[CentOS] firewalld default policy = allow = no effect.

Gordon Messmer gordon.messmer at gmail.com
Fri Feb 13 17:57:55 UTC 2015


On 02/12/2015 08:14 PM, dE wrote:
> Looking at the default policies of various zones, I've come to realize 
> that only the drop zone has an effect, that's because this is the only 
> one which drops unmatched packets. 

I'm not sure what you mean, but most firewall sets for iptables follow 
the same pattern.  First, allow packets which are part of an established 
connection, or related to an established connection (such as an FTP data 
connection).  Next, allow new connections by local policy.  Finally, 
drop or reject everything else.

The first and last parts are fairly standard.  Some tools will set the 
policy to DROP, where firewalld instead terminates the rule set with a 
DROP for invalid packets and REJECT for the rest.

If your point is that the INPUT table policy doesn't have an effect, 
that is by design.  A DROP policy is not required, and it means that if 
a local admin resets the rule set in order to reload it, there won't be 
a moment where the POLICY is DROP and there are no ACCEPT rules, leaving 
the system potentially inaccessible.
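The three-part layout described above, as an added example that is not code from the post or from firewalld: a POSIX shell function that renders it as iptables-restore text (ACCEPT policy on INPUT, ESTABLISHED/RELATED first, new connections per port, then DROP for INVALID and REJECT for the rest) plus a check that a rule set has that shape. The port arguments, the check function and the use of icmp-host-prohibited are assumptions of this example; nothing is applied to a running kernel.

```shell
#!/bin/sh
# Added example: build an iptables-restore rule set in the pattern the
# reply describes. Output is text only; feed it to iptables-restore to
# apply it (iptables-restore swaps the whole table in one step, so the
# ACCEPT policy never leaves a "policy DROP, no ACCEPT rules" window).

# gen_ruleset PORT... -> prints the rule set on stdout
gen_ruleset() {
    echo '*filter'
    # policy ACCEPT: a flushed INPUT chain is open, not closed, mid-reload
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # 1. packets belonging to, or related to, an existing connection
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    # 2. new connections allowed by local policy (one TCP port per argument)
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # 3. terminal rules instead of a DROP policy: drop INVALID, reject the rest
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# check_ruleset: read a rule set on stdin; return 0 if INPUT keeps an
# ACCEPT policy, accepts ESTABLISHED/RELATED, and ends in the catch-all
# REJECT; return 1 otherwise (hypothetical helper, not a firewalld tool)
check_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -q 'ESTABLISHED,RELATED -j ACCEPT' || return 1
    last=$(printf '%s\n' "$rules" | grep '^-A INPUT' | tail -n 1)
    [ "$last" = '-A INPUT -j REJECT --reject-with icmp-host-prohibited' ] || return 1
    return 0
}
```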