[CentOS] firewalld default policy = allow = no effect.
dE
de.techno at gmail.com
Tue Feb 17 03:39:43 UTC 2015
On 02/13/15 23:27, Gordon Messmer wrote:
> On 02/12/2015 08:14 PM, dE wrote:
>> Looking at the default policies of various zones, I've come to
>> realize that only the drop zone has an effect, that's because this is
>> the only one which drops unmatched packets.
>
> I'm not sure what you mean, but most firewall sets for iptables follow
> the same pattern. First, allow packets which are part of an
> established connection, or related to an established connection (such
> as an FTP data connection). Next, allow new connections by local
> policy. Finally, drop or reject everything else.
>
> The first and last parts are fairly standard. Some tools will set the
> policy to DROP, where firewalld instead terminates the rule set with a
> DROP for invalid packets and REJECT for the rest.
>
> If your point is that the INPUT table policy doesn't have an effect,
> that is by design. A DROP policy is not required, and it means that
> if a local admin resets the rule set in order to reload it, there
> won't be a moment where the POLICY is DROP and there are no ACCEPT
> rules, leaving the system potentially inaccessible.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
But firewalld has no effect. All ports are open.
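The rule-set shape Gordon describes above, written out as an added example (it is not code from the thread, from firewalld, or from CentOS): policy left at ACCEPT, ESTABLISHED/RELATED accepted first, INVALID dropped, a few new connections accepted by local choice, and a terminal REJECT doing the job a DROP policy would. The port list, the loopback rule and the `lint_ruleset` check are assumptions added here; the script builds an `iptables-restore` file and only loads it if run as root.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds an INPUT chain in the
# pattern described in the thread and checks a ruleset file for that pattern.

# build_ruleset "22 80"  -> prints an iptables-restore script on stdout.
# The TCP ports are an assumption; pass whatever your local policy allows.
build_ruleset() {
    ports="$1"
    printf '%s\n' '*filter'
    # Policy stays ACCEPT on purpose: if an admin flushes the chain to reload
    # it, there is never a moment with policy DROP and no ACCEPT rules.
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # 1. packets belonging to, or related to, an existing connection
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # 2. packets conntrack cannot classify are dropped, not rejected
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # 3. new connections allowed by local policy
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # 4. everything else: the terminal REJECT replaces a DROP policy
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# lint_ruleset FILE -> returns 0 when FILE follows the pattern above, 1 otherwise.
# A file with policy DROP and no rules (the lockout shape) fails the first check.
lint_ruleset() {
    f="$1"
    grep -q '^:INPUT ACCEPT' "$f" || { echo "INPUT policy is not ACCEPT"; return 1; }
    grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' "$f" \
        || { echo "no ESTABLISHED,RELATED accept rule"; return 1; }
    # the last INPUT rule must be the terminal REJECT (or DROP)
    last=$(grep '^-A INPUT' "$f" | tail -n 1)
    case "$last" in
        *"-j REJECT"*|*"-j DROP"*) ;;
        *) echo "INPUT chain is not terminated: $last"; return 1 ;;
    esac
    return 0
}

# apply_ruleset FILE -> loads FILE atomically. iptables-restore swaps in the
# whole table in one step, so there is no window with a half-built chain.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: run as root"; return 1; }
    lint_ruleset "$1" && iptables-restore < "$1"
}

# Stand-alone run: print the generated ruleset for the assumed port list.
build_ruleset "${PORTS:-22}"
```

The "all ports are open" observation is best checked against the live chain rather than the zone names: `iptables -S INPUT` (or `firewall-cmd --list-all` for the active zone) should show the ESTABLISHED,RELATED accept near the top and a REJECT rule at the bottom; if the chain is empty with policy ACCEPT, the rules were never loaded and every port really is reachable.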