All,

Good morning and thanks for reading this. Below are firewall rules developed by fc6. Good rule practice seems to advocate first DROP and then adding exceptions. These rules start with ACCEPT. Is that a correct assumption? If so where are the DROP rules?

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Thanks - Dan

the rules you posted aren't using DROP - they are using REJECT... it's the last rule in the chain... so basically any packet which doesn't match any rule before the REJECT one will get sent to REJECT (and an icmp-host-prohibited respones will be sent back to the source)...

What do these lines do?

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

It seems as though they accecp everything. The [0:0] syntax is unclear.

- Dan

those lines are showing you the policy you have set for the three chains in the filter table... in your case they are all set to ACCEPT... one would optimally want to have the INPUT chain's policy set to DROP (IMHO), but for whatever reason Red Hat based distros like to set it to ACCEPT and then stick a REJECT rule at the bottom of the chain, as in your case...

the 0:0 thing is a counter... it shows the number of packets and bytes (respectively) that have traversed the chain since it was last zeroed... yours were either zeroed right before the config was saved, or hadn't been used yet...

what stands for?

it's the name of a non-built-in chain...

the only rule in the INPUT chain sends all packets to the RH-Firewall-1-INPUT chain...