To add to the wonderful clarification (it is ...)
Dropping all but a few indeed has the advantage that you know what you want to do... you KNOW you want HTTP, so you can open that port... you KNOW you want FTP, so you can open THAT port.... The other way around doesn't work as well... imagine: I KNOW I don't want blahblah... well, lots to think of...
Also... indeed, a lot of iptables firewalls have the OUTPUT chain open.. having a tight INPUT chain gives the best protection.. if you fully trust the local machine (the iptables machine), the OUTPUT chain could be set open... this, together with a state RELATED,ESTABLISHED rule on the INPUT chain, grants communication initiated by the local machine..
It really depends on what you want... there are two schools of thought...:
- Security first: drop all but a few. I don't want anything to happen that I don't know of. Any service run on your local network isn't exposed until YOU say so.
- Ease of setup: allow all but a few.. I don't want (lots of) administration about what port to open.. it needs to route my traffic, and security isn't that important.. I don't have any services opened anyway.
Hope this adds some sense...
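An added example, not part of the post above or of any iptables project code: a small POSIX shell script that writes both rulesets the post contrasts in iptables-restore format. The "allowlist" mode is the "security first" layout (INPUT policy DROP, only listed ports opened, OUTPUT left ACCEPT, and a RELATED,ESTABLISHED rule on INPUT so replies to connections the local machine starts get back in); the "denylist" mode is the "ease of setup" layout (INPUT policy ACCEPT, only listed ports dropped). The mode names, the helper function names, and the port lists (80 for HTTP, 21 for the FTP control channel, 23 in the test) are assumptions made for this example; the `-m conntrack --ctstate` match is the modern equivalent of the `-m state --state` match the post refers to.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore ruleset
# for the two INPUT policies discussed above.
#   allowlist: INPUT policy DROP, accept only the listed TCP ports  ("security first")
#   denylist:  INPUT policy ACCEPT, drop only the listed TCP ports  ("ease of setup")
# OUTPUT stays ACCEPT in both, and INPUT admits RELATED,ESTABLISHED traffic so
# connections the local machine initiates get their replies back.
# Mode names, helper names and port lists are constructed for this example.

# Return 0 if every word in $1 is a TCP port number in 1..65535, else 1.
valid_ports() {
    for p in $1; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# gen_ruleset MODE "PORT PORT ..."  -> iptables-restore text on stdout
gen_ruleset() {
    mode="$1"
    ports="$2"
    valid_ports "$ports" || { echo "gen_ruleset: bad port list: '$ports'" >&2; return 1; }
    case "$mode" in
        allowlist) input_policy=DROP ;;
        denylist)  input_policy=ACCEPT ;;
        *) echo "gen_ruleset: mode must be allowlist or denylist" >&2; return 1 ;;
    esac

    printf '%s\n' '*filter'
    printf ':INPUT %s [0:0]\n' "$input_policy"
    printf '%s\n' ':FORWARD DROP [0:0]'      # this box is not a router
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'     # trusted local machine: OUTPUT open
    # Order matters: loopback first, then replies to connections we started,
    # then packets conntrack cannot classify, then the per-port rules.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in $ports; do
        if [ "$mode" = allowlist ]; then
            # Only brand-new connections need a rule; replies are already covered.
            printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        else
            printf '%s\n' "-A INPUT -p tcp --dport $p -j DROP"
        fi
    done
    printf '%s\n' 'COMMIT'
}

# Load the generated ruleset atomically. Needs root and iptables-restore;
# --test parses the ruleset without touching the live tables.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must run as root" >&2; return 1; }
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found" >&2; return 1; }
    gen_ruleset "$1" "$2" | iptables-restore --test || return 1
    gen_ruleset "$1" "$2" | iptables-restore
}

# Print the "security first" ruleset for HTTP and the FTP control port when run
# directly; set APPLY=1 to load it instead. Note that FTP data connections only
# match RELATED if the nf_conntrack_ftp helper is loaded.
if [ "${APPLY:-0}" = 1 ]; then
    apply_ruleset allowlist "80 21"
else
    gen_ruleset allowlist "80 21"
fi
```

Run it as a normal user to review the rules it would load, then `APPLY=1` as root to install them; the `--test` pass means a typo in the port list fails before the live tables are touched rather than leaving the chain half-loaded.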