Quote, originally posted by nicedream:
> That is exactly what your firewall should do with all traffic that you have not explicitly allowed.
Apart from when you need to flush or re-initialize it. This is a dangerous form of filtering.
Quote, originally posted by nicedream:
> I wasn't talking about a few minutes while troubleshooting. See my first post in this thread where I recommended that the original poster remove all his rules to see if he could connect via SSH. I was talking about the iptables rules that a server runs on a regular day-to-day basis.
But what you suggest would turn a few minutes of what may be required troubleshooting into a long-period blackhole.
Quote, originally posted by nicedream:
> Which is why you add an explicit rule to allow SSH connections through, and possibly even restrict that to allow only your IP address (if you have a static IP).
Right, and this itself should be handled by a rule, not a policy. If your rules are complete, the last rule on the chain should be reject all; there is simply no reasonable reason why you should be relying on a fall-back to the policy. However, if you need to flush the firewall for whatever reason, you need to be able to get back into the server to reconfigure the firewall, so there is a reasonable reason to have an accept policy. This is why firewalls on a lot, if not most, distributions default to this type of set-up.
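Added example (my own, not code from anyone in this thread) of the arrangement argued for above: the INPUT chain keeps its built-in policy at ACCEPT, SSH from one admin address is allowed by an explicit rule, and the chain ends in an explicit catch-all REJECT. The admin address is an assumed placeholder; the script prints the rules for review and only runs them when given --apply.

```shell
#!/bin/sh
# Assumed placeholder for the admin's static IP; override via the environment.
ADMIN_IP="${ADMIN_IP:-198.51.100.10}"

# Emit the INPUT chain as iptables commands, one per line, without running
# them, so the set can be inspected or diffed before it is applied.
input_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s ${ADMIN_IP} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Check that the last rule is the catch-all REJECT: unmatched traffic is
# refused by a rule, never by falling through to the chain policy.
last_rule_is_reject() {
    input_rules | tail -n 1 | grep -q -- '-j REJECT'
}

# Report the chain policy, which is all that remains after "iptables -F INPUT".
# With ACCEPT, a flush during troubleshooting still leaves SSH reachable.
policy_after_flush() {
    input_rules | grep '^iptables -P INPUT' | cut -d' ' -f4
}

if [ "${1:-}" = "--apply" ]; then
    input_rules | sh      # needs root; applies the rules in order
else
    input_rules           # default: print the rules for review
fi
```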