Quote:
What does the range beside the policy mean? (e.g. [2239:617321] vs [0:0])
The "range" is actually a set of counters. The first number (2239) is the total number of packets that have been processed through the chain. The second number (617321) is the number of bytes in those packets.
Quote:
what's "-" policy, is it equivalent as "ACCEPT"?
It's actually not a policy. The policies are only applicable to the built-in chains (INPUT/OUTPUT/FORWARD). Because RH-Firewall-1-INPUT is a user-defined chain created using the -N option (see man page), it doesn't have a policy (which is why the "-" is there).
I believe that RH has the firewall designed so that the INPUT chain dumps all packets into RH-Firewall-1-INPUT, where all the filtering rules live. Technically, once the packets reach the end of the RH-Firewall-1-INPUT chain, they should be passed back to the INPUT chain; however, at the end of RH-Firewall-1-INPUT there is usually a REJECT rule that blocks anything that reaches the end of the chain. So it's really the equivalent of having a default INPUT policy of REJECT.
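The counter pair and the user-defined chain described above, as an added example that is not part of the original post: a small Python parser for `iptables-save -c` style output that reads each chain header's `[packets:bytes]` pair and its policy (`-` for a user-defined chain created with `-N`), then follows the unconditional jumps to work out what happens to a packet that matches none of the filtering rules. The dump is constructed for this example; the chain name RH-Firewall-1-INPUT and the counter pair [2239:617321] are taken from the thread, while every other rule and number is invented.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed iptables-save -c dump. Only the chain name RH-Firewall-1-INPUT
# and the INPUT counters [2239:617321] come from the thread; the rest is made up.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [2239:617321]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1800:210000]
:RH-Firewall-1-INPUT - [0:0]
[2300:640000] -A INPUT -j RH-Firewall-1-INPUT
[0:0] -A FORWARD -j RH-Firewall-1-INPUT
[120:9000] -A RH-Firewall-1-INPUT -i lo -j ACCEPT
[50:4000] -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
[2000:600000] -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[10:600] -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
[59:3721] -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]" header lines and "[packets:bytes] -A CHAIN ..." rule lines
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")
BUILTIN_FILTER_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Chain:
    name: str
    policy: Optional[str]        # None for user-defined chains (shown as "-" in the dump)
    packets: int                 # first number of the [packets:bytes] pair
    bytes: int                   # second number of the pair
    rules: List[Tuple[int, int, str]] = field(default_factory=list)

    @property
    def builtin(self) -> bool:
        return self.name in BUILTIN_FILTER_CHAINS


def parse_iptables_save(dump: str) -> Dict[str, Chain]:
    """Parse chain headers and rules of one table from iptables-save -c output."""
    chains: Dict[str, Chain] = {}
    for raw in dump.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pk, by = m.groups()
            chains[name] = Chain(name, None if policy == "-" else policy, int(pk), int(by))
            continue
        m = RULE_RE.match(line)
        if m:
            pk, by, chain, spec = m.groups()
            chains[chain].rules.append((int(pk), int(by), spec))
    return chains


def effective_default(chains: Dict[str, Chain], name: str) -> str:
    """Fate of a packet that matches none of the conditional rules in `name`.

    Unconditional jumps (a rule whose spec is only "-j TARGET ...") are followed:
    a terminal target decides immediately, a user-defined chain is walked
    recursively, and falling off the end yields the policy, or "RETURN" for a
    user-defined chain (control goes back to the caller).
    """
    chain = chains[name]
    for _pk, _by, spec in chain.rules:
        match_part, _, target_part = spec.partition("-j ")
        if not target_part or match_part.strip():
            continue  # rule has match options (or no jump) -> not guaranteed to fire
        target = target_part.split()[0]
        if target in TERMINAL_TARGETS:
            return target
        if target == "RETURN":
            break
        if target in chains:
            result = effective_default(chains, target)
            if result != "RETURN":
                return result
    return chain.policy if chain.policy is not None else "RETURN"


def summarize(dump: str) -> Dict[str, dict]:
    """Per-chain view: declared policy, counters, and the effective default."""
    chains = parse_iptables_save(dump)
    return {
        c.name: {
            "builtin": c.builtin,
            "policy": c.policy,
            "packets": c.packets,
            "bytes": c.bytes,
            "effective_default": effective_default(chains, c.name),
        }
        for c in chains.values()
    }


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_DUMP).items():
        print(f"{name:22} policy={str(info['policy']):7} "
              f"[{info['packets']}:{info['bytes']}] -> {info['effective_default']}")
```

Running it shows INPUT with a declared policy of ACCEPT but an effective default of REJECT, because its only rule jumps unconditionally into RH-Firewall-1-INPUT, whose last rule is an unconditional REJECT; that is the situation the post describes. Rules with match options are deliberately skipped, since the question is what happens to traffic none of them catch.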