Quote:
Originally Posted by sportsman667
... Using iptables I am trying to implement the following policy: I'm trying to permit all outgoing connections, permit incoming ICMP, permit incoming ssh, permit incoming finger connections, and reject all other packets.
I'll just add a couple of comments about definitions (just in case they cause confusion later)....
A policy is essentially a default. In other words, it's the rule that gets matched by packets that don't match any of the explicit rules. So it is usually something like drop or reject.
(The more secure approach is generally felt to be:

rule 1: if it is this kind of packet, do this
.
.
rule n: .
everything else, forget about it

but you could, if you were careful, do:

rule 1: if it is this bad thing, forget about it
.
.
rule n: .
everything else, accept

The first system has a policy of forgetting about packets that come its way and the second of accepting. You'd have to be very careful about the second and it is not generally advisable.)
Secondly, you refer to rejecting. It's a close decision in some cases, but most people, most of the time, prefer to drop undesired/unsolicited packets. Reject sends an error message and that error message may be useful to someone trying to hack your system, in that it acts as confirmation that someone is there. (Mind you, if you are responding to ping packets, you are already telling the world that you exist, if they ask.)
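As an added example (not code from the original post or from either poster), here is the policy the question describes, written the "default drop, explicit accept" way the reply recommends, as an iptables-restore ruleset generated by a small shell function. The port numbers are the standard ones (22/tcp for ssh, 79/tcp for finger). The function assumes an iptables with the conntrack match available, and it takes a mode argument so you can compare the two choices discussed above: `drop` leaves the DROP policy to silently discard everything unmatched, while `reject` appends explicit REJECT rules in front of that policy.

```shell
#!/bin/sh
# Added example: default-deny INPUT policy with explicit accepts for
# outgoing-connection replies, loopback, ICMP, ssh and finger.
# Assumes iptables with the conntrack match (nf_conntrack loaded).

gen_ruleset() {
    # $1 is "drop" (default) or "reject"; anything else is an error.
    local mode="${1:-drop}"
    case "$mode" in
        drop|reject) ;;
        *) echo "gen_ruleset: mode must be drop or reject" >&2; return 1 ;;
    esac

    # The chain policies are the "everything else" defaults: INPUT and
    # FORWARD forget about unmatched packets, OUTPUT accepts them
    # ("permit all outgoing connections").
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 79 -m conntrack --ctstate NEW -j ACCEPT
EOF
    # Only in reject mode: answer unwanted packets with an error instead of
    # letting the DROP policy discard them silently. TCP gets a RST, the
    # rest an ICMP port-unreachable. These rules sit before the policy, so
    # the policy itself never fires for IPv4 traffic in this mode.
    if [ "$mode" = reject ]; then
        echo '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
        echo '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    fi
    echo COMMIT
}

# Load the generated ruleset atomically (needs root). Run
# "gen_ruleset MODE | iptables-restore --test" first to check syntax.
apply_ruleset() {
    gen_ruleset "$1" | iptables-restore
}

# Usage: ./fw.sh [show|apply] [drop|reject]
case "${1:-show}" in
    show)  gen_ruleset "${2:-drop}" ;;
    apply) apply_ruleset "${2:-drop}" ;;
    *)     echo "usage: $0 [show|apply] [drop|reject]" >&2; exit 2 ;;
esac
```

Note the ESTABLISHED,RELATED rule: "permit all outgoing connections" is only half done by the OUTPUT ACCEPT policy, because the replies arrive on INPUT and would otherwise be caught by the DROP policy. Conntrack is what lets those replies through without opening any listening ports, and the INVALID rule discards packets that belong to no known connection. Being explicit in this way also means that if somebody later flips the INPUT policy to ACCEPT, the ruleset still documents what was meant to be allowed.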