LinuxQuestions.org - [SOLVED] iptables ruleset question

Hi everyone.

I have a question concerning iptables. For years I used to write my rules and chains on my own. Unfortunately, most of my users don't know how to do that on their machines, so I was condemned to check out some tools.

On my machine, the firewall manager I am testing for the users in my network insists on putting an accept all to everywhere rule infront of the INPUT chain, like so:

Code:

Chain INPUT (policy DROP)

target    prot opt source              destination

ACCEPT    all  --  anywhere            anywhere

ACCEPT    all  --  anywhere            anywhere            state ESTABLISHED

ACCEPT    icmp --  anywhere            anywhere            state RELATED

input_ext  all  --  anywhere            anywhere

input_ext  all  --  anywhere            anywhere

input_ext  all  --  anywhere            anywhere

LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '

DROP      all  --  anywhere            anywhere

I don't get it. Doesn't this make the rest of the chain obsolete? The first rule matching is the first rule in any package, the rest of the chain should never be processed. Just what idea of firewalling is this?

Please tell me if I'm wrong here.

thx