Confused as Chris Griffin
Fraser Campbell
fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org
Fri Nov 28 00:53:39 UTC 2003
On November 27, 2003 05:24 pm, Keith Mastin wrote:
> > FORWARD chain "are for packets destined for other hosts"
> > Well, why am I receiving packets that aren't meant for me?
>
> The firewall will accept anything first ACCEPT'ed, then not DROP'ed
I don't think that statement is completely true.
I believe with netfilter that if something is ACCEPTed then the firewalling
decision has been made, no subsequent filtering rule could cause it to be
dropped. This was a big improvement over the ipchains machinery that
processed packets going through a machine in multiple passes.
With netfilter it should work like this:
- if a rule ACCEPTs a packet then the packet is ACCEPTed regardless of any
rules that follow it
- if a packet is DROPed then the packet is DROPed regardless of any rules that
follow it
- if a packet does not match any explicit rule then the policy of the
appropriate chain (INPUT, OUTPUT, FORWARD) determines what happens to it
--
Fraser Campbell <fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
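As an added illustration of the first-match behaviour described in the reply above (this is example code written here, not part of the original post and not netfilter's own code), the following Python model walks a chain top to bottom exactly as the three bullets state: the first ACCEPT or DROP that matches is final, and the chain policy applies only when no rule matches. It also models the INPUT/FORWARD split from the quoted question by routing packets addressed to the box's own address (a constructed value, 192.0.2.10) to INPUT and everything else to FORWARD. The ruleset and sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed for this example: the address this firewall host itself owns.
LOCAL_ADDRESSES = {"192.0.2.10"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str          # "ACCEPT" or "DROP"
    comment: str = ""    # human-readable label for the rule


@dataclass
class Chain:
    policy: str                                   # verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)


def traverse(chain: Chain, pkt: Packet) -> Tuple[str, str]:
    """Walk the chain top to bottom. The first rule whose match succeeds
    decides the verdict; later rules are never consulted. If nothing
    matches, the chain policy applies."""
    for rule in chain.rules:
        if rule.match(pkt):
            return rule.target, rule.comment
    return chain.policy, "chain policy"


def select_chain(pkt: Packet) -> str:
    """Locally addressed packets go to INPUT; packets being routed
    through the box for other hosts go to FORWARD."""
    return "INPUT" if pkt.dst in LOCAL_ADDRESSES else "FORWARD"


def filter_packet(tables: dict, pkt: Packet) -> Tuple[str, str, str]:
    """Return (chain used, verdict, reason) for one packet."""
    name = select_chain(pkt)
    verdict, reason = traverse(tables[name], pkt)
    return name, verdict, reason


def in_net(cidr: str) -> Callable[[Packet], bool]:
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p.src) in net


def tcp_port(port: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == "tcp" and p.dport == port


def build_tables() -> dict:
    """Constructed ruleset: default-deny, allow ssh from anywhere,
    drop one unwanted network, allow http from everyone else."""
    inp = Chain(policy="DROP", rules=[
        Rule(tcp_port(22), "ACCEPT", "rule 1: ssh"),
        Rule(in_net("203.0.113.0/24"), "DROP", "rule 2: blocked net"),
        Rule(tcp_port(80), "ACCEPT", "rule 3: http"),
    ])
    fwd = Chain(policy="DROP")     # this box does not route for other hosts
    return {"INPUT": inp, "FORWARD": fwd}


if __name__ == "__main__":
    tables = build_tables()
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 22),      # rule 1 accepts before rule 2 can drop
        Packet("203.0.113.5", "192.0.2.10", "tcp", 80),      # rule 2 drops before rule 3 can accept
        Packet("198.51.100.7", "192.0.2.10", "tcp", 80),     # rule 3 accepts
        Packet("198.51.100.7", "192.0.2.10", "udp", 53),     # no match: INPUT policy DROP
        Packet("198.51.100.7", "198.51.100.20", "tcp", 80),  # not for us: FORWARD policy DROP
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.proto, p.dport, filter_packet(tables, p))
```

The second sample is the one that separates the two readings in the thread: under "ACCEPT first, then DROP" it would be accepted by rule 3, but with first-match traversal rule 2 ends the decision and rule 3 is never reached. Rule order, not the set of rules, is what determines the outcome.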