[KLUG Members] ACCEPT all -- anywhere anywhere, eh?
Adam Williams
members@kalamazoolinux.org
09 Jan 2003 21:42:32 -0500
>>Is the redhat firewall config tool goobered?
>Dunno, we can discuss what "goobered" means somewhere else.
A goober is a peanut. What goobered means is open to interpretation.
>>Chain INPUT (policy ACCEPT)
>>target prot opt source destination
>>RH-Lokkit-0-50-INPUT all -- anywhere anywhere
>>...
>>Chain RH-Lokkit-0-50-INPUT (1 references)
>>target prot opt source destination
>>ACCEPT tcp -- anywhere anywhere tcp dpt:http
>>flags:SYN,RST,ACK/SYN
>>ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
>>flags:SYN,RST,ACK/SYN
>>ACCEPT all -- anywhere anywhere
>>ACCEPT udp -- k2.iserv.net anywhere udp spt:domain
>>ACCEPT udp -- everest.iserv.net anywhere udp spt:domain
>>REJECT tcp -- anywhere anywhere tcp
>>flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
>>REJECT udp -- anywhere anywhere udp reject-with
>>icmp-port-unreachable
>>Doesn't the "ACCEPT all -- anywhere anywhere" negate all the rules below it?
>UM, it would probably obviate them, yes. I have this little munchkin on my
>shoulder (perhaps a degooberizer, or maybe a degooberator?) that tells me the
>"all" ought to be a "tcp".
That's pretty much what I thought.
>However, I don't really like this whole setup, mostly 'cuz I prefer a policy
>of REJECT or DENY... why they don't do this isn't clear to me. The stateful
>nature of some rules is helpful, though.
It does seem an odd way to go about things.
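Example added here, not part of the thread: a small Python first-match simulator of the quoted RH-Lokkit chain, showing that the unqualified "ACCEPT all -- anywhere anywhere" line decides every packet that reaches it, so the REJECT rules after it are dead. The loopback-only variant, the packet fields and the test traffic are assumptions (`iptables -L` without `-v` does not print the interface column, so an `-i lo -j ACCEPT` rule lists exactly like an unrestricted accept).

```python
# Rules are (target, criteria) pairs; a rule matches when every criterion equals
# the packet's field, so a rule with no criteria is the "ACCEPT all" line.

def verdict(chain, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom and return the first matching target.
    Rules after the first match are never consulted, as in iptables."""
    for target, crit in chain:
        if all(pkt.get(k) == v for k, v in crit.items()):
            return target
    return policy

# The chain as listed by `iptables -L` in the quoted message.
LOKKIT_AS_LISTED = [
    ("ACCEPT", {"proto": "tcp", "dport": 80, "syn": True}),
    ("ACCEPT", {"proto": "tcp", "dport": 22, "syn": True}),
    ("ACCEPT", {}),                                   # ACCEPT all -- anywhere anywhere
    ("ACCEPT", {"proto": "udp", "src": "k2.iserv.net", "sport": 53}),
    ("ACCEPT", {"proto": "udp", "src": "everest.iserv.net", "sport": 53}),
    ("REJECT", {"proto": "tcp", "syn": True}),
    ("REJECT", {"proto": "udp"}),
]

# Same chain with the catch-all narrowed to the loopback interface. This is an
# assumption about what the rule was meant to be: `iptables -L` without -v hides
# the interface column, so "-i lo -j ACCEPT" prints as a bare "ACCEPT all".
LOKKIT_LO_ONLY = LOKKIT_AS_LISTED[:2] + [("ACCEPT", {"in": "lo"})] + LOKKIT_AS_LISTED[3:]

# Constructed test traffic (documentation addresses, not real hosts).
TELNET_SYN = {"proto": "tcp", "in": "eth0", "src": "203.0.113.9", "dport": 23, "syn": True}
DNS_REPLY_UNKNOWN = {"proto": "udp", "in": "eth0", "src": "203.0.113.53", "sport": 53, "dport": 1025}
LOOPBACK_TCP = {"proto": "tcp", "in": "lo", "src": "127.0.0.1", "dport": 3306, "syn": True}

def shadowed_rules(chain):
    """Indexes of rules that can never fire because an earlier rule's criteria
    are a subset of theirs (every packet they would match is caught first)."""
    out = []
    for i, (_, crit) in enumerate(chain):
        for _, earlier in chain[:i]:
            if earlier.items() <= crit.items():
                out.append(i)
                break
    return out

if __name__ == "__main__":
    for name, chain in (("as listed", LOKKIT_AS_LISTED), ("lo only", LOKKIT_LO_ONLY)):
        print(name, "| telnet SYN ->", verdict(chain, TELNET_SYN),
              "| unknown DNS reply ->", verdict(chain, DNS_REPLY_UNKNOWN),
              "| shadowed rule indexes:", shadowed_rules(chain))
```

With the chain as listed, every rule after index 2 is reported as shadowed and arbitrary inbound traffic is accepted; with the catch-all limited to `lo`, the same packets fall through to the REJECT rules.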