
List:       fwtk-users
Subject:    IP Chain ruleset
From:       Dave_Chen () acml ! com
Date:       2000-10-23 20:40:18

Hi,
        The question is with regards to IP Chains in the Oct.
issue of Linux Journal (p42). Marcel Gagné wrote a rule sequence, which
is listed below:

1>   ipchains -P input ACCEPT
2>   ipchains -A input -j ACCEPT -s 192.168.1.0/24 -d 0.0.0.0/0
3>   ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0
4>   ipchains -A input -j DENY -p tcp -s 0.0.0.0/0 -d 259.25.132.55 137:139
5>   ipchains -A input -j DENY -p udp -s 0.0.0.0/0 -d 259.25.132.55 137:139
6>   ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 -d 259.25.132.55 80
7>   ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0

Question is this:
Line #3 allows any source address (0.0.0.0/0) to any
destination address (0.0.0.0/0); does it not supersede the
following lines (#4-7)? How can you DENY service when it is
already allowed? Does the order not matter?

Thanks.
Dave Chen
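An added example, not from the post or the magazine article: a small Python first-match evaluator that replays the input chain above. It uses a constructed valid host address in place of 259.25.132.55 (which is not a valid IPv4 address) and a constructed source packet, and shows that the unconditional rule 3 answers for every packet, so rules 4 to 7 are never consulted until it is removed.

```python
import ipaddress

# ipchains walks a chain top to bottom and the first matching rule decides;
# the chain's policy (-P) applies only when no rule matched. This evaluator
# replays the post's input chain to show why rule 3 swallows rules 4 to 7.
HOST = "192.0.2.55"  # constructed stand-in for the (invalid) 259.25.132.55 in the post

# (rule number as in the post, target, proto or None, -s, -d, (lo, hi) dport range or None)
RULES = [
    (2, "ACCEPT", None,  "192.168.1.0/24", "0.0.0.0/0", None),
    (3, "ACCEPT", None,  "0.0.0.0/0",      "0.0.0.0/0", None),
    (4, "DENY",   "tcp", "0.0.0.0/0",      HOST,        (137, 139)),
    (5, "DENY",   "udp", "0.0.0.0/0",      HOST,        (137, 139)),
    (6, "ACCEPT", "tcp", "0.0.0.0/0",      HOST,        (80, 80)),
    (7, "DENY",   None,  "0.0.0.0/0",      "0.0.0.0/0", None),
]
POLICY = "ACCEPT"  # rule 1: ipchains -P input ACCEPT


def matches(rule, proto, src, dst, dport):
    """True if the packet satisfies every selector of the rule."""
    _, _, r_proto, r_src, r_dst, r_ports = rule
    if r_proto is not None and r_proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(r_src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(r_dst):
        return False
    if r_ports is not None and not r_ports[0] <= dport <= r_ports[1]:
        return False
    return True


def evaluate(rules, proto, src, dst, dport, policy=POLICY):
    """Return (verdict, rule number) of the first match, or (policy, 1)."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule[1], rule[0]
    return policy, 1


def without(rules, number):
    """The same chain with one rule deleted, to compare the two orderings."""
    return [r for r in rules if r[0] != number]


if __name__ == "__main__":
    # constructed packet: TCP from an outside host to the NetBIOS session port
    pkt = ("tcp", "203.0.113.9", HOST, 139)
    print("as published  :", evaluate(RULES, *pkt))              # ('ACCEPT', 3)
    print("without rule 3:", evaluate(without(RULES, 3), *pkt))  # ('DENY', 4)
```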

