Hi! I'm running CentOS 7. Looking at the default policies of various zones, I've come to realize that only the drop zone has an effect; that's because this is the only one which drops unmatched packets.
Gordon Messmer
2015-Feb-13 17:57 UTC
[CentOS] firewalld default policy = allow = no effect.
On 02/12/2015 08:14 PM, dE wrote:
> Looking at the default policies of various zones, I've come to realize
> that only the drop zone has an effect; that's because this is the only
> one which drops unmatched packets.

I'm not sure what you mean, but most firewall sets for iptables follow the same pattern. First, allow packets which are part of an established connection, or related to an established connection (such as an FTP data connection). Next, allow new connections by local policy. Finally, drop or reject everything else.

The first and last parts are fairly standard. Some tools will set the policy to DROP, where firewalld instead terminates the rule set with a DROP for invalid packets and REJECT for the rest.

If your point is that the INPUT table policy doesn't have an effect, that is by design. A DROP policy is not required, and it means that if a local admin resets the rule set in order to reload it, there won't be a moment where the POLICY is DROP and there are no ACCEPT rules, leaving the system potentially inaccessible.
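As an added example (not from either poster, and not part of firewalld), here is a small POSIX sh check of the pattern described above: whether an INPUT chain, in `iptables -S` output form, is actually closed by default, either because its last rule is an unconditional DROP/REJECT or because the chain policy is DROP. The two rule sets embedded in the script are constructed samples; the firewalld-style one is modelled on what firewalld installs on CentOS 7 and the exact chain names may differ on a real host.

```shell
#!/bin/sh
# chain_terminated CHAIN RULES
# RULES is text in "iptables -S CHAIN" format. Returns 0 when unmatched
# packets are dropped or rejected (the "finally, drop or reject everything
# else" step), 1 when they fall through to an ACCEPT policy.
chain_terminated() {
    chain="$1"
    rules="$2"
    # Last rule appended to the chain, if any.
    last=$(printf '%s\n' "$rules" | grep "^-A $chain " | tail -n 1)
    case "$last" in
        # An unconditional jump (no match options between chain and -j).
        "-A $chain -j DROP"*|"-A $chain -j REJECT"*) return 0 ;;
    esac
    # No terminating rule: fall back to the built-in chain policy.
    policy=$(printf '%s\n' "$rules" | grep "^-P $chain " | awk '{print $3}')
    [ "$policy" = "DROP" ]
}

# Constructed sample modelled on firewalld's INPUT chain on CentOS 7:
# conntrack ACCEPT first, zone dispatch, then DROP invalid and REJECT the rest.
FIREWALLD_INPUT='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample of a host with no rules loaded at all: the ACCEPT
# policy is all that is left, so every listening port is reachable.
EMPTY_INPUT='-P INPUT ACCEPT'

for name in FIREWALLD_INPUT EMPTY_INPUT; do
    eval "rules=\$$name"
    if chain_terminated INPUT "$rules"; then
        echo "$name: INPUT is closed by default"
    else
        echo "$name: INPUT is open by default (unmatched packets are accepted)"
    fi
done
```

On a live CentOS 7 host the same function can be fed real output with `chain_terminated INPUT "$(iptables -S INPUT)"`; if it reports the chain as open while firewalld is supposedly running, the firewalld rule set is not loaded at all, which is a different problem from the ACCEPT policy discussed above.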
On 02/13/15 23:27, Gordon Messmer wrote:
> On 02/12/2015 08:14 PM, dE wrote:
>> Looking at the default policies of various zones, I've come to
>> realize that only the drop zone has an effect; that's because this is
>> the only one which drops unmatched packets.
>
> I'm not sure what you mean, but most firewall sets for iptables follow
> the same pattern. First, allow packets which are part of an
> established connection, or related to an established connection (such
> as an FTP data connection). Next, allow new connections by local
> policy. Finally, drop or reject everything else.
>
> The first and last parts are fairly standard. Some tools will set the
> policy to DROP, where firewalld instead terminates the rule set with a
> DROP for invalid packets and REJECT for the rest.
>
> If your point is that the INPUT table policy doesn't have an effect,
> that is by design. A DROP policy is not required, and it means that
> if a local admin resets the rule set in order to reload it, there
> won't be a moment where the POLICY is DROP and there are no ACCEPT
> rules, leaving the system potentially inaccessible.

But firewalld has no effect. All ports are open.