Very Computer

I am just curious about something I have just read after got to the LFWTK
site.

If the default policy both in and out is set to DENY, why then are rules
appended eg:
ipchains -A input -i net1 --destination-port 23 -j DENY -l

Doesn't that just add more to the processing time?  Does ipchains operate
the same as ipfilter under OpenServer/BSD?

--
Wayne Jackson

http://www.powerup.com.au/~wjackson  --  Web Development
http://www.ozemail.com.au/~wmjackson --  SCO OpenServer Installation
http://users.bigpond.net.au/warp_kez --  SCO OpenServer Cable Connectivity

[snip]

Quote:> If the default policy both in and out is set to DENY, why then are rules
> appended eg:
> ipchains -A input -i net1 --destination-port 23 -j DENY -l

> Doesn't that just add more to the processing time?  Does ipchains operate
> the same as ipfilter under OpenServer/BSD?

Nope, and nope. When a rule matches, it stops processing.

Sometimes it's useful to have a *log* of things - otherwise how do you know
how well your firewall's performing?

~Tim
--

                                                | http://piglet.is.dreaming.org

Quote:> If the default policy both in and out is set to DENY, why then are rules
> appended eg:
> ipchains -A input -i net1 --destination-port 23 -j DENY -l

-l switch is used for loging packets. This command allows matching paquets
to get loged.

Quote:> Doesn't that just add more to the processing time? Does ipchains operate
> the same as ipfilter under OpenServer/BSD?

No, ipchains is a static sequential filter : when a rule match the paquet,
processing stops.
Using DENY even in a chain with DENY policy may be sometimes useful. For
example, if you want to allow a whole subnet except one host in this subnet,
you'll do it like this :
    ipchains -A input -s <banned_host> -j DENY
    ipchains -A input -s <subnet> -j ACCEPT