From: Benno Schulenberg
Date: Fri, 21 Apr 2006 21:36:56 +0200
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] netfilter: -P INPUT DROP in kernel
In-reply-to: <444820A8.30105@web.de>
Message-id: <200604212136.56507.benno.schulenberg@gmail.com>

Daniel Waeber wrote:
> I was looking for a way to set the default rule for the INPUT
> chain to DROP. I do not want to change the rule with iptables -P
> INPUT DROP after loading the kernel, I want that the
> kernel/modules automatically DROPS everything after it has been
> loaded.
> You can do this with the FORWARD chain with the parameter
> forward=0, but nothing is implemented for the INPUT chain as far
> as I know.
> I looked inside the kernel source of the modules, and hey, it is
> easy to change. I recompiled the module, reloaded it. Perfect,
> now I have default DROP.
> But as it is so easy to edit, why is there no option in the
> kernel or a parameter for the module?

Make a patch that adds this parameter, allowing one to set the
default policy for the input chain (and output chain too), and
submit it to the kernel list. Or show it here first. I'd be
interested.

(By the way, please do not reply to another message when starting a
new topic.)

Benno

-- 
gentoo-user@gentoo.org mailing list
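Added example (not from the thread, not from either poster): the gap being discussed is that iptable_filter comes up with INPUT and OUTPUT at ACCEPT, and only the FORWARD chain's default can be set at load time through the module parameter forward=0. Until a kernel-side option exists for the other chains, a practitioner wants two things: the modprobe options line that applies forward=0 at every load, and a check over iptables-save output that reports any filter-table built-in chain still at ACCEPT, rather than assuming the default-deny policy took. The iptables-save samples below are constructed for the example (one as the table looks straight after the module loads with forward=0, one after an atomic iptables-restore of a default-deny set); the modprobe.d fragment is what you would put in /etc/modprobe.d, and accept_policy_chains is a hypothetical helper name.

```shell
#!/bin/sh
# Example code added alongside the thread, not taken from it.

# modprobe.d fragment: forward=0 is the real iptable_filter module parameter
# mentioned in the thread. It sets the FORWARD chain's policy to DROP at load;
# it does nothing for INPUT or OUTPUT, which is exactly the gap under discussion.
modprobe_fragment() {
    printf 'options iptable_filter forward=0\n'
}

# Read iptables-save text on stdin and print, space-separated on one line, the
# built-in chains of the filter table whose policy is still ACCEPT. An empty
# line means every built-in policy is DROP (or REJECT is not possible here, so
# effectively DROP). Policy lines look like ":INPUT ACCEPT [0:0]".
accept_policy_chains() {
    awk '
        /^\*/ { table = substr($1, 2); next }
        table == "filter" && /^:(INPUT|FORWARD|OUTPUT) / {
            if ($2 == "ACCEPT") {
                name = substr($1, 2)
                out = out (out ? " " : "") name
            }
        }
        END { print out }
    '
}

# Constructed sample: the filter table as iptables-save shows it right after
# iptable_filter has been loaded with forward=0 and before any iptables -P.
SAMPLE_FRESH_LOAD='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: after an atomic iptables-restore of a default-deny set.
# iptables-restore commits policies and rules in one replace, so there is no
# moment where the rules exist but the policies are still ACCEPT.
SAMPLE_LOCKED_DOWN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

check_fresh_load()  { printf '%s\n' "$SAMPLE_FRESH_LOAD"  | accept_policy_chains; }
check_locked_down() { printf '%s\n' "$SAMPLE_LOCKED_DOWN" | accept_policy_chains; }

# Against a live box (root): iptables-save | accept_policy_chains
# A non-empty result names the chains that still accept by default.
```

The check reads iptables-save output rather than iptables -L because the save format carries the policy on a single ":CHAIN POLICY [pkts:bytes]" line per built-in chain, which is easy to parse and unaffected by rule listings. Note that even with forward=0 the first sample reports INPUT and OUTPUT, which is the window the original poster closed by editing the module source.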