What are the differences between policies and rules?

    Requires Free Membership to View

Policies and rules perform two distinct functions:

Policies represent the default behavior of your iptables firewall. They tell iptables what to do if no rule deals with a particular packet. There are three possible policies you can set: ACCEPT, REJECT or DROP. Respectively, these either tell iptables to accept the packet, reject the packet and return an error message, or drop the packet without sending an error message. Policies are applied only to the three default chains in iptables: INPUT, OUTPUT, and FORWARD. An example of the policy in action is if you have a packet that wants to be forwarded through your host. Netfilter checks and finds that no rule in your firewall matches that packet. Hence the firewall's response will be based on how its policy is configured. If you have set the default policy of the FORWARD chain to ACCEPT then the firewall will forward the packet on. If you set the policy to DROP then the packet will be dropped. The best default policy setting for your firewall is DROP -- you should only allow packets in, out and forwarded through your host if you explicitly grant that access.

Rules represent the individual rules that you can tailor to respond to different packets. They are far more granular than policies. Each rule has a series of criteria specified that match it to a particular type of packet, for example, only TCP packets incoming to port 80 from a particular interface. The rule also has an associated action that determines what the firewall should do with the packet if it matches the criteria of the rule. There are a number of potential actions and the Netfilter firewall can be very flexible about how it responds to traffic.

This was first published in August 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: