DROP first?
I'll admit that it's been a LOOOOONG time since I've hacked together my own iptables ruleset (I usually take the default rules that come with RHEL, and let BFD add rules automagically as needed), but I thought that iptables does a "first match" algorithm?
Thus, if you have a DROP rule, specifying the TCP protocol but no ports, it will deny unrelated packets from passing further down the chain.
As Jack says, this is a great rule for hosts (particularly workstations) that have no services for external consumption, but it shouldn't be the first rule on a server-class box.
Can anyone confirm please?
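The first-match behaviour asked about above, as an added illustration (not iptables itself, and not from the original post): a small Python model that reads a subset of iptables-save syntax, walks an INPUT chain in order, and reports which rules an earlier broader rule makes unreachable. The three rules and the packets are constructed; the model only knows `-p`, `--dport`, `--state` and `-j`, and ignores every other match extension.

```python
import shlex
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:                                   # one '-A INPUT ...' line
    proto: Optional[str] = None               # -p tcp|udp; None = any protocol
    dport: Optional[int] = None               # --dport N;  None = any port
    states: set = field(default_factory=set)  # --state A,B; empty = any state
    target: str = "ACCEPT"                    # -j TARGET

def parse_rule(line):
    """Parse a subset of iptables-save syntax (every option here takes one value)."""
    o = dict(zip(*[iter(shlex.split(line))] * 2))
    return Rule(o.get("-p"), int(o["--dport"]) if "--dport" in o else None,
                set(o["--state"].split(",")) if "--state" in o else set(), o["-j"])

def matches(rule, pkt):
    """Do this rule's criteria cover the packet (keys: proto, dport, state)?"""
    return ((rule.proto is None or rule.proto == pkt["proto"])
            and (rule.dport is None or rule.dport == pkt.get("dport"))
            and (not rule.states or pkt["state"] in rule.states))

def evaluate(rules, pkt, policy="ACCEPT"):
    """First match decides: the first rule covering the packet returns
    (target, index); the chain policy applies only if nothing matched."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.target, i
    return policy, None

def covers(broad, narrow):
    """True if every packet matching `narrow` would also match `broad`."""
    return (broad.proto in (None, narrow.proto) and broad.dport in (None, narrow.dport)
            and (not broad.states or (bool(narrow.states) and narrow.states <= broad.states)))

def shadowed(rules):
    """Indices of rules that an earlier, broader rule makes unreachable."""
    return [j for j, r in enumerate(rules) if any(covers(e, r) for e in rules[:j])]

# Constructed rule sets: the same three rules, with the bare TCP DROP first vs. last.
DROP_FIRST = [parse_rule(l) for l in (
    "-A INPUT -p tcp -j DROP",
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -p tcp --dport 22 -j ACCEPT")]
DROP_LAST = [DROP_FIRST[1], DROP_FIRST[2], DROP_FIRST[0]]
SSH_SYN = {"proto": "tcp", "dport": 22, "state": "NEW"}  # constructed: a new SSH connection
```

With the DROP first, the SSH accept rule is dead (index 2 is reported as shadowed) while a UDP packet still sails past the TCP-only DROP to the chain policy; on a real host, `iptables -vnL INPUT --line-numbers` shows per-rule packet counters, and a later rule whose counter never moves behind a broad early DROP is this same shadowing.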