[Shorewall-newbies] First line "ACCEPT from anywhere to anywhere" OK?

Greg Bell gregbell at znet.com
Sun Jan 18 22:11:25 PST 2004

Hi Newbie-question-answerers,

I followed the 2-interface quickstart (I have a linux box with two NICs,
one's connected to a DSL modem, the other to my home network).

After shorewall does its thing, I did an iptables -L and noticed the first
line of the INPUT policy is an ACCEPT from anywhere to anywhere:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP      !icmp --  anywhere             anywhere           state INVALID
ppp0_in    all  --  anywhere             anywhere
eth1_in    all  --  anywhere             anywhere
common     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           LOG level info prefix `Shorewall:INPUT:REJECT:'
reject     all  --  anywhere             anywhere

Is this bad?  There's a later reject, but is iptables like ipchains where
the first rule that matches is the one that applies?

Thanks for the time,

~Greg Bell

Here's my required info:

# shorewall version

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet brd scope host lo
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:95:31:d5:cc brd ff:ff:ff:ff:ff:ff
5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:95:31:d2:ca brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth1
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    inet peer scope global ppp0

# ip route show
 dev ppp0  proto kernel  scope link  src 
 dev eth1  scope link
 dev eth1  scope link
 dev lo  scope link
default via  dev ppp0

Greg Bell 858-755-1915    (try gbell_spamless at yahoo.com if mail to me bounces)
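Two points the question turns on, with an added example that is not part of the original post or of Shorewall. First, iptables, like ipchains, walks a chain top to bottom and the first rule whose match succeeds and whose target terminates (ACCEPT, DROP, REJECT) decides the packet; later rules in that chain are never reached. Second, plain `iptables -L` does not print interface matches (`-i`/`-o`); only `-L -v -n` shows the in/out columns, and `iptables -S INPUT` or `iptables-save` prints the rule exactly as loaded. Since the `state INVALID` line above shows that state matches do appear under `-L`, an ACCEPT that shows nothing at all may still carry a hidden interface match (for instance a loopback rule), which is an assumption to verify, not a fact stated on this page. The script below takes rules in iptables-save format on stdin and separates ACCEPT rules that have no match at all (which would swallow everything below them) from ACCEPT rules whose only visible restriction is an interface. The sample rule set is constructed for illustration and is not Greg's actual ruleset; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall.
# Input: rules in iptables-save format (as printed by `iptables -S CHAIN`
# or `iptables-save`), one per line on stdin.

# Print ACCEPT rules in chain $1 that carry no match of any kind.
# A rule of the form "-A INPUT -j ACCEPT" has exactly four fields: nothing
# sits between the chain name and the target, so it matches every packet
# and, because the first terminating match wins, nothing below it is reached.
unqualified_accepts() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if (NF == 4 && $3 == "-j" && $4 == "ACCEPT") print
        }'
}

# Print ACCEPT rules in chain $1 that are restricted by an interface match
# (-i or -o). These are the ones plain `iptables -L` shows as
# "ACCEPT all -- anywhere anywhere", because -L hides interface matches
# unless you add -v.
interface_qualified_accepts() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && $(NF-1) == "-j" && $NF == "ACCEPT" {
            for (i = 3; i < NF - 1; i++)
                if ($i == "-i" || $i == "-o") { print; break }
        }'
}

# Constructed sample rule set (hypothetical; not the ruleset from the post).
# The first rule is interface-restricted, the fourth is a genuine catch-all.
SAMPLE='-A INPUT -i lo -j ACCEPT
-A INPUT ! -p icmp -m state --state INVALID -j DROP
-A INPUT -i ppp0 -j ppp0_in
-A INPUT -j ACCEPT
-A INPUT -j common'

# Helpers that return counts from the sample, so the result can be checked.
count_unqualified() {
    printf '%s\n' "$SAMPLE" | unqualified_accepts INPUT | wc -l | tr -d ' '
}

count_interface_qualified() {
    printf '%s\n' "$SAMPLE" | interface_qualified_accepts INPUT | wc -l | tr -d ' '
}

# Stand-alone run: on a live box replace the sample with `iptables -S INPUT`.
printf 'Catch-all ACCEPT rules in INPUT (bad):\n'
printf '%s\n' "$SAMPLE" | unqualified_accepts INPUT
printf 'Interface-restricted ACCEPT rules in INPUT (hidden by plain -L):\n'
printf '%s\n' "$SAMPLE" | interface_qualified_accepts INPUT
```

On a live system, `iptables -S INPUT | unqualified_accepts INPUT` printing nothing means no rule in INPUT accepts unconditionally; if the suspicious rule shows up under `interface_qualified_accepts` instead, the "anywhere to anywhere" display was just `-L` omitting the interface column.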

