Iptables

Bradley J. Bartram bradbartram at ccsisp.com
Mon Aug 11 12:35:40 EDT 2003


The first one reached is the first one matched.  That's the reason your 
generic deny or allow is normally the final chain.

brad

On Monday 11 August 2003 12:21 pm, Ray Cherry wrote:
> Does anyone know what happens.. if a packet would...
> could technically match 2 different chains.... and
> having a different outcome on each....
>
> for instance
>   -A some_chain -d 192.168.1.0/24 -p tcp -m multiport
> "some ports"
>
>   -A some_other_chain  -o -dport "#" -j accept
>
> if the dport "#" is not listed in the "some ports", what
> will happen to a packet destined for the internal network but
> is not listed in "some ports"
>
> For organizational purposes I have decided not to
> simply add dport "#" to the "some ports"
>
> Ray
>
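
An added example, not part of the original posts: a small Python model of first-match traversal across the two chains named in the question, showing where a packet stops being evaluated. The port numbers, the ACCEPT targets and the order in which FORWARD jumps to the two chains are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed ruleset modelled on the thread. The port numbers, the ACCEPT
# targets and the jump order from FORWARD are assumptions for illustration.
CHAINS = {
    "FORWARD": [
        ({}, "some_chain"),          # like -j some_chain
        ({}, "some_other_chain"),    # like -j some_other_chain
        ({}, "DROP"),                # generic deny, placed last
    ],
    "some_chain": [
        ({"dst": "192.168.1.0/24", "proto": "tcp", "dports": {22, 80, 443}}, "ACCEPT"),
    ],
    "some_other_chain": [
        ({"proto": "tcp", "dports": {8080}}, "ACCEPT"),
    ],
}

def matches(match, pkt):
    """True when every criterion present in the rule matches the packet."""
    if "dst" in match and ip_address(pkt["dst"]) not in ip_network(match["dst"]):
        return False
    if "proto" in match and pkt["proto"] != match["proto"]:
        return False
    return "dports" not in match or pkt["dport"] in match["dports"]

def traverse(chains, chain, pkt, trace):
    """Walk a chain in order; None means the packet fell off the end."""
    for index, (match, target) in enumerate(chains[chain], start=1):
        if not matches(match, pkt):
            continue
        trace.append(f"{chain}#{index}")
        if target in ("ACCEPT", "DROP"):
            return target            # terminating target: later rules never run
        result = traverse(chains, target, pkt, trace)   # jump to a user chain
        if result is not None:
            return result            # otherwise resume after the jump rule
    return None

def verdict(pkt, chains=CHAINS, policy="DROP"):
    """Return (verdict, matched rules); the policy applies if nothing terminates."""
    trace = []
    return traverse(chains, "FORWARD", pkt, trace) or policy, trace

if __name__ == "__main__":
    for port in (80, 8080, 25):
        print(port, verdict({"dst": "192.168.1.10", "proto": "tcp", "dport": port}))
```

In this model a packet to port 8080 passes through some_chain without matching and is accepted in some_other_chain, while moving the generic DROP to the top of FORWARD drops everything before either chain is consulted.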



