Looks like it's deferring "everything" sending to another chain, like a sub-grouping, where it allows tcp/4643 for management, or moves on with the rest of the main INPUT chain tree for the tcp/80 allows. Object-oriented ACLs, not unlike object-groups in Cisco or most firewall platforms.

It's easiest for them to maintain another list of "management" protocols as a separate chain programmatically, as that *should* always be present to at least restore usability from a base build. This is usually some blend of secure administration and usability on a canned VPS build. They assume that so long as you don't delete that management chain while getting frisky, you can get in and click a "magic reprovision and make go" button to restore new if you screw it up that badly. Anything user-added provisions by default without touching that specific chain; it just adds to the main INPUT chain past that point, for parsing allows normally.

-mb

On 06/04/2012 04:59 PM, AZ Pete wrote:
> Hi All,
>
> I'm in the process of setting up a new Virtual Private Server and am
> using Plesk to configure the firewall (among other things).
>
> I have the firewall configured how I want it within Plesk. However, when
> I SSH into the box and list the firewall rules (using iptables -L -n) I
> get way more rules than I set up within Plesk. I'm thinking that there
> must be several rules that were there beforehand as default from the
> hosting provider. One thing I do notice, however, is that for a given
> chain (in this case the INPUT chain) the very first rule is:
>
> -A INPUT -j VZ_INPUT
>
> The INPUT chain looks something like this (as given by iptables -L -n):
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> VZ_INPUT   all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     tcp  --  190.93.240.0/20      0.0.0.0/0            tcp dpt:80
> ACCEPT     tcp  --  108.162.192.0/18     0.0.0.0/0            tcp dpt:80
>
> blah, blah.....
>
> Chain VZ_INPUT (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:4643
> ... all the rest of the rules I entered in Plesk....
>
> VZ_INPUT is a user-defined chain that Plesk puts in, and that chain has
> all the rules I entered in the Plesk panel.
>
> My question is: if the above VZ_INPUT rule is the very first rule in the
> INPUT chain, does that mean for all input packets jump to the VZ_INPUT
> chain and process those rules, thus bypassing all the other inputs?
>
> The same sort of layout is also present for the OUTPUT & FORWARD chains.
>
> Any thoughts are appreciated.
> Thanks,
> Peter
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
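The point both posts turn on is how netfilter handles a jump to a user-defined chain: a packet that matches nothing in VZ_INPUT does not get dropped there, it falls back into INPUT right after the `-j VZ_INPUT` rule and keeps going, and only the built-in chain's policy (DROP here) decides when everything has been tried. The following is an added example, not code from the thread, from Plesk or from iptables itself: a small Python model of that traversal loaded with the chains from the quoted `iptables -L -n` listing. The 203.0.113.5 source address is a constructed value from the documentation range; the CIDRs and ports come from the listing.

```python
"""Toy model of netfilter chain traversal: jumps, fall-through and the policy.

Constructed for illustration; it is not how the kernel or iptables is
implemented, but it follows the same rules: a terminal target ends the
walk, a user chain with no match returns to the caller, and the built-in
chain's policy applies only when every rule has been tried.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str                    # ACCEPT/DROP/REJECT, RETURN, or a user chain name
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto != "all" and self.proto != pkt["proto"]:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class Chain:
    name: str
    rules: list = field(default_factory=list)
    policy: Optional[str] = None   # only built-in chains carry a policy


def traverse(chains: dict, chain_name: str, pkt: dict, trace: list) -> Optional[str]:
    """Walk one chain; return a verdict, or None if the chain fell off its end."""
    chain = chains[chain_name]
    for idx, rule in enumerate(chain.rules, 1):
        if not rule.matches(pkt):
            continue
        trace.append(f"{chain_name}[{idx}] -> {rule.target}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        # Jump into a user chain; if it reaches a verdict we are done,
        # otherwise processing resumes here with the next rule.
        verdict = traverse(chains, rule.target, pkt, trace)
        if verdict is not None:
            return verdict
    if chain.policy is not None:
        trace.append(f"{chain_name} policy -> {chain.policy}")
        return chain.policy
    return None


def build_ruleset() -> dict:
    """The INPUT and VZ_INPUT chains as shown in the quoted listing."""
    vz_input = Chain("VZ_INPUT", [Rule("ACCEPT", "tcp", dport=4643)])
    inp = Chain("INPUT", [
        Rule("VZ_INPUT"),                                  # -A INPUT -j VZ_INPUT
        Rule("ACCEPT", "tcp", "190.93.240.0/20", 80),
        Rule("ACCEPT", "tcp", "108.162.192.0/18", 80),
    ], policy="DROP")
    return {"INPUT": inp, "VZ_INPUT": vz_input}


def filter_packet(pkt: dict):
    """Return (verdict, trace) for a packet entering the INPUT chain."""
    trace: list = []
    verdict = traverse(build_ruleset(), "INPUT", pkt, trace)
    return verdict, trace


if __name__ == "__main__":
    samples = [
        {"proto": "tcp", "src": "203.0.113.5", "dport": 4643},   # management port
        {"proto": "tcp", "src": "190.93.241.7", "dport": 80},    # web, allowed range
        {"proto": "tcp", "src": "203.0.113.5", "dport": 80},     # web, other range
        {"proto": "tcp", "src": "203.0.113.5", "dport": 22},     # nothing matches
    ]
    for pkt in samples:
        verdict, trace = filter_packet(pkt)
        print(f"{pkt['src']}:{pkt['dport']} => {verdict:6}  via {' ; '.join(trace)}")
```

Running it shows the second sample reaching ACCEPT through `INPUT[2]` after VZ_INPUT declined it, which is the behaviour the question asks about: the jump does not bypass the later INPUT rules. It also shows why the reply treats the management chain as something to leave alone: with VZ_INPUT emptied, the tcp/4643 packet would fall through to the DROP policy like the last two samples.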