> > > I think the idea is that nothing is accepted

It depends on the policy (-P): either ACCEPT, REJECT or DROP.

> unless it is in response to a request.

You must enable it explicitly, i.e. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

> What's to stop some spurious instructions being sent in response to a genuine request?

Packets do not contain instructions, only data. If your TCP/IP implementation doesn't have vulnerabilities, any packet shouldn't be a problem. A firewall prevents technically legal packets from reaching software that shouldn't be accessible from the Internet. In most cases a hacker finds an open port (a port listened to by some daemon) and connects to it. A firewall prevents the hacker from doing that.
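The ruleset the reply sketches, written out as an added example that is not from the thread: a DROP default policy on INPUT, followed by an explicit accept for RELATED,ESTABLISHED traffic so that only answers to connections this host opened get through. The loopback accept, the INVALID drop and the single exposed port (SSH on 22 by default) are my own assumptions about a typical minimal host firewall, not something the reply specifies. Applying the rules for real requires root and the iptables binary; passing `dry_run` as the command prints them instead.

```sh
#!/bin/sh
# Added example (not from the thread): minimal stateful INPUT chain.
# apply_rules [CMD]  - CMD defaults to iptables; pass "dry_run" to only print.

# Print a rule instead of applying it (used for previewing / self-checks).
dry_run() {
    printf '%s\n' "$*"
}

# Assumed for illustration: the one service we intentionally expose.
SERVICE_PORT="${SERVICE_PORT:-22}"

apply_rules() {
    ipt="${1:-iptables}"

    # Flush INPUT and set the default policy first. With -P INPUT DROP,
    # nothing is accepted unless a later rule says so.
    "$ipt" -F INPUT
    "$ipt" -P INPUT DROP

    # Local processes talking to each other over the loopback interface.
    "$ipt" -A INPUT -i lo -j ACCEPT

    # Packets that belong to (or are related to) a connection conntrack is
    # already tracking, i.e. replies to requests this host sent out.
    "$ipt" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Packets conntrack cannot classify at all (stray ACKs, bad flags).
    "$ipt" -A INPUT -m state --state INVALID -j DROP

    # The only port an outside client may open a NEW connection to.
    # Everything else falls through to the DROP policy above.
    "$ipt" -A INPUT -p tcp --dport "$SERVICE_PORT" -m state --state NEW -j ACCEPT
}

# Number of iptables invocations a dry run produces (quick self-check).
rule_count() {
    apply_rules dry_run | wc -l | tr -d ' '
}
```

Preview with `apply_rules dry_run`; the order matters because iptables evaluates rules top to bottom, so the RELATED,ESTABLISHED accept must precede any rule that would otherwise drop reply traffic.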