---
title: Ensure nftables Default Deny Firewall Policy
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Ensure nftables Default Deny Firewall
  Policy
---

# Ensure nftables Default Deny Firewall Policy
 
## Description{% #description %}

The base chain policy is the default verdict applied to packets that reach the end of the chain without matching a terminating rule. There are two policies: accept (the default) and drop. If the policy is accept, the firewall accepts any packet that no rule explicitly denies, and the packet continues traversing the network stack. Run the following commands and verify that every base chain has a policy of DROP.

```
$ nft list ruleset | grep 'hook input'
type filter hook input priority 0; policy drop;
$ nft list ruleset | grep 'hook forward'
type filter hook forward priority 0; policy drop;
$ nft list ruleset | grep 'hook output'
type filter hook output priority 0; policy drop;
```
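An added audit script (not part of this Datadog rule or of nftables itself) that applies the same check to the full `nft list ruleset` output instead of eyeballing three grep lines: a hook is reported as `accept` if any base chain attached to it is not `policy drop`, and its constructed sample ruleset includes the established/related and loopback accept rules that keep a default-deny input chain from cutting off an existing session.

```shell
#!/bin/sh
# Audit an nftables ruleset for a default-deny policy on the input, forward and
# output base chains. Uses the live ruleset when nft is usable, else the sample.

# Constructed sample (not captured from a real host): input and forward drop
# by default, but output still accepts, so the audit must fail on it.
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}'

# policy_for_hook HOOK RULESET -> "drop" when every base chain attached to HOOK
# (in any table) has policy drop, "accept" when at least one does not (accept is
# the kernel default for a base chain), "missing" when nothing hooks HOOK.
policy_for_hook() {
    matches=$(printf '%s\n' "$2" | grep "hook $1 ") || { echo missing; return 0; }
    if printf '%s\n' "$matches" | grep -qv 'policy drop'; then
        echo accept
    else
        echo drop
    fi
}

# check_default_deny RULESET -> prints "<hook>: <policy>" for the three filter
# hooks and returns 1 if any of them is not "drop".
check_default_deny() {
    status=0
    for h in input forward output; do
        p=$(policy_for_hook "$h" "$1")
        printf '%s: %s\n' "$h" "$p"
        [ "$p" = drop ] || status=1
    done
    return $status
}

# Prefer the live ruleset (needs root and nft); fall back to the sample.
ruleset=$(nft list ruleset 2>/dev/null) || ruleset=$SAMPLE_RULESET
check_default_deny "$ruleset" || echo "FAIL: a base chain still defaults to accept" >&2
```

Run as root on the host to audit the real ruleset; the script only prints FAIL and returns non-zero from `check_default_deny` when at least one hook is not default deny.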

## Rationale{% #rationale %}

It is easier to allow acceptable usage than to block unacceptable usage.

## Warning{% #warning %}

Changing firewall settings while connected over the network can result in being locked out of the system.
