(Please Cc: any subsequent reply to the public tails-dev@??? ML.)
> It seems that the default policy should always be DENY, rather
> than ACCEPT.
The filter table policies are set to DROP, so let's assume you're
talking of the nat table.
If we'd set the nat table policies to DROP, we would have to
duplicate all our white-list rules from the filter table to the
nat table, which means more maintenance work, so unless we're
shown practical issues that are created by leaving the current
ACCEPT policies in the nat table, I doubt we'll change this.