Re: iptables rules : two in one
Pascal Hambourg wrote:
> Franck Joncourt a écrit :
>> Andrey Kozlov wrote:
>>
>>> with use connection tracking you can define common rules for ongoing
>>> traffic on top of you rule set:
>>>
>>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>> and then add specific rules for any required services, e.g.:
>>>
>>> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
>>> -d pop.mail.yahoo.co.uk --dport 110 -m state --state NEW -j ACCEPT
>>>
>>> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
>>> -d pop.1and1.fr --dport 110 -m state --state NEW -j ACCEPT
>>>
>>
>> So it means, I accept both 'established' and 'related' connections
>> from/to any ports.
>
> Not only any ports but also any protocol, including DNS replies, ICMP
> replies and error notifications... without the need to explicitly allow
> each of them. That's why most stateful filtering setups use these kind
> of rules. I use a slightly modified version of these rules myself (there
> are some RELATED ICMP types I don't want to accept).
>
>> Then, I allow 'new' connections to port 110 (for
>> pop.1and1.fr and pop.mail.yahoo.co.uk).
>
> Yes. So instead of setting up rules for original and return traffic, you
> just need to set up one rule for the original traffic.
>
>> In the end, 'established' or 'related' connections from/to port 4895,
>> for instance, will be accepted, as well.
>
> Only after they have been first accepted as NEW.
>
>> Unless I am wrong, it is not really interesting in the case I have got a
>> mistake in my firewall, and accept 'new' connections from/to port 4895.
>> I allow more than I should without any reason.
>
> Why would you have a mistake in your firewall and accept explicitly
> traffic that you don't actually want to accept ?
>
>
You are right, there is no reason to have a mistake in my firewall ; I
just pointed out that in this case you only rely on one rule to block
outgoing traffic.
In my config file, I do not trust anything. Therefore, I drop everything
and explicitly allow what I need one by one. So, it makes it a bit messy :(!
I try to understand the rules I use, in order to get something strong ;
I did not see why I should have allowed rules I did not want. But,
according to you, it seems to be enough. In theory, I agree with you.
As I do not want to use stuff like shorewall, firestarter ... I will
take your remarks into account, have a better look at my firewall, and clean
it out.
I thank you again.
--
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
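As an added example (not part of the thread, and not Franck's actual configuration), here is a complete default-deny rule set built the way Andrey and Pascal describe: DROP policies, one ESTABLISHED,RELATED rule per chain for return traffic, and one NEW rule per service for the originating direction only. The loopback, INVALID, outgoing DNS and ICMP redirect lines are my own additions to make the set usable; the redirect drop merely illustrates Pascal's remark about not accepting every RELATED ICMP type, and which types to exclude is an assumption. IPTABLES defaults to "echo iptables" so the script can be run unprivileged to review the rules it would load; set IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Constructed example of a stateful default-deny rule set.
# Dry-run by default: prints the iptables commands instead of running them.
IPTABLES="${IPTABLES:-echo iptables}"
IFACE="${IFACE:-eth0}"            # assumed interface name
UNPRIVPORTS="1024:65535"          # value of $UNPRIVPORTS from the thread
# Hosts allowed for NEW outgoing POP3 connections (from the thread).
POP_HOSTS="pop.mail.yahoo.co.uk pop.1and1.fr"

load_rules() {
    # Default-deny: drop everything, then allow what is needed one by one.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F
    # Loopback traffic for local services (resolver, etc.).
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    # INVALID packets belong to no tracked connection; drop them before the
    # ESTABLISHED,RELATED rule so they never reach the service rules.
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
    # Assumed choice: ICMP redirects are RELATED to a tracked connection but
    # are dropped here rather than accepted by the rule that follows.
    $IPTABLES -A INPUT -p icmp --icmp-type redirect -j DROP
    # Return and related traffic, any port and any protocol (the two rules
    # from the thread).
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Originating direction only: one NEW rule per service, no return rule.
    for host in $POP_HOSTS; do
        $IPTABLES -A OUTPUT -o "$IFACE" -p tcp --sport "$UNPRIVPORTS" \
            -d "$host" --dport 110 -m state --state NEW -j ACCEPT
    done
    # Outgoing DNS queries so the host names above resolve at load time;
    # the replies come back through the ESTABLISHED rule on INPUT.
    $IPTABLES -A OUTPUT -o "$IFACE" -p udp --sport "$UNPRIVPORTS" \
        --dport 53 -m state --state NEW -j ACCEPT
}

# count_rules: in dry-run mode, count rule lines matching a pattern. Useful as
# a self-check that no NEW rule for an unintended port (e.g. 4895) slipped in.
count_rules() {
    load_rules | grep -c -- "$1" || true
}

load_rules
```

Run it as-is to review the generated rules, or `count_rules 'state NEW'` to list exactly how many originating-direction rules exist; only those rules decide which connections can ever become ESTABLISHED.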