
Re: Connection states information tables



--- Lorenzo Rossi <condor_rl@libero.it> wrote:

> 
> Hi,
>  I have a question concerning the tables in which the information about
>  connection state is maintained.
>  I configured my firewall script with the following lines, to permit the
>  SSH traffic originated from the protected zone to go to Internet.
> 
>  iptables -A TCP_IN -i $INTERFACE -p tcp --sport 22 -m state --state
>  ESTABLISHED -j ACCEPT
> 
>  iptables -A TCP_OUT -o $INTERFACE -p tcp --dport 22 -m state --state
>  NEW,ESTABLISHED -j ACCEPT
> 
> The custom chain TCP_IN is listed in the default INPUT chain.
> The custom chain TCP_OUT is listed in the default OUTPUT chain.
> The default policy for the INPUT and OUTPUT chains, as you can imagine,
> is to DROP.
> 
>  My question is:
>  How many state tables are used? one table for each main chain?
>  One for INPUT and one for OUTPUT?
> 
>  I'm a bit confused..... :)
> 
So are most of us.  These questions are not documented, so we are left to
experiment and guess.

There should be a state table for each pair of outgoing and incoming,
though I'm not sure this is true.

In any case, for each OUTGOING pkt there should be state to accept the
corresponding INCOMING packet.  Whether the interface this pkt is expected
to arrive on is stored is beyond me.  I would hope that in the future we
would be able to accept pkts that are destined to arrive on interface A on
interface B.

>  Thanks
>  Lorenzo

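An added example (my own script, not from either poster) that builds the two SSH rules from the question in dry-run form and then reads the connection-tracking table that both rules consult. It assumes INTERFACE=eth0 and uses IPT=echo by default so it runs without root; the state lives in one kernel-wide conntrack table (exposed at /proc/net/nf_conntrack, or /proc/net/ip_conntrack on older kernels), not in one table per chain.

```shell
#!/bin/sh
# Added example, not from the original thread. IPT defaults to "echo" so the
# rules are only printed; set IPT=iptables to apply them. INTERFACE is assumed.
IPT="${IPT:-echo}"
INTERFACE="${INTERFACE:-eth0}"

# Outbound SSH from the protected zone, as in the question, with the typo
# fixed: the jump flag is lower-case -j (there is no upper-case -J option).
ssh_rules() {
    $IPT -A TCP_OUT -o "$INTERFACE" -p tcp --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies never need NEW; adding RELATED also accepts ICMP errors that
    # conntrack ties to the SSH connection.
    $IPT -A TCP_IN -i "$INTERFACE" -p tcp --sport 22 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Connection tracking keeps one table for the whole kernel (one per network
# namespace on newer kernels), not one per chain or per direction: the
# TCP_OUT and TCP_IN rules above are both answered from the same entries.
# This lists the TCP entries for destination port 22 from that table.
ssh_conntrack_entries() {
    for f in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
        if [ -r "$f" ]; then
            grep -E '^(ipv4 +2 +)?tcp ' "$f" | grep -E 'dport=22( |$)'
            return 0
        fi
    done
    echo "no readable conntrack table (module not loaded or no permission)" >&2
    return 1
}

ssh_rules
```

Run it as root with IPT=iptables after an outbound ssh session to see the same entry match both the -i and -o rule.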


