
Re: iptables and apt-get

---------------------- Forwarded by Thomas Sudbrak/FI/Stockhausen/DE
on 11.09.2001 09:30 ---------------------------

Lindsay Allen <allen@cleo.murdoch.edu.au>@elm.cbcfreo.wa.edu.au> on
10.09.2001 16:46:24

Sent by:  Lindsay Allen <allen@elm.cbcfreo.wa.edu.au>

To:    <debian-firewall@lists.debian.org>
Cc:    <Thomas.Sudbrak@stockhausen.com>
Subject: Re: Re: iptables and apt-get

> Hello Thomas,
> Problem solved.

Good to hear :-)

> ...
> Instead of having one "-m state" rule Brad has a separate one for each
> service.  I have followed his lead without quite knowing just what is
> gained.  Maybe it limits what an intruder can do if he does get into the
> system.

I don't know if this is really necessary, since a connection should only
be assigned the status ESTABLISHED by the kernel if it has really been
established; since all "initiating" packets (e.g. SYN packets for TCP,
UDP with destination port 53 (domain)) should be carefully considered
anyway, it should be sufficient to set up explicit rules (i.e. addresses,
protocols, port numbers) there.  IMHO, specifying these parameters also for
ESTABLISHED and RELATED packets can only add security in the case of buggy
kernels (as was the case with 2.4.3 and ftp).  Could anyone comment, please?

> So I am indebted to you for your support and very much appreciate the
> help.  Thanks also to Michael Wood and Raffael Ferenc for their
> contributions.

You're welcome.

> Regards,
> Lindsay
> grandfather, ex pilot and Linux enthusiast
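The two rule styles this message compares, written out as an added example (this is not Brad's ruleset nor anything posted in the thread): explicit address/protocol/port matches on the "initiating" packets, followed by either one generic ESTABLISHED,RELATED rule or a per-service one that restates the same parameters. The admin network and resolver address are constructed documentation values; by default the script only prints the commands, and the `count_port_matched_rules` helper makes the difference between the two styles measurable.

```shell
#!/bin/sh
# Added example for the debian-firewall thread; not the original poster's rules.
# Addresses are constructed (RFC 5737 documentation ranges).
# By default the rules are only printed; run as root with APPLY=1 to load them.

ADMIN_NET="192.0.2.0/24"      # constructed: where SSH logins may come from
DNS_SERVER="198.51.100.53"    # constructed: the only resolver this host queries

if [ "${APPLY:-0}" = 1 ]; then IPT=iptables; else IPT="echo iptables"; fi

# Common part: default deny plus explicit rules for the initiating packets.
# This is where the real access decision is made, so protocol, port and
# address are all named, as the message recommends.
base_rules() {
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # TCP SYN to sshd, only from the admin network
    $IPT -A INPUT -p tcp --syn --dport 22 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT
    # our own DNS queries (UDP destination port 53), only to our resolver
    $IPT -A OUTPUT -p udp --dport 53 -d "$DNS_SERVER" -m state --state NEW -j ACCEPT
}

# Style A: one generic rule per chain. Whatever conntrack classifies as
# part of an already accepted connection is let through.
generic_state_rules() {
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Style B: one rule per service, repeating protocol, port and address.
# Adds nothing when conntrack is correct, but bounds what a classification
# bug (the 2.4.3 ftp case the message mentions) can let through.
per_service_state_rules() {
    $IPT -A INPUT  -p tcp --dport 22 -s "$ADMIN_NET"  -m state --state ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport 22 -d "$ADMIN_NET"  -m state --state ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -p udp --sport 53 -s "$DNS_SERVER" -m state --state ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 53 -d "$DNS_SERVER" -m state --state ESTABLISHED -j ACCEPT
}

# Count the rules in a generated ruleset that still carry a port match.
# $1 is the name of the state-rule function to combine with base_rules.
count_port_matched_rules() {
    { base_rules; "$1"; } | grep -c -- '--[sd]port'
}

# Print (or, with APPLY=1, load) the chosen variant; per-service is the default.
case "${1:-per-service}" in
    generic) base_rules; generic_state_rules ;;
    *)       base_rules; per_service_state_rules ;;
esac
```

Run it without arguments to see the per-service variant, or with `generic` for the single-rule variant; in both cases only the two NEW rules decide who may open a connection, which is the point the message makes.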

