Re: looking for suggestions

To: Douglas Maxwell <doug@turinglabs.com>
Cc: debian-firewall@lists.debian.org
Subject: Re: looking for suggestions
From: Mike Mestnik <cheako911@yahoo.com>
Date: Tue, 11 May 2004 09:46:46 -0700 (PDT)
Message-id: <[🔎] 20040511164646.48443.qmail@web11902.mail.yahoo.com>
In-reply-to: <[🔎] 20040511162612.GI17193@turinglabs.com>

I guess what I was asking is do you NEED the --state NEW to use the other
states, like in BSD?

--- Douglas Maxwell <doug@turinglabs.com> wrote:
> On Tue, May 11, 2004 at 09:15:24AM -0700, Mike Mestnik wrote:
> > > iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > iptables -A OUTPUT -m state --state NEW -j ACCEPT
> > > 
> > I have seen this context used on BSD there it is manditory to allow
> > "--state NEW"(with diffrent syntax) but "--state ESTABLISHED,RELATED"
> is
> > silently added to another 'expected' table.  I was wondering what
> ipfilter
> > NEEDs to operate?
> 
> I think you meant iptables? It doesn't absolutely *need* the
> ESTABLISHED, RELATED rule, but it won't put it in by default. So if
> you are accepting NEW packets, and you do not have the ESTABLISHED,
> RELATED rule, you will have to explicitly allow future traffic, in
> both directions. This is the way ipchains was - you could accept some
> NEW connections (TCP only - by checking the SYN flag), but had to
> create bi-directional rules for traffic beyond that.
> 
> Doug
> 
> 



	
		
__________________________________
Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs  
http://hotjobs.sweepstakes.yahoo.com/careermakeover

Reply to:

Follow-Ups:
- Re: looking for suggestions
  - From: Douglas Maxwell <doug@turinglabs.com>

References:
- Re: looking for suggestions
  - From: Douglas Maxwell <doug@turinglabs.com>

Prev by Date: Re: looking for suggestions
Next by Date: Re: looking for suggestions
Previous by thread: Re: looking for suggestions
Next by thread: Re: looking for suggestions
Index(es):
- Date
- Thread