Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]



On 11 Sep 2004, Jonas Meurer wrote:
> On 09/09/2004 Mike Mestnik wrote:

[...]

>> You would think that NEW,ESTABLISHED,RELATED might match every pkt, this
>> might be bad.  This is not the case I'm sure.  For example you wouldn't
>> want to accept TCP data for a "logical connection" that we have not seen a
>> SYN(connection request) for.

I don't know where the OP got the idea that matching on those three
characteristics would match "every packet", but it is wrong.

This will allow any packet that is the start of a new connection (NEW),
part of an established connection (ESTABLISHED) or related to an
established connection (RELATED).

A random packet that does not start a connection, and that is not part
of an existing connection, will not be matched.

> so you suggest what? after you told me that ESTABLISHED and RELATED are
> also important for input, now the input rule is:

[...]

> do you mean that I now accept tcp data for connections that have no
> connection request. you mean spoofing attacks?

No. You now have something that achieves what you want.  The OP is
confused about the meaning of the state match "state" values.

         Daniel
-- 
I am constantly amazed when I talk to young people to learn
how much they know about sex and how little about soap.
        -- Billie Burke
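The state matching discussed above, as an added illustration that is not part of the original thread: a deliberately simplified model of the conntrack classifier (TCP only, no timeouts, no RELATED tracking, strict mode where only a SYN can open a connection; the sample packets and addresses are constructed). It shows why a rule accepting NEW,ESTABLISHED,RELATED still drops a stray data packet for a connection whose SYN was never seen.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet: 4-tuple plus TCP flags ("S", "SA", "A", "PA", ...)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


class ConnTracker:
    """Toy conntrack table. Real netfilter adds timeouts, RELATED (ICMP
    errors, FTP data channels) and, with nf_conntrack_tcp_loose=1, also
    picks up mid-stream connections; this model is the strict case."""

    def __init__(self) -> None:
        self.table: set[tuple] = set()

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Direction-independent key so replies hit the same entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def classify(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.table:
            return "ESTABLISHED"          # belongs to a tracked connection
        if p.flags == "S":
            self.table.add(key)           # bare SYN opens a connection
            return "NEW"
        return "INVALID"                  # data/ACK for an unknown connection


# Mirrors: iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# with a default DROP policy on INPUT.
ACCEPT_STATES = {"NEW", "ESTABLISHED", "RELATED"}


def filter_input(packets: list[Packet]) -> list[tuple[str, str]]:
    ct = ConnTracker()
    out = []
    for p in packets:
        state = ct.classify(p)
        out.append((state, "ACCEPT" if state in ACCEPT_STATES else "DROP"))
    return out


# Constructed sample traffic toward an SSH server at 192.0.2.10.
SAMPLE = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 22, "S"),      # SYN -> NEW
    Packet("192.0.2.10", 22, "10.0.0.5", 40000, "SA"),     # reply -> ESTABLISHED
    Packet("10.0.0.5", 40000, "192.0.2.10", 22, "PA"),     # data -> ESTABLISHED
    Packet("198.51.100.9", 5555, "192.0.2.10", 22, "PA"),  # no SYN seen -> INVALID
]
```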
