Re: looking for suggestions

To: Mike Mestnik <cheako911@yahoo.com>
Cc: debian-firewall@lists.debian.org
Subject: Re: looking for suggestions
From: Douglas Maxwell <doug@turinglabs.com>
Date: Tue, 11 May 2004 12:26:12 -0400
Message-id: <[🔎] 20040511162612.GI17193@turinglabs.com>
Mail-followup-to: Mike Mestnik <cheako911@yahoo.com>, debian-firewall@lists.debian.org
In-reply-to: <[🔎] 20040511161525.42937.qmail@web11902.mail.yahoo.com>
References: <[🔎] 20040511140422.GH17193@turinglabs.com> <[🔎] 20040511161525.42937.qmail@web11902.mail.yahoo.com>

On Tue, May 11, 2004 at 09:15:24AM -0700, Mike Mestnik wrote:
> > iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A OUTPUT -m state --state NEW -j ACCEPT
> > 
> I have seen this context used on BSD there it is manditory to allow
> "--state NEW"(with diffrent syntax) but "--state ESTABLISHED,RELATED" is
> silently added to another 'expected' table.  I was wondering what ipfilter
> NEEDs to operate?

I think you meant iptables? It doesn't absolutely *need* the
ESTABLISHED, RELATED rule, but it won't put it in by default. So if
you are accepting NEW packets, and you do not have the ESTABLISHED,
RELATED rule, you will have to explicitly allow future traffic, in
both directions. This is the way ipchains was - you could accept some
NEW connections (TCP only - by checking the SYN flag), but had to
create bi-directional rules for traffic beyond that.

Doug

Reply to:

Follow-Ups:
- Re: looking for suggestions
  - From: Mike Mestnik <cheako911@yahoo.com>

References:
- Re: looking for suggestions
  - From: Douglas Maxwell <doug@turinglabs.com>
- Re: looking for suggestions
  - From: Mike Mestnik <cheako911@yahoo.com>

Prev by Date: Re: looking for suggestions
Next by Date: Re: looking for suggestions
Previous by thread: Re: looking for suggestions
Next by thread: Re: looking for suggestions
Index(es):
- Date
- Thread