also sprach Pascal Hambourg <pascal.mail@plouf.fr.eu.org> [2006.07.04.1222 +0200]:
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -m conntrack --ctstate NEW -p tcp --syn -j open-tcp-ports
> > -A INPUT -m conntrack --ctstate NEW -p udp -j open-udp-ports
> >
> > -A open-tcp-ports --dport 22 -j ACCEPT
>
> Yes. You just need to add the protocol match (-p tcp) again, because the
> --dport match is valid only with TCP and UDP.

Right. One other question before I go and try out what I learnt today:
on the basis that it's not okay to drop bad packets before accepting
good packets, the following would not be okay even though they're
logically equivalent?

  accept ESTABLISHED,RELATED
  drop INVALID
  accept NEW --dport ssh --syn
  drop

and

  accept ESTABLISHED,RELATED
  drop INVALID
  drop ! NEW
  drop ! --syn
  accept --dport ssh
  drop

?

Thanks guys for your patience. ... and I thought I had moderately
understood this stuff.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

"an intellectual is someone who has found something
 more interesting than sex."
                                                        -- edgar wallace
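An added example, not part of the thread: a small Python evaluator that models the two chain orderings Martin asks about and checks them against constructed traffic. The `Packet` model, the predicate helpers and the rule list syntax are simplifications of iptables/conntrack written for this illustration (they mirror the `--ctstate`, `-p tcp`, `--syn` and `--dport` matches used above, with the `-p tcp` that Pascal points out is required before `--dport`); they are not the real tool. The point it makes is that both chains return the same verdict for every packet, and that the difference between them is only in how many rules each packet is tested against before a verdict is reached.

```python
"""Constructed evaluator for the two INPUT chain orderings from the mail.

Assumption (not from the thread): a packet is fully described by its
conntrack state, protocol, whether it is a TCP SYN and its destination
port. Each rule is a (verdict, predicate) pair; the first predicate that
matches decides, exactly like a chain walked top to bottom.
"""

from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Packet:
    ctstate: str   # NEW, ESTABLISHED, RELATED, INVALID or UNTRACKED
    proto: str     # "tcp" or "udp"
    syn: bool      # TCP SYN-only flag; ignored for udp
    dport: int


# Predicate helpers standing in for the iptables match modules.
def ctstate(*states):
    return lambda p: p.ctstate in states


def not_ctstate(*states):
    return lambda p: p.ctstate not in states


def tcp_syn(p):                       # -p tcp --syn
    return p.proto == "tcp" and p.syn


def not_tcp_syn(p):                   # -p tcp ! --syn (and anything not TCP)
    return not tcp_syn(p)


def tcp_dport(port):                  # -p tcp --dport <port>
    return lambda p: p.proto == "tcp" and p.dport == port


def all_of(*preds):
    return lambda p: all(f(p) for f in preds)


ANY = lambda p: True                  # a rule with no match: catch-all drop


# First ordering from the mail: accept known-good, drop invalid,
# accept new SSH SYNs, drop the rest.
RULESET_A = [
    ("ACCEPT", ctstate("ESTABLISHED", "RELATED")),
    ("DROP",   ctstate("INVALID")),
    ("ACCEPT", all_of(ctstate("NEW"), tcp_dport(22), tcp_syn)),
    ("DROP",   ANY),
]

# Second ordering: drop everything that is not a NEW SYN, then accept SSH.
RULESET_B = [
    ("ACCEPT", ctstate("ESTABLISHED", "RELATED")),
    ("DROP",   ctstate("INVALID")),
    ("DROP",   not_ctstate("NEW")),
    ("DROP",   not_tcp_syn),
    ("ACCEPT", tcp_dport(22)),
    ("DROP",   ANY),
]


def evaluate(ruleset, pkt):
    """Walk the chain top to bottom; return (verdict, rules_examined)."""
    for n, (verdict, match) in enumerate(ruleset, start=1):
        if match(pkt):
            return verdict, n
    return "POLICY", len(ruleset)     # unreachable here: both chains end in a catch-all


def sample_packets():
    """Constructed traffic: every state x protocol x SYN flag x two ports."""
    states = ["NEW", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED"]
    return [Packet(s, pr, syn, dp)
            for s, pr, syn, dp in product(states, ["tcp", "udp"], [True, False], [22, 80])]


def compare(ruleset_a, ruleset_b, packets=None):
    """Return (equivalent, mismatches, rules_checked_a, rules_checked_b)."""
    packets = packets or sample_packets()
    mismatches, cost_a, cost_b = [], 0, 0
    for pkt in packets:
        va, na = evaluate(ruleset_a, pkt)
        vb, nb = evaluate(ruleset_b, pkt)
        cost_a += na
        cost_b += nb
        if va != vb:
            mismatches.append((pkt, va, vb))
    return not mismatches, mismatches, cost_a, cost_b


if __name__ == "__main__":
    same, bad, ca, cb = compare(RULESET_A, RULESET_B)
    print("verdicts identical for all sample packets:", same)
    print("total rule checks over the sample: A=%d, B=%d" % (ca, cb))
```

Running it shows the two chains agree on every constructed packet; what differs is the number of rule evaluations, which is where the advice in the thread to accept ESTABLISHED,RELATED first comes from, since that rule catches the bulk of real traffic before any further matching.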