Re: ssh connection survives reboot of stateful iptables router
martin f krafft wrote:
> on the basis that it's not okay to drop bad packets before
> accepting good packets, the following would not be okay even though
> they're logically equivalent?
I want to make things clear: dropping packets first is not bad; what
is bad is accepting packets with the assumption that they meet certain
requirements based on the fact that packets which don't meet these
requirements were dropped or rejected before by a previous rule.
accept NEW --dport ssh --syn
Good. All the requirements are in the accept rule, so it does not rely
on previous drop rules.
drop ! NEW
drop ! --syn
accept --dport ssh
Very bad! The accept rule relies on previous drop rules.
Ideally, you should not need any drop rules except at the very end of
the chain (or as the chain default policy, which of course must be
DROP). However you may have some drop rules for performance issues, to
avoid examination of the remaining rules. For instance, if you have a
user-defined chain containing all the rules for a given interface, you
can append a drop rule at the end of this chain so rules for other
interfaces are not examined.
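As an added illustration (not the poster's code and not a real ruleset), the following Python models iptables first-match chain evaluation and runs the "good" and "very bad" chains above against a constructed packet: a mid-stream ACK to port 22 arriving after the router's conntrack table was emptied by a reboot, which conntrack classifies as NEW under its default loose TCP tracking even though it is not a SYN. It also shows the verdict each chain would give after any single rule is deleted, which makes visible which drop rules the ACCEPT silently depends on. Rule names, packet fields and the chain policy are assumptions of the model.

```python
# Added illustration (not from the mailing-list thread): a model of
# iptables first-match evaluation showing why an ACCEPT rule should carry
# all its own match conditions instead of relying on earlier DROP rules.
# Rules and packets below are constructed for this example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    state: str   # conntrack state as "-m state" would see it: NEW, ESTABLISHED, ...
    dport: int   # destination TCP port
    syn: bool    # True for an initial SYN (what "--syn" matches)


# A rule is (match predicate, target); a chain is an ordered list of rules.
Rule = Tuple[Callable[[Packet], bool], str]
Chain = List[Rule]


def evaluate(chain: Chain, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for match, target in chain:
        if match(pkt):
            return target
    return policy


# "Good": accept NEW --dport ssh --syn, every condition in the rule itself.
GOOD: Chain = [
    (lambda p: p.state == "NEW" and p.dport == 22 and p.syn, "ACCEPT"),
]

# "Very bad": the final ACCEPT only means "NEW SYN to ssh" because of the
# two DROP rules that happen to precede it.
BAD: Chain = [
    (lambda p: p.state != "NEW", "DROP"),   # drop ! NEW
    (lambda p: not p.syn, "DROP"),          # drop ! --syn
    (lambda p: p.dport == 22, "ACCEPT"),    # accept --dport ssh
]


def without_rule(chain: Chain, index: int) -> Chain:
    """The chain as it would look after someone deletes one rule."""
    return chain[:index] + chain[index + 1:]


def verdicts(chain: Chain, pkt: Packet) -> Dict[str, str]:
    """Verdict for the chain as written and after each single-rule deletion,
    so a maintainer can see which rules the ACCEPT silently depends on."""
    result = {"as_written": evaluate(chain, pkt)}
    for i in range(len(chain)):
        result[f"without_rule_{i}"] = evaluate(without_rule(chain, i), pkt)
    return result


# Constructed packets. MIDSTREAM_ACK models an ACK to port 22 with no
# conntrack entry (the table was emptied by a reboot): conntrack reports
# it as NEW, but it is not a SYN, so neither chain should accept it.
MIDSTREAM_ACK = Packet(state="NEW", dport=22, syn=False)
HANDSHAKE_SYN = Packet(state="NEW", dport=22, syn=True)

if __name__ == "__main__":
    for name, chain in (("good", GOOD), ("bad", BAD)):
        print(name, "SYN to ssh:", evaluate(chain, HANDSHAKE_SYN))
        print(name, "mid-stream ACK:", verdicts(chain, MIDSTREAM_ACK))
```

Both chains behave identically as written. The difference shows up under maintenance: deleting the `drop ! --syn` rule from the bad chain turns its ACCEPT into "accept anything to port 22", while the good chain's ACCEPT keeps meaning exactly what it says no matter which other rules are added, removed or reordered around it.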