
Re: ssh connection survives reboot of stateful iptables router



also sprach Pascal Hambourg <pascal.mail@plouf.fr.eu.org> [2006.07.04.1505 +0200]:
> >  accept ESTABLISHED,RELATED
> >  drop INVALID
> >  drop ! NEW
> >  drop ! --syn
> >  accept --dport ssh
> >  drop
> 
> Very bad! The accept rule relies on previous drop rules.

I understand the fundamental issue very well.
The things that can go wrong here are:

  - I accidentally delete or comment out one of the drop rules
  - "drop ! NEW" doesn't do the same as "!drop NEW" due to a bug
  - the universe folds in on itself

Are there any other ones I am overlooking?

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
a cigarette a day will make you fly away.
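The ordering dependency Pascal objects to, modelled as an added example (this is not code from the thread, and it does not touch a real netfilter table): a small first-match evaluator over the chain as posted, beside a variant whose ACCEPT carries its own `--state NEW --syn` conditions. The packets are constructed; the `state` field is the conntrack classification assumed for each (a mid-stream ACK picked up by loose TCP tracking is labelled NEW, which is what makes the posted chain depend on its `! --syn` drop). Removing that one drop rule flips the verdict for the posted chain and leaves the self-contained chain unchanged.

```python
"""Model iptables first-match evaluation for the INPUT chain from the thread.

Added example: it reproduces only the matches the ruleset uses (conntrack
state, --syn, --dport) and first-match-wins semantics, on constructed packets.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    dport: int
    state: str          # assumed conntrack verdict: NEW, ESTABLISHED, RELATED, INVALID
    syn: bool = False   # True when SYN is set and ACK/RST/FIN are clear (what --syn matches)


@dataclass(frozen=True)
class Rule:
    text: str                          # iptables-style spelling, for display and lookup
    match: Callable[[Packet], bool]
    target: str                        # "ACCEPT" or "DROP"


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule decides; the chain policy applies if none matches."""
    for rule in chain:
        if rule.match(pkt):
            return rule.target
    return policy


def to_ssh(p: Packet) -> bool:
    return p.proto == "tcp" and p.dport == 22


# The chain as posted. The ACCEPT on the ssh port matches any TCP packet to
# port 22; it is only safe because the DROPs above it have already removed
# everything that is not a fresh SYN opening a NEW connection.
FRAGILE = [
    Rule("-m state --state ESTABLISHED,RELATED -j ACCEPT",
         lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    Rule("-m state --state INVALID -j DROP", lambda p: p.state == "INVALID", "DROP"),
    Rule("-m state ! --state NEW -j DROP", lambda p: p.state != "NEW", "DROP"),
    Rule("-p tcp ! --syn -j DROP", lambda p: p.proto == "tcp" and not p.syn, "DROP"),
    Rule("-p tcp --dport ssh -j ACCEPT", to_ssh, "ACCEPT"),
    Rule("-j DROP", lambda p: True, "DROP"),
]

# Same intent, but the ACCEPT states its own conditions, so its meaning does
# not change when a rule above it is edited or removed.
ROBUST = [
    Rule("-m state --state ESTABLISHED,RELATED -j ACCEPT",
         lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    Rule("-p tcp --dport ssh -m state --state NEW --syn -j ACCEPT",
         lambda p: to_ssh(p) and p.state == "NEW" and p.syn, "ACCEPT"),
    Rule("-j DROP", lambda p: True, "DROP"),
]


def without(chain: List[Rule], fragment: str) -> List[Rule]:
    """Model 'accidentally commenting out' the rule whose text contains fragment."""
    return [r for r in chain if fragment not in r.text]


# Constructed test packets (not captured traffic).
SYN_TO_SSH = Packet("tcp", 22, "NEW", syn=True)            # a normal connection attempt
BARE_ACK_TO_SSH = Packet("tcp", 22, "NEW", syn=False)      # mid-stream ACK, no entry yet, assumed NEW
INVALID_SYN_TO_SSH = Packet("tcp", 22, "INVALID", syn=True)


def verdicts() -> dict:
    """Verdicts for each packet under the posted chain, the posted chain with its
    '! --syn' drop removed, and the self-contained chain."""
    chains = {
        "posted": FRAGILE,
        "posted minus '! --syn' drop": without(FRAGILE, "! --syn"),
        "self-contained": ROBUST,
    }
    pkts = {"syn": SYN_TO_SSH, "bare ack": BARE_ACK_TO_SSH, "invalid syn": INVALID_SYN_TO_SSH}
    return {(c, p): evaluate(chain, pkt) for c, chain in chains.items() for p, pkt in pkts.items()}


if __name__ == "__main__":
    for (chain_name, pkt_name), verdict in verdicts().items():
        print(f"{chain_name:32} {pkt_name:12} -> {verdict}")
```

The third row of the output is the one that matters: with the `! --syn` drop gone, the posted chain accepts a bare ACK to port 22, while the self-contained chain still drops it because its ACCEPT never matched that packet in the first place.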
