[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: iptables rules : two in one

Pascal Hambourg wrote:
> Franck Joncourt a écrit :
>> Andrey Kozlov wrote:
>>> with use connection tracking you can define common rules for ongoing
>>> traffic on top of you rule set:
>>> iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> and then add specific rules for any required services, e.g.:
>>> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
>>>       -d pop.mail.yahoo.co.uk --dport 110 -m state --state NEW -j ACCEPT
>>> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
>>>       -d pop.1and1.fr --dport 110 -m state --state NEW -j ACCEPT
>> So it means, I accept both 'established' and 'related' connections
>> from/to any ports.
> Not only any ports but also any protocol, including DNS replies, ICMP
> replies and error notifications... without the need to explicitly allow
> each of them. That's why most stateful filtering setups use these kind
> of rules. I use a slightly modified version of these rules myself (there
> are some RELATED ICMP types I don't want to accept).
>> Then, I allow 'new' connections to port 110 (for
>> pop.1and1.fr and pop.mail.yahoo.co.uk).
> Yes. So instead of setting up rules for original and return trafic, you
> just need to set up one rule for the original traffic.
>> In the end, 'established' or 'related' connections from/to port 4895,
>> for instance, will be accept, as well.
> Only after they have been first accepted as NEW.
>> Unless I am wrong, it is not really interesting in the case I have got a
>> mistake in my firewall, and accept 'new' connections from/to port 4895.
>> I allow more than I should without any reason.
> Why would you have a mistake in your firewall and accept explicitly
> traffic that you don't actually want to accept ?

You are right, there is no reason to have a mistake in my firewall ; I
just pointed out that in this case you only rely on one rule to block
outgoing traffic.
In my config file, I do not trust anything. Therefore, I drop everything
and explicitly allow what I need one by one. So, it makes it a bit messy :(!

I try to understand the rules I use, in order to get something strong ;
I did not see why I should have allowed rules I did not want. But,
according to you, it seems to be enough. In theory, I agree with you.

As I do not want to use stuff like shorewall, firestarter ... I will
take your remarks in count, have a better look at my firewall, and clean
it out.

I thank you again.

Franck Joncourt
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF  9A3C C490 534E 75C0 89FE

Copy addresses and emails from any email account to Yahoo! Mail - quick, easy and free. http://uk.docs.yahoo.com/trueswitch2.html

Reply to: