also sprach Pascal Hambourg <pascal.mail@plouf.fr.eu.org> [2006.07.04.1222 +0200]:
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -m conntrack --ctstate NEW -p tcp --syn -j open-tcp-ports
> > -A INPUT -m conntrack --ctstate NEW -p udp -j open-udp-ports
> >
> > -A open-tcp-ports --dport 22 -j ACCEPT
>
> Yes. You just need to add the protocol match (-p tcp) again, because the
> --dport match is valid only with TCP and UDP.
Right. One other question before I go and try out what I learnt
today: on the basis that it's not okay to drop bad packets before
accepting good packets, the following would not be okay even though
they're logically equivalent?
  accept ESTABLISHED,RELATED
  drop INVALID
  accept NEW --dport ssh --syn
  drop
and
  accept ESTABLISHED,RELATED
  drop INVALID
  drop ! NEW
  drop ! --syn
  accept --dport ssh
  drop
?
Thanks guys for your patience.
... and I thought I had moderately understood this stuff.
--
Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
"an intellectual is someone who has found
something more interesting than sex."
-- edgar wallace
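Whether the two rulesets in the post really decide the same thing for every packet can be checked by modelling first-match chain traversal. The following is an added Python model written for this page; it is not code from the thread, from iptables or from Debian, and it never touches netfilter. It assumes the shorthand "accept --dport ssh" means "-p tcp --dport 22" (since --dport needs a protocol match, as Pascal noted), that "drop ! --syn" is "-p tcp ! --syn" and so can only match TCP, and that the trailing "drop" is an INPUT policy of DROP. It also models the open-tcp-ports/open-udp-ports variant from the top of the thread with the protocol match restored, and a deliberately misordered ruleset that moves the "! --syn" drop ahead of the ESTABLISHED,RELATED accept, to show what that ordering actually changes.

```python
"""Toy model of netfilter INPUT-chain traversal (added example, not iptables).

Packets are reduced to the four fields the rules in the post inspect; the
packet space below is constructed, not captured traffic.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dport: int
    syn: bool       # True when SYN is set and ACK/RST/FIN are clear (what --syn tests)
    ctstate: str    # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


# Match helpers, one per iptables match used in the post.
def est_rel(p): return p.ctstate in ("ESTABLISHED", "RELATED")
def invalid(p): return p.ctstate == "INVALID"
def new(p): return p.ctstate == "NEW"
def tcp_syn(p): return p.proto == "tcp" and p.syn            # -p tcp --syn
def tcp_not_syn(p): return p.proto == "tcp" and not p.syn    # -p tcp ! --syn
def udp(p): return p.proto == "udp"
def any_(p): return True
def tcp_dport(port):                                         # -p tcp --dport <port>
    return lambda p: p.proto == "tcp" and p.dport == port


# First ruleset from the post; the trailing "drop" becomes the INPUT policy.
RULESET_A = {"INPUT": [
    (est_rel, "ACCEPT"),
    (invalid, "DROP"),
    (lambda p: new(p) and tcp_syn(p) and p.dport == 22, "ACCEPT"),
]}

# Second ruleset from the post. "! --syn" is assumed to carry -p tcp, so a
# UDP packet skips that rule instead of being dropped by it.
RULESET_B = {"INPUT": [
    (est_rel, "ACCEPT"),
    (invalid, "DROP"),
    (lambda p: not new(p), "DROP"),
    (tcp_not_syn, "DROP"),
    (tcp_dport(22), "ACCEPT"),
]}

# Chain-based variant from the top of the thread, with -p tcp restored
# on the --dport rule inside open-tcp-ports.
RULESET_CHAINS = {
    "INPUT": [
        (est_rel, "ACCEPT"),
        (lambda p: new(p) and tcp_syn(p), "open-tcp-ports"),
        (lambda p: new(p) and udp(p), "open-udp-ports"),
    ],
    "open-tcp-ports": [(tcp_dport(22), "ACCEPT")],
    "open-udp-ports": [],
}

# Misordered on purpose: the "! --syn" drop now runs before the
# ESTABLISHED,RELATED accept, so mid-connection (non-SYN) segments die.
RULESET_MISORDERED = {"INPUT": [
    (tcp_not_syn, "DROP"),
    (est_rel, "ACCEPT"),
    (invalid, "DROP"),
    (lambda p: not new(p), "DROP"),
    (tcp_dport(22), "ACCEPT"),
]}

TERMINAL = ("ACCEPT", "DROP")


def verdict(ruleset, pkt, chain="INPUT", policy="DROP"):
    """First match wins. A target naming a user chain jumps into it; if
    nothing there matches, traversal returns to the caller. Falling off
    the end of INPUT yields the chain policy."""
    for match, target in ruleset[chain]:
        if not match(pkt):
            continue
        if target in TERMINAL:
            return target
        sub = verdict(ruleset, pkt, chain=target, policy=None)
        if sub is not None:
            return sub
    return policy


def packet_space():
    """Every combination of the fields the rules look at (constructed)."""
    states = ("NEW", "ESTABLISHED", "RELATED", "INVALID")
    for proto, dport, syn, st in product(("tcp", "udp"), (22, 80), (True, False), states):
        if proto == "udp" and syn:
            continue                    # SYN is a TCP flag
        yield Packet(proto, dport, syn, st)


def differences(rs1, rs2):
    """Packets on which two rulesets disagree, as (packet, v1, v2); empty
    means the rulesets are equivalent over the modelled packet space."""
    return [(p, verdict(rs1, p), verdict(rs2, p))
            for p in packet_space() if verdict(rs1, p) != verdict(rs2, p)]


if __name__ == "__main__":
    print("A vs B:", differences(RULESET_A, RULESET_B))
    print("A vs chains:", differences(RULESET_A, RULESET_CHAINS))
    for p, a, m in differences(RULESET_A, RULESET_MISORDERED):
        print(f"misordered differs: {p} A={a} misordered={m}")
```

Run as a script, the first two comparisons print empty lists, and the misordered variant differs only on TCP ESTABLISHED/RELATED packets without SYN, which it drops where the others accept. The model covers only the fields the posted rules inspect; it says nothing about rules that match on interface, source address or other criteria.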