
Re: secured server policies



On 2008-11-08 daniel wrote:
> Ansgar Wiechers wrote:
>> On 2008-11-08 daniel wrote:
>>> In the rule iptables -A INPUT -p udp --sport 53 -m state --state
>>> ESTABLISHED,RELATED -j ACCEPT, the module state is not necessary,
>>> because it uses UDP, although it works.
>>>
>>> So, the correct form is:
>>> iptables -A INPUT -p udp -j ACCEPT
>> 
>> Wrong. netfilter does keep track even of UDP connections, so a rule
>> checking for state ESTABLISHED,RELATED will match only those packets
>> that relate to some other connection. Which usually is what you want
>> at that point.
> 
> Hummm, I thought that ESTABLISHED,RELATED worked with SYN, SYN/ACK,
> etc... Please, do you know where I can learn more about that?

Unless you are capable of reading (and understanding) the netfilter
source code, I'd suggest starting with the iptables man-page and the
documentation on netfilter.org, and then experiment on your own. Logging
rules will allow you to check what is or isn't matched as well as follow
the route of packets going through the chains.

IMHO practice (in a test environment) is the best way to get a feel for
how netfilter works.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
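Added illustration (not part of the thread, and not netfilter's own code): a small Python model of how connection tracking classifies UDP packets, used to compare the two INPUT rules quoted above. The addresses, the query's source port and the unsolicited packet are constructed; the model only covers NEW and ESTABLISHED (no timeouts, no RELATED helpers), which is enough to show why the stateless `-p udp --sport 53 -j ACCEPT` admits traffic that the stateful rule rejects.

```python
"""Toy model of netfilter connection tracking for UDP (constructed example).

Compares:
  -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A INPUT -p udp --sport 53 -j ACCEPT
against a DNS reply and against an unsolicited packet that merely carries
source port 53.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# conntrack key: (proto, src, sport, dst, dport)
Key = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Entry:
    seen_reply: bool = False  # becomes True once traffic flowed both ways


class Conntrack:
    """Minimal model: the first packet of a flow creates an entry (state NEW);
    the flow is ESTABLISHED once a packet in the reverse direction is seen.
    Timeouts and RELATED (helper-based) state are deliberately omitted."""

    def __init__(self) -> None:
        self.table: Dict[Key, Entry] = {}

    def classify(self, pkt: Packet) -> str:
        orig: Key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.table:            # reply direction of a known flow
            self.table[rev].seen_reply = True
            return "ESTABLISHED"
        entry = self.table.setdefault(orig, Entry())
        return "ESTABLISHED" if entry.seen_reply else "NEW"


def input_stateful(pkt: Packet, state: str) -> str:
    """... --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT, DROP policy."""
    if pkt.proto == "udp" and pkt.sport == 53 and state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    return "DROP"


def input_stateless(pkt: Packet, state: str) -> str:
    """... -p udp --sport 53 -j ACCEPT (the rule proposed in the quoted mail)."""
    if pkt.proto == "udp" and pkt.sport == 53:
        return "ACCEPT"
    return "DROP"


# Constructed addresses from the TEST-NET ranges.
HOST = "192.0.2.10"
RESOLVER = "192.0.2.53"
STRANGER = "198.51.100.7"


def run_scenario() -> Dict[str, Tuple[str, str, str]]:
    """Returns {name: (conntrack state, stateful verdict, stateless verdict)}."""
    ct = Conntrack()
    results: Dict[str, Tuple[str, str, str]] = {}

    # 1. The host sends a DNS query (leaves via OUTPUT; conntrack records the flow).
    query = Packet("udp", HOST, 40000, RESOLVER, 53)
    ct.classify(query)

    # 2. The resolver answers: the reverse tuple is known, so the reply is ESTABLISHED.
    reply = Packet("udp", RESOLVER, 53, HOST, 40000)
    st = ct.classify(reply)
    results["reply"] = (st, input_stateful(reply, st), input_stateless(reply, st))

    # 3. An unsolicited inbound UDP packet with source port 53 and no matching flow.
    unsolicited = Packet("udp", STRANGER, 53, HOST, 22)
    st = ct.classify(unsolicited)
    results["unsolicited"] = (st, input_stateful(unsolicited, st),
                              input_stateless(unsolicited, st))
    return results


if __name__ == "__main__":
    for name, (state, stateful, stateless) in run_scenario().items():
        print(f"{name:12s} state={state:11s} stateful={stateful:6s} stateless={stateless}")
```

The reply to the host's own query is accepted by both rules, but the unsolicited packet is NEW as far as conntrack is concerned, so only the stateless rule lets it through. That is the difference the reply in the thread is pointing at: `-m state` restricts the rule to answers the host actually asked for.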

