Re: Iptables config
* Quoting Mathias Palm (Mathias.Palm@gmx.net):
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Sorry, I don't get that. The manpage says:
>
> ...ESTABLISHED meaning that the
> packet is associated with a connection which has
> seen packets in both directions...
> ^^^^
> But if I initiate a connection, it shouldn't have seen packages in both
> directions, should it? What am I missing?
That's for the FORWARD chain. In the INPUT chain,
you only have one direction, so it sees the
syn,ack packet and treats the connection
as established.
> ...RELATED meaning that the packet is starting a new connection,
> but is associated with an existing connection, such
> as an FTP data transfer, or an ICMP error...
That's where the protocol helpers come into
play. They keep track of what's happening at the
protocol level and see when a data connection is
requested. That also makes them potentially
more vulnerable to exploits.
> How does iptables find out, that a newly initiated connection is related
> to another existing one? By process number, by vicinity in time or
> something other?
In the FTP case it sees the PORT command inside
the FTP connection. With other connections it uses
some sort of heuristics. You could also say it
kind of guesses.
- Rolf
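The rules under discussion written out as a complete host policy (an added example, not part of the thread): it accepts replies and helper-announced data connections through conntrack state, and confines the FTP helper to port 21 control connections instead of letting it attach to every flow, which limits the exposure Rolf mentions. The iptables path, the interface name, and the use of the newer `-m conntrack --ctstate` spelling of the `-m state --state` match are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful host firewall
# that accepts reply traffic via conntrack and hands the FTP helper only
# the flows that need it. IPT and WAN are assumptions.
IPT=${IPT:-iptables}
WAN=${WAN:-eth0}

stateful_rules() {
    # Emit the commands as text so they can be reviewed (or diffed
    # against the running ruleset) before being piped to sh as root.
    cat <<EOF
# Helper module for the FTP control channel (parses PORT/PASV).
modprobe nf_conntrack_ftp
# Kernels before 6.0 may attach helpers to every flow that matches a
# port number; turn that off so only explicitly assigned flows get one.
sysctl -q -w net.netfilter.nf_conntrack_helper=0
# Assign the FTP helper to inbound control connections only, in the raw
# table, before conntrack creates the entry.
$IPT -t raw -A PREROUTING -i $WAN -p tcp --dport 21 -j CT --helper ftp
# Drop packets conntrack cannot classify (bad flags, stale state).
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections this host opened, plus helper-announced data
# connections (RELATED): this is the rule Mathias asked about.
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections are allowed only to the services listed here.
$IPT -A INPUT -i $WAN -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -P INPUT DROP
EOF
}

# Count the rules that hand a flow to a conntrack helper, so a reviewer
# can check the helper's reach before applying the set.
helper_rule_count() {
    stateful_rules | grep -c -- '--helper '
}

# Print the rules by default; apply them only when asked explicitly.
if [ "${1:-}" = "--apply" ]; then
    stateful_rules | sh
else
    stateful_rules
fi
```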