
Re: iptables and apt-get



No no. I have been having the problem for quite a few days :( Besides, I
also use the www.mirror.ac.uk service too!
----- Original Message -----
From: "Desai, Jason" <jase@sensis.com>
To: <debian-security@lists.debian.org>
Sent: Tuesday, March 11, 2003 5:48 PM
Subject: RE: iptables and apt-get


> Hi.  My guess is that security.debian.org was not available when you tried
> it (there were other posts to this list indicating that the server was
> down).  So you were getting icmp errors back.  The RELATED state allows
> this.  If security.debian.org was up and running, you probably would not
> have had any errors at all.
>
> Jason
>
> > -----Original Message-----
> > From: Victor Calzado Mayo [mailto:vcalzado@cnio.es]
> > Sent: Tuesday, March 11, 2003 11:31 AM
> > To: debian-security@lists.debian.org
> > Subject: Re: iptables and apt-get
> >
> >
> > Hi there
> > On Tuesday 11 March 2003 15:48, Ian Goodall wrote:
> > > All is fine now. Adding the line:
> > >
> > > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > >
> > > fixes the problem. Does anyone know what this line does? I found this
> > > using an online script generator at http://www.iptables.1go.dk/index1.php.
> >
> > You are probably using some FTP server in your sources.list, and probably
> > you are using so-called active FTP. In this kind of connection the server
> > itself initiates the data transfer connection with the client host (so
> > SYNs are sent directly from server to client, and in a firewalled
> > environment they are dropped).
> >
> > The added rule takes care of this kind of connection, telling iptables
> > that SYNs sent from the FTP server to the client host are related to an
> > established FTP connection opened from the client host to the server and
> > should be permitted (even when they come with a SYN request from the
> > server) (it acts like a state module (somehow related to the ip_masq
> > modules for ftp, quake or irc) that ensures that this kind of connection
> > (which uses a range of ports higher than 1023, but not assigned until the
> > connection is established)
> >
> > I hope it helps. Excuse my English and have a look at the Netfilter
> > Howto; any good page about FTP servers in firewalled environments will
> > help too. Have a look at:
> >
> > http://slacksite.com/other/ftp.html
> >
> > And if you are very, very interested you can always look for the FTP RFC.
> >
> > >
> > > Thanks for all your help. This is the sort of thing that this list
> > > should be used for instead of debating what should be on it / other spam :)
> > > ----- Original Message -----
> >
> >
> > Kind Regards
> > Victor
> >
> >
> > > From: "I.R.van Dongen" <vdongen@hetisw.nl>
> > > To: "Ian Goodall" <ijg@iangoodall.co.uk>
> > > Cc: <debian-security@lists.debian.org>
> > > Sent: Tuesday, March 11, 2003 12:59 PM
> > > Subject: Re: iptables and apt-get
> > >
> > > > iptables -A OUTPUT -p tcp -d <mirror>/32 --dport 80 -j ACCEPT
> > > >
> > > > On Tue, 11 Mar 2003 00:45:48 -0000
> > > >
> > > > "Ian Goodall" <ijg@iangoodall.co.uk> wrote:
> > > > > Hi Guys,
> > > > >
> > > > > I am setting up iptables on my Debian woody box. I have decided to
> > > > > close everything and then open up just ssh and ssl. This obviously
> > > > > prevents my apt-get update from working. What ports do I need to
> > > > > open for this to work? If it helps I am going through a proxy to
> > > > > get to the internet.
> > >
> > > > > Thanks
> > > > >
> > > > > ijg0
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
> >
>
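
What the `ESTABLISHED,RELATED` rule asked about in this thread does, as a toy Python model added here (not code from any poster or from netfilter). `Firewall`, `demo` and the addresses are constructed; it assumes OUTPUT accepts, INPUT is default-drop with only ssh open, and an FTP conntrack helper is loaded to register the data-connection expectation.

```python
# Toy model of netfilter connection tracking for one host (constructed, not kernel code).
from collections import namedtuple
# "about" is the (src, sport, dst, dport) flow an ICMP error quotes; None otherwise.
Packet = namedtuple("Packet", "proto src sport dst dport about", defaults=(None,))

class Firewall:
    def __init__(self, stateful_rule):
        self.stateful_rule = stateful_rule  # is the ESTABLISHED,RELATED rule loaded?
        self.flows = set()      # conntrack table: flows this host opened
        self.expected = set()   # expectations registered by a helper such as the FTP one

    def output(self, p):
        # OUTPUT is assumed to accept; conntrack records the outgoing flow.
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def expect(self, src, dst, dport):
        # What an FTP conntrack helper does after seeing PORT on the control channel.
        self.expected.add((src, dst, dport))

    def state(self, p):
        if p.proto == "icmp" and p.about in self.flows:
            return "RELATED"        # ICMP error about a flow we opened
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ESTABLISHED"    # reply direction of a flow we opened
        if (p.src, p.dst, p.dport) in self.expected:
            return "RELATED"        # expected active-FTP data connection
        return "NEW"

    def input(self, p):
        if p.proto == "tcp" and p.dport == 22:   # -A INPUT -p tcp --dport 22 -j ACCEPT
            return "ACCEPT"
        # -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        if self.stateful_rule and self.state(p) in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"
        return "DROP"                            # -P INPUT DROP

def demo(stateful_rule):
    host, mirror = "192.0.2.10", "198.51.100.5"   # constructed documentation addresses
    fw = Firewall(stateful_rule)
    fw.output(Packet("tcp", host, 40000, mirror, 80))    # apt-get opens HTTP
    fw.output(Packet("tcp", host, 40001, mirror, 21))    # FTP control connection
    fw.expect(mirror, host, 40002)                       # client announced port 40002
    inbound = {
        "http_reply": Packet("tcp", mirror, 80, host, 40000),
        "icmp_error": Packet("icmp", "203.0.113.1", 0, host, 0, (host, 40000, mirror, 80)),
        "ftp_data": Packet("tcp", mirror, 20, host, 40002),
        "unsolicited": Packet("tcp", "203.0.113.9", 5555, host, 80),
    }
    return {name: fw.input(p) for name, p in inbound.items()}
```

`demo(False)` drops all four inbound packets, including the replies to apt-get's own request; `demo(True)` accepts the first three and still drops the unsolicited connection attempt.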


