
RE: iptables and apt-get



Hi.  My guess is that security.debian.org was not available when you tried
it (there were other posts to this list indicating that the server was
down).  So you were getting icmp errors back.  The RELATED state allows
this.  If security.debian.org was up and running, you probably would not
have had any errors at all.

Jason

> -----Original Message-----
> From: Victor Calzado Mayo [mailto:vcalzado@cnio.es]
> Sent: Tuesday, March 11, 2003 11:31 AM
> To: debian-security@lists.debian.org
> Subject: Re: iptables and apt-get
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi there
> On Tuesday 11 March 2003 15:48, Ian Goodall wrote:
> > All is fine now. Adding the line:
> >
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > fixes the problem. Does anyone know what this line does? I found this using
> > an online script generator at http://www.iptables.1go.dk/index1.php.
> 
> You are probably using some ftp server in your sources.list, ftp and probably
> you are using the so-called active ftp. In this kind of connection the server
> itself initiates the data transfer connection with the client host (so, SYNs
> are sent directly from server to client, and in a firewalled environment
> they are dropped).
> 
> The added rule takes care of this kind of connection, telling iptables that
> SYNs sent from the ftp server to the client host are related to an
> established ftp connection opened from the client host to the server and
> should be permitted (even when they come with a SYN request from the server)
> (it acts like a state module (somehow related to the ip_masq modules for ftp,
> quake or irc) that ensures that this kind of connection (that uses a range of
> ports higher than 1023, but not assigned until the connection is established)
> 
> I hope it helps, excuse my English, and have a look at the Netfilter Howto; any
> good page about ftp servers in firewalled environments will help too. Have a
> look at:
>  
> http://slacksite.com/other/ftp.html
> 
> And if you are very, very interested you can always look for the ftp rfc.
> 
> >
> > Thanks for all your help. This is the sort of thing that 
> this list should
> > be used for instead of debating what should be on it / other spam :)
> > ----- Original Message -----
> 
> 
> Kind Regards
> Victor
> 
> 
> > From: "I.R.van Dongen" <vdongen@hetisw.nl>
> > To: "Ian Goodall" <ijg@iangoodall.co.uk>
> > Cc: <debian-security@lists.debian.org>
> > Sent: Tuesday, March 11, 2003 12:59 PM
> > Subject: Re: iptables and apt-get
> >
> > > iptables -A OUTPUT -p tcp -d <mirror>/32 --dport 80 -j ACCEPT
> > >
> > > On Tue, 11 Mar 2003 00:45:48 -0000
> > >
> > > "Ian Goodall" <ijg@iangoodall.co.uk> wrote:
> > > > Hi Guys,
> > > >
> > > > I am setting up iptables on my debian woody box. I have decided to
> > > > close everything and then open up just ssh and ssl. This obviously
> > > > prevents my apt-get update from working. What ports do I need to open
> > > > for this to work. If it helps I am going through a proxy to get to the
> > > > internet.
> >
> > > > Thanks
> > > >
> > > > ijg0
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQE+bguJEzqHF8R72ekRApCeAJ9xBSZUqs/4anueP+qUXevmwLMEdQCfTg43
> NBzKsI3G9/3SKJN8+N2J540=
> =opBe
> -----END PGP SIGNATURE-----
> 
> 
> 
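The thread never shows the whole ruleset, only the one line that fixed it. Below is an added example (not code from any poster) of a default-deny iptables setup for the situation Ian describes: inbound ssh and ssl only, outbound apt-get through a proxy, with the ESTABLISHED,RELATED rule in place and the ftp conntrack helper loaded so that an active-mode FTP data connection is actually classified RELATED. The proxy address 192.0.2.10:3128, the optional MIRROR_IP, and the DRY_RUN switch are assumptions of this example; the module names nf_conntrack_ftp (2.6.15 and later) and ip_conntrack_ftp (2.4, as on woody) are the standard netfilter ones. By default the script only prints the commands it would run; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread: default-deny iptables ruleset that
# still lets apt-get reach its proxy. PROXY_IP/PROXY_PORT/MIRROR_IP are
# placeholders (assumptions). DRY_RUN=1 (the default) prints the commands
# instead of applying them; DRY_RUN=0 applies them (needs root).

DRY_RUN="${DRY_RUN:-1}"
PROXY_IP="${PROXY_IP:-192.0.2.10}"   # assumed HTTP proxy used by apt
PROXY_PORT="${PROXY_PORT:-3128}"     # assumed proxy port
MIRROR_IP="${MIRROR_IP:-}"           # optional: direct mirror, when there is no proxy

# Run iptables, or print the command when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Active-mode FTP: the server opens the data connection towards the client.
# conntrack marks that connection RELATED only if the ftp helper has seen the
# PORT command on the control connection, so the helper must be loaded.
load_ftp_helper() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "modprobe nf_conntrack_ftp"
    else
        modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    fi
}

build_rules() {
    # Clean slate and default-deny on every chain.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Loopback: local daemons, and apt talking to a proxy on this same box.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # The rule from the thread. ESTABLISHED matches the replies to connections
    # this host opened. RELATED matches packets conntrack ties to an existing
    # flow: ICMP errors such as the destination-unreachable that comes back
    # when the mirror is down (Jason's point), and, with the ftp helper loaded,
    # the server-initiated data connection of an active FTP transfer.
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound services the original poster wanted open: ssh and ssl (https).
    # Only the first packet of a flow (NEW) needs a rule; the rest is ESTABLISHED.
    ipt -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

    # Outbound: DNS so names resolve, then apt-get's path to the proxy.
    ipt -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -p tcp -d "$PROXY_IP" --dport "$PROXY_PORT" \
        -m state --state NEW -j ACCEPT
    # Without a proxy, allow the mirror directly instead (the rule I.R. van
    # Dongen suggested, with the address filled in).
    if [ -n "$MIRROR_IP" ]; then
        ipt -A OUTPUT -p tcp -d "$MIRROR_IP" --dport 80 -m state --state NEW -j ACCEPT
    fi

    # Log what the policy is about to drop, rate-limited, so a hanging
    # apt-get can be diagnosed from the kernel log instead of guessed at.
    ipt -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "ipt-drop-in: "
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "ipt-drop-out: "
}

load_ftp_helper
build_rules
```

Two caveats when reusing this on a current kernel: `-m state --state` is still accepted by iptables as an alias for `-m conntrack --ctstate`, but since Linux 4.7 automatic helper assignment is off by default (`nf_conntrack_helper=0`), so loading nf_conntrack_ftp is not enough on its own; the helper has to be attached to the control connection with a rule in the raw table such as `iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp`. Without that, the active-mode data SYN is not RELATED and is dropped by the INPUT policy, exactly the symptom the thread describes.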


