Daniel Pittman wrote: > ... >>Am i right in understanding that you consider accepting >>RELATED/ESTABLISHED packets a bad thing? > > > No. Accepting *any* RELATED/ESTABLISHED packets is, though, if someone > finds an attack to generate entries in the conntrack table. Like, say, > the active FTP NAT PORT bug from quite some time ago, which would allow > remote attackers to do just that. :) > > Limiting the RELATED/ESTABLISHED packets to what you actually expect > (part of an established connection to a service you actually use) is a > more secure policy. I mustn't be understanding you here. Isn't the very definition of RELATED/ESTABLISHED that the packet is part of an established connection to a service actually used? How would you expect a RELATED/ESTABLISHED rule to be used, and how does this contrast with the way that shorewall or the OP's script works (i'm not sure which one you're inferring is not using RELATED/ESTABLISHED in the preferred way)? -- Paul <http://paulgear.webhop.net> -- Did you know? If you use two dashes followed by a space as your signature separator, good email programs will chop them off automatically, reducing noise in email replies.
Description: OpenPGP digital signature