On 5 Jul 2005, Eloi Granado wrote:
> On Sunday, 3 July 2005 23:24, Paul Gear wrote:
>> Daniel Pittman wrote:
>>> It also tends to encourage "shortcuts" in the firewall, like accepting
>>> any RELATED/ESTABLISHED packets,
>> Am i right in understanding that you consider accepting
>> RELATED/ESTABLISHED packets a bad thing?
> It simplifies the deployment of handcrafted firewalls, but it can strike back
> when you want to control certain things. Especially when allowing R/E packets
> is the first thing you do.
> For example, time dependent rules like "allow navigation/ftp from 14 to 16
> hours" translate into allowing NEW connections like "allow new ftp
> connections from 14 to 16, and let them stay open for ever". Obviously,
> that's not what you probably meant when writing those time based
Hrm. There you go: a problem I hadn't considered for the blanket
accept all R/E.
> So, probably, the best way to go is allowing the R/E packets alongside their
> "new state" counterparts. It also clarifies where the packets are accepted
> and WHY. Also, "iptables -v" should be a lot more useful than before.
That was my point, basically. Thanks for actually saying it in a clear
and comprehensible fashion.
He uses hate as a weapon to defend himself; had he been strong,
he would never have needed that kind of weapon.
-- Kahlil Gibran
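The two rule layouts the thread compares, as an added example that is not part of the original messages: a router filtering its FORWARD chain between a LAN and the outside, once with the blanket RELATED/ESTABLISHED accept placed first, and once with each accept rule naming NEW alongside its R/E counterpart so the time window is enforced on every packet. The LAN prefix, interface name, FTP helper binding and the UTC clock are assumptions for the illustration; the functions only print the iptables commands, so the script runs without iptables installed.

```shell
#!/bin/sh
# Added example, not code from the thread.  Assumed: LAN is 192.168.1.0/24
# behind eth1, the kernel has xt_time, xt_conntrack and nf_conntrack_ftp,
# and the clock the time match compares against is UTC (xt_time uses UTC
# unless --kerneltz is given).  Nothing here runs iptables; each function
# prints a ruleset, which can be reviewed and then piped into sh.

LAN_NET=${LAN_NET:-192.168.1.0/24}
LAN_IF=${LAN_IF:-eth1}
WINDOW="-m time --timestart 14:00 --timestop 16:00"

# Recent kernels no longer attach conntrack helpers automatically
# (net.netfilter.nf_conntrack_helper=0), so bind the ftp helper explicitly
# to outbound control connections in the raw table.  Used by both rulesets.
ftp_helper_binding() {
    cat <<EOF
iptables -t raw -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 21 -j CT --helper ftp
EOF
}

# The "shortcut": accept every R/E packet first, then gate only NEW
# connections by time.  A control session opened at 15:59, and every data
# connection it spawns, keeps being accepted after 16:00, because those
# packets match the first rule and never reach the time-limited one.
blanket_ruleset() {
    ftp_helper_binding
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 21 -m conntrack --ctstate NEW $WINDOW -j ACCEPT
EOF
}

# What the thread recommends: each accept rule carries NEW together with
# its R/E counterpart, so every rule states what traffic it is for, the
# time match is evaluated for every packet (a session is cut off at 16:00
# rather than living for ever), and "iptables -v -L FORWARD" shows one
# counter per purpose instead of a single R/E counter.
paired_ruleset() {
    ftp_helper_binding
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
# FTP control, LAN -> outside, plus the replies coming back.  On a router
# both directions traverse FORWARD, so the return path needs its own rule.
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED $WINDOW -j ACCEPT
iptables -A FORWARD -o $LAN_IF -d $LAN_NET -p tcp --sport 21 -m conntrack --ctstate ESTABLISHED $WINDOW -j ACCEPT
# FTP data connections (active or passive): only those the ftp helper tied
# to a control session, and still only inside the window.
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp $WINDOW -j ACCEPT
EOF
}

case "${1:-}" in
    blanket) blanket_ruleset ;;
    paired)  paired_ruleset ;;
    *)
        echo "### blanket R/E accept first (time limit applies to NEW only)"
        blanket_ruleset
        echo
        echo "### R/E paired with NEW (time limit applies to every packet)"
        paired_ruleset
        ;;
esac
```

Run it with no argument to see both rulesets side by side, or `sh script.sh paired | sh` to apply the second one. Note the trade-off the paired form makes explicit: once 16:00 passes, packets of an open session are dropped mid-transfer and the client sees a stalled connection until TCP gives up, which is exactly the "don't let them stay open for ever" behaviour the time rule was written for.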