On 5 Jul 2005, Paul Gear wrote:
> Daniel Pittman wrote:
>>> So, probably, the best way to go is allowing the R/E packets alongside their
>>> "new state" counterparts. It also clarifies where the packets are accepted
>>> and WHY. Also, "iptables -v" should be a lot more useful than before.
>> That was my point, basically. Thanks for actually saying it in a clear
>> and comprehensible fashion.
> Daniel, would you mind showing me an example of what you think is a
> wise/correct/whatever use of R/E rules?
Sure, no problem. What I am talking about is something like this set of
rules generated by firehol, to allow inbound http to the current
/sbin/iptables -t filter -A in_world_http_s1 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_world_http_s1 -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Note that for both directions firehol specifies the protocol and ports
that are valid. That, basically, is the restriction that I am talking
> The reason I'm trying to work through all of this is that I'm a
> Shorewall developer and would like to make sure it works in a way that
> makes security sense to other firewall users.
Sure. I am very glad to see y'all taking such an active interest in the
security of your package. It confirms my feeling that Shorewall is one
of the better options for Linux firewall management out there.
Most people's C programs should be indented
six feet downward and covered with dirt.
-- Blair P. Houghton
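As an added illustration of the point made above (this is not code from the thread, firehol or Shorewall), the following Python model evaluates iptables-style rules the way a chain does, first match wins, and contrasts the port-scoped NEW/ESTABLISHED pair quoted in the message with a blanket ESTABLISHED,RELATED accept. The packets, their conntrack states and the chain names are constructed for the example.

```python
# Added example: a tiny model of iptables chain matching, used to compare
# the firehol-style port-scoped rules from the message with a blanket
# "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    state: str  # conntrack label the kernel would attach (NEW, ESTABLISHED, RELATED)

@dataclass(frozen=True)
class Rule:
    proto: Optional[str]                 # None = any protocol
    sport: Optional[Tuple[int, int]]     # inclusive range, None = any
    dport: Optional[Tuple[int, int]]
    states: frozenset
    target: str

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport[0] <= p.sport <= self.sport[1])
                and (self.dport is None or self.dport[0] <= p.dport <= self.dport[1])
                and p.state in self.states)

def verdict(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule decides, as in an iptables chain; otherwise the policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

# The two rules quoted in the message, as generated by firehol for inbound http.
IN_WORLD_HTTP = [Rule("tcp", (1024, 65535), (80, 80), frozenset({"NEW", "ESTABLISHED"}), "ACCEPT")]
OUT_WORLD_HTTP = [Rule("tcp", (80, 80), (1024, 65535), frozenset({"ESTABLISHED"}), "ACCEPT")]
# The unscoped alternative: accept anything conntrack calls ESTABLISHED or RELATED.
BLANKET_OUT = [Rule(None, None, None, frozenset({"ESTABLISHED", "RELATED"}), "ACCEPT")]

# Constructed sample traffic (not captured data).
HTTP_REQUEST = Packet("tcp", 40000, 80, "NEW")        # client opening a connection
HTTP_REPLY = Packet("tcp", 80, 40000, "ESTABLISHED")  # the server's reply to it
OTHER_REPLY = Packet("udp", 53, 40000, "ESTABLISHED")  # tracked, but not http traffic

if __name__ == "__main__":
    for name, chain, pkt in [("in/http", IN_WORLD_HTTP, HTTP_REQUEST),
                             ("out/http", OUT_WORLD_HTTP, HTTP_REPLY),
                             ("out/http", OUT_WORLD_HTTP, OTHER_REPLY),
                             ("out/blanket", BLANKET_OUT, OTHER_REPLY)]:
        print(f"{name:12} {pkt.proto} {pkt.sport}->{pkt.dport} {pkt.state}: {verdict(chain, pkt)}")
```

Only the scoped chain rejects the tracked non-http packet, and because each service has its own pair of rules, the per-rule counters shown by "iptables -v" tell you which service the accepted traffic belonged to.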