[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Firewall-troubleshooting

On Tue, Jul 05, 2005 at 10:00:53PM +1000, Daniel Pittman wrote:
/sbin/iptables -t filter -A in_world_http_s1 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT /sbin/iptables -t filter -A out_world_http_s1 -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

IMHO, this is fairly redundant (and inefficient) unless you don't trust
your firewall. (And in that case, why use it?) The examples of things
that might require additional checking (e.g., ftp data connection) are
arguably valid valid, but those are *RELATED* sessions, not
*ESTABLISHED* sessions. If you're going to do something like the above
you're better off just unloading the state module and setting up port
filters (which is effectively what you're doing).

Mike Stone

Reply to: