Re: Firewall-troubleshooting

To: debian-security@lists.debian.org
Subject: Re: Firewall-troubleshooting
From: Michael Stone <mstone@debian.org>
Date: Tue, 05 Jul 2005 08:11:57 -0400
Message-id: <[🔎] 20050705121157.GS9591@mathom.us>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 87mzp1h37u.fsf@enki.rimspace.net>
References: <[🔎] 42C6FD25.20507@gmail.com> <[🔎] 87zmt4p4ry.fsf@enki.rimspace.net> <[🔎] da9l34$2k4$1@sea.gmane.org> <[🔎] 200507041645.48944.eloi.granado@millorsoft.net> <[🔎] 87ll4mjckl.fsf@enki.rimspace.net> <[🔎] dadng7$b3b$1@sea.gmane.org> <[🔎] 87mzp1h37u.fsf@enki.rimspace.net>

On Tue, Jul 05, 2005 at 10:00:53PM +1000, Daniel Pittman wrote:

/sbin/iptables -t filter -A in_world_http_s1 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT/sbin/iptables -t filter -A out_world_http_s1 -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT


IMHO, this is fairly redundant (and inefficient) unless you don't trust
your firewall. (And in that case, why use it?) The examples of things
that might require additional checking (e.g., ftp data connection) are
arguably valid valid, but those are *RELATED* sessions, not
*ESTABLISHED* sessions. If you're going to do something like the above
you're better off just unloading the state module and setting up port
filters (which is effectively what you're doing).

Mike Stone

Reply to:

Follow-Ups:
- Re: Firewall-troubleshooting
  - From: Daniel Pittman <daniel@rimspace.net>
- Re: Firewall-troubleshooting
  - From: Eloi Granado <eloi.granado@millorsoft.net>

References:
- Firewall-troubleshooting
  - From: KC <sedebian@gmail.com>
- Re: Firewall-troubleshooting
  - From: Daniel Pittman <daniel@rimspace.net>
- Re: Firewall-troubleshooting
  - From: Paul Gear <paul@gear.dyndns.org>
- Re: Firewall-troubleshooting
  - From: Eloi Granado <eloi.granado@millorsoft.net>
- Re: Firewall-troubleshooting
  - From: Daniel Pittman <daniel@rimspace.net>
- Re: Firewall-troubleshooting
  - From: Paul Gear <paul@gear.dyndns.org>
- Re: Firewall-troubleshooting
  - From: Daniel Pittman <daniel@rimspace.net>

Prev by Date: Re: Firewall-troubleshooting
Next by Date: Re: Firewall-troubleshooting
Previous by thread: Re: Firewall-troubleshooting
Next by thread: Re: Firewall-troubleshooting
Index(es):
- Date
- Thread