On Tue, Jul 05, 2005 at 11:57:37PM +1000, Daniel Pittman wrote:
As to trusting the firewall, or not, there has been at least one bug
where attackers could manipulate the content of the conntrack expect
table remotely. Other bugs, local or remote, are not out of the
No they're not. But if you cripple the firewall and rules to the extent
you're doing you might as well just not use connection tracking. You've
effectively turned the rules into stateless port filters anyway.