Re: Firewall-troubleshooting



On 5 Jul 2005, Eloi Granado wrote:
> On Sunday, 3 de July de 2005 23:24, Paul Gear wrote:
>> Daniel Pittman wrote:
>>> It also tends to encourage "shortcuts" in the firewall, like accepting
>>> any RELATED/ESTABLISHED packets,
>>
>> Am i right in understanding that you consider accepting
>> RELATED/ESTABLISHED packets a bad thing?
>
> It simplifies the deployment of handcrafted firewalls, but it can strike back
> when you want to control certain things. Especially when allowing R/E packets
> is the first thing you do.
>
> For example, time dependent rules like "allow navigation/ftp from 14 to 16
> hours" translate into allowing NEW connections like "allow new ftp
> connections from 14 to 16, and let them stay open for ever". Obviously,
> that's not what you probably meant when writing those time based
> rules.

Hrm.  There you go:  a problem I hadn't considered for the blanket
accept all R/E.

[...]

> So, probably, the best way to go is allowing the R/E packets alongside their
> "new state" counterparts. It also clarifies where the packets are accepted
> and WHY. Also, "iptables -v" should be a lot more useful than before.

That was my point, basically. Thanks for actually saying it in a clear
and comprehensible fashion.

	Daniel

-- 
He uses hate as a weapon to defend himself; had he been strong,
he would never have needed that kind of weapon.
        -- Kahlil Gibran
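As an added illustration of the two layouts discussed in the thread (example code, not anything posted by Eloi or Daniel), the script below emits both FORWARD-chain rulesets in iptables-restore format, so they can be compared or loaded with `iptables-restore` without touching a live firewall. It assumes the modern `conntrack`, `time` and `helper` matches, an nf_conntrack_ftp helper loaded for the data channel, and a 14:00-16:00 window given in UTC (add `--kerneltz` to the time matches for local time).

```bash
#!/bin/sh
# Constructed rulesets contrasting "blanket R/E first" with "R/E beside its NEW rule".
# Window 14:00-16:00 is interpreted in UTC by xt_time unless --kerneltz is given.

# Variant A: blanket RELATED/ESTABLISHED accept at the top. A session admitted by the
# NEW rule at 15:59 keeps matching rule 1 at any hour, so it effectively never closes.
blanket_ruleset() {
    cat <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp --dport 21 -m conntrack --ctstate NEW -m time --timestart 14:00 --timestop 16:00 -j ACCEPT
COMMIT
EOF
}

# Variant B: R/E accepted alongside the NEW rule, under the same time window.
# --ctorigdstport 21 covers both directions of the control connection; the helper
# match covers the ftp data channel (RELATED on open, ESTABLISHED afterwards).
# At 16:00 the session's packets stop matching and fall through to the DROP policy,
# and `iptables -v` now shows FTP traffic on its own counters instead of one blob.
per_service_ruleset() {
    cat <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -p tcp --dport 21 -m conntrack --ctstate NEW -m time --timestart 14:00 --timestop 16:00 -j ACCEPT
-A FORWARD -p tcp -m conntrack --ctstate ESTABLISHED --ctorigdstport 21 -m time --timestart 14:00 --timestop 16:00 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -m time --timestart 14:00 --timestop 16:00 -j ACCEPT
COMMIT
EOF
}

# Audit helper: count rules that accept RELATED/ESTABLISHED state with no time match.
# Such a rule is exactly the "stays open for ever" shortcut; the per-service layout
# should yield 0. Takes the name of a ruleset function as its argument.
count_untimed_state_rules() {
    "$1" | grep -E -- '--ctstate [A-Z,]*(RELATED|ESTABLISHED)' | grep -vc -- '-m time' || true
}

# Stand-alone run: print the audit result for both variants.
echo "blanket:     $(count_untimed_state_rules blanket_ruleset) untimed R/E rule(s)"
echo "per-service: $(count_untimed_state_rules per_service_ruleset) untimed R/E rule(s)"
```

Either ruleset can be applied with `per_service_ruleset | iptables-restore` (as root), and the audit function can be pointed at `iptables-save` output in the same way.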
