On Tue, Jul 05, 2005 at 11:57:37PM +1000, Daniel Pittman wrote:
As to trusting the firewall, or not, there has been at least one bug where attackers could manipulate the content of the conntrack expect table remotely. Other bugs, local or remote, are not out of the question.
No they're not. But if you cripple the firewall and rules to the extent you're doing you might as well just not use connection tracking. You've effectively turned the rules into stateless port filters anyway. Mike Stone