Re: firewall critique

To: Zachary Uram <netrek@gmail.com>
Cc: Debian Firewall User List <debian-firewall@lists.debian.org>, Debian Security User List <debian-security@lists.debian.org>
Subject: Re: firewall critique
From: Florian Weimer <fw@deneb.enyo.de>
Date: Thu, 07 May 2009 20:45:32 +0200
Message-id: <[🔎] 87bpq4ah0z.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] ecfa260c0905061828q64113a18s527cd27f2ee9a5da@mail.gmail.com> (Zachary Uram's message of "Wed, 6 May 2009 21:28:29 -0400")
References: <[🔎] ecfa260c0905061828q64113a18s527cd27f2ee9a5da@mail.gmail.com>

* Zachary Uram:

> iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

You should restrict RELATED to ICMP.  For TCP and UDP, RELATED can
open up your internal network to the outside world (depending on what
firewall helpers you have loaded).

Reply to:

References:
- firewall critique
  - From: Zachary Uram <netrek@gmail.com>

Prev by Date: [SEC#MXE-2kFJA-894] [SECURITY] [DSA 1786-1] New acpid packages fix denial of service
Next by Date: Re: [SECURITY] [DSA 1789-1] New php5 packages fix several vulnerabilities
Previous by thread: Re: firewall critique
Next by thread: Re: [SECURITY] [DSA 1794-1] New Linux 2.6.18 packages fix several vulnerabilities
Index(es):
- Date
- Thread