
Re: How to tell if a Linux machine is a zombie?



On Wed, Jan 10, 2007 at 11:23:29AM -0800, Paul Johnson wrote:
> Douglas Tutty wrote:
> 
> > On Tue, Jan 09, 2007 at 11:23:56AM -0800, Paul Johnson wrote:
> >
> >> Douglas Tutty wrote:
> >>
> >> > I use shorewall with default block everything all directions then open
> >> > things up as needed.
> >> 
> >> I bet you have a rule someplace that allows outgoing traffic that's part
> >> of an existing connection.
> > 
> > Not that I specifically put in.  I __think__ that's part of the
> > netfilter stuff directly. I just checked my shorewall configs and 
> > there's nothing there allowing anything from the net and very specific
> > stuff out.
> 
> I think shorewall assumes that you don't really want to block /all/ outbound
> traffic and does the right thing, then.
 
Before you assume this, you should check the netfilter docs.  If by
default I block all outgoing and incoming connections then there's no
way to establish an 'existing' connection in the first place.  If I
allow outgoing http requests then the data is allowed back in without me
opening the http port to allow incoming requests.  That's the heart of
netfilter.

Doug.
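
The stateful behaviour both posters are describing can be modelled in a few lines. The following is an added example, not shorewall's or netfilter's own code: a toy connection-tracking filter with the policy from the thread (default DROP in both directions, NEW connections allowed only outbound to port 80, anything belonging to an already-tracked flow accepted). All addresses and ports in the trace are constructed, and the equivalent iptables rules in the comments are an assumption about how such a policy would be written, not taken from Doug's configuration.

```python
"""Toy model of netfilter stateful filtering with a default-DROP policy.

Rough iptables equivalent (assumed, not from the original thread):
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = OUTPUT chain, "in" = INPUT chain
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    def __init__(self, allowed_new_out_ports=(80,)):
        self.allowed_new_out_ports = set(allowed_new_out_ports)
        # conntrack table keyed as (local_ip, local_port, remote_ip, remote_port)
        self.conntrack = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        else:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # ESTABLISHED: packet belongs to a flow we have already seen, either way.
        if key in self.conntrack:
            return "ACCEPT"
        # NEW: only the OUTPUT chain may open a flow, and only to allowed ports.
        # Nothing inbound can ever become "existing" on its own.
        if pkt.direction == "out" and pkt.dport in self.allowed_new_out_ports:
            self.conntrack.add(key)
            return "ACCEPT"
        return "DROP"


def run_trace():
    fw = StatefulFirewall()
    trace = [  # constructed packets; 10.0.0.2 is the local host
        ("client SYN to web server", Packet("out", "10.0.0.2", 40000, "203.0.113.5", 80)),
        ("server SYN/ACK reply", Packet("in", "203.0.113.5", 80, "10.0.0.2", 40000)),
        ("unsolicited SYN to our port 80", Packet("in", "198.51.100.9", 5555, "10.0.0.2", 80)),
        ("client SYN to SMTP (not allowed out)", Packet("out", "10.0.0.2", 40001, "203.0.113.5", 25)),
        ("reply to the blocked SMTP attempt", Packet("in", "203.0.113.5", 25, "10.0.0.2", 40001)),
    ]
    return [(label, fw.filter(p)) for label, p in trace]
```

Running `run_trace()` shows the reply to the outbound web request accepted while the inbound connection attempt to the same port, and all traffic of a flow that was never allowed out, is dropped.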


