Re: How to tell if a Linux machine is a zombie?
On Wed, Jan 10, 2007 at 11:23:29AM -0800, Paul Johnson wrote:
> Douglas Tutty wrote:
>
> > On Tue, Jan 09, 2007 at 11:23:56AM -0800, Paul Johnson wrote:
> >
> >> Douglas Tutty wrote:
> >>
> >> > I use shorewall with default block everything all directions then open
> >> > things up as needed.
> >>
> >> I bet you have a rule someplace that allows outgoing traffic that's part
> >> of an existing connection.
> >
> > Not that I specifically put in. I __think__ that's part of the
> > netfilter stuff directly. I just checked my shorewall configs and
> > there's nothing there allowing anything from the net and very specific
> > stuff out.
>
> I think shorewall assumes that you don't really want to block /all/ outbound
> traffic and does the right thing, then.
Before you assume this, you should check the netfilter docs. If by
default I block all outgoing and incoming connections then there's no
way to establish an 'existing' connection in the first place. If I
allow outgoing http requests then the data is allowed back in without me
opening the http port to allow incoming requests. That's the heart of
netfilter.
Doug.
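The ruleset Doug describes, written out as an added example (this is not from the thread and not what shorewall generates; shorewall of that era emitted the equivalent `-m state --state` form). Every chain defaults to DROP, no INPUT rule ever opens port 80, and HTTP replies still get in because the conntrack ESTABLISHED,RELATED rule matches them. The interface name `eth0`, the `WAN_IF` variable and the choice of permitted outbound ports (DNS, HTTP, HTTPS) are assumptions for illustration:

```shell
#!/bin/sh
# Added example: a default-deny netfilter ruleset in iptables-restore format
# that relies on connection tracking to let return traffic back in.
# Not from the original thread; not shorewall's own output.
# WAN_IF/eth0 and the allowed outbound ports are assumptions.

WAN_IF="${WAN_IF:-eth0}"

# Emit the ruleset on stdout (feed it to iptables-restore).
gen_ruleset() {
cat <<EOF
*filter
# Default policies: nothing in, out or forwarded unless a rule says so.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is needed by almost everything running locally.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets conntrack cannot tie to any known connection are dropped early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The stateful rule. A packet that belongs to a connection conntrack has
# already seen (ESTABLISHED), or is tied to one such as an ICMP error
# (RELATED), is accepted in both directions. This is what lets the reply
# to an outbound HTTP request in without opening port 80 to the world.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only these NEW connections may leave via the WAN interface (assumed list).
-A OUTPUT -o $WAN_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Deliberately absent: any "-A INPUT ... --dport 80 ... -j ACCEPT". An
# unsolicited inbound SYN to port 80 is state NEW, matches no rule, and
# falls through to the INPUT DROP policy.
COMMIT
EOF
}

# Sanity check: how many INPUT rules would accept a NEW connection?
# For a host that only makes outbound connections this must print 0.
count_inbound_new_accepts() {
    gen_ruleset | grep -c -- '^-A INPUT .*--ctstate NEW.*-j ACCEPT' || true
}

# Sanity check: is the stateful rule present on the INPUT chain at all?
# Without it the policy below would also eat every reply packet.
has_input_state_rule() {
    gen_ruleset | grep -q -- '^-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# Does a given chain default to DROP? Usage: chain_policy_is_drop INPUT
chain_policy_is_drop() {
    gen_ruleset | grep -q -- "^:$1 DROP"
}

if [ "${1:-}" = "show" ]; then
    gen_ruleset
fi
```

To load it, run `gen_ruleset > /etc/iptables/rules.v4` (or pipe it straight into `iptables-restore`) as root; `iptables-restore --test` parses the file without committing it, which is a cheap way to catch syntax errors before locking yourself out of a remote box. The two check functions encode the point of the thread: the ruleset is only safe if the INPUT chain accepts nothing NEW, and it only works if the ESTABLISHED,RELATED rule is there to let the replies back in.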