
Re: easiest way to shut down all network services besides ssh?



Reco <recoverym4n@gmail.com> writes:

<snip, I agree completely>
>> The
>> RELATED,ESTABLISHED rule is only for stupid protocols like FTP, that
>> like to open new outbound connections in response to inbound requests.
>
> Not quite true. You forgot to take into account good old DNS, for
> example. Now, sure, DNS *is* stupid, but sshd relies on it to some
> extent. Or, say, NTP, which is UDP-based too.
>
Yah, I never run into that because I usually do this on my laptop, and
that has a local instance of bind running a slave of my own private zone
and a caching resolver. Slaving runs over an OpenVPN link using TCP, so
I can get by with an outbound ACCEPT policy.

But yeah, the most comprehensive policy runs a conntrack for related and
established outbound connections.

Mart

-- 
"We will need a longer wall when the revolution comes."
    --- AJS, quoting an uncertain source.
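A ruleset in the shape Mart's last paragraph describes, as an added example that is not code posted in this thread: INPUT defaults to DROP, only sshd on tcp/22 accepts new connections, and conntrack lets the replies to the host's own DNS and NTP queries (UDP flows included) back in, which is why the RELATED,ESTABLISHED rule is not just for FTP. It assumes IPv4 only, sshd on port 22, and iptables-restore on the box; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset that
# leaves only sshd reachable while keeping outbound DNS/NTP usable.
# Assumptions: IPv4, sshd on tcp/22, iptables-restore present when applying.

ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: a local caching resolver or bind slave talks over 127.0.0.1.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened. conntrack tracks UDP "flows"
# too, so DNS and NTP answers match here. Without this line a DROP policy
# on INPUT discards those answers even though OUTPUT is ACCEPT.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot place in any flow (stray ACKs, bogus state).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The one service kept: ssh. Only NEW connections need their own rule.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# ICMP errors keep path MTU discovery and "host unreachable" working.
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Offline sanity check: the conntrack accept, the ssh accept and the DROP
# default must all be present before this is worth loading on a live host.
check_ruleset() {
    ruleset | grep -q -- '--ctstate RELATED,ESTABLISHED -j ACCEPT' || return 1
    ruleset | grep -q -- '-p tcp --dport 22 .*-j ACCEPT' || return 1
    ruleset | grep -q '^:INPUT DROP' || return 1
    return 0
}

# Apply only on request, and test-load first (-t) so a syntax error cannot
# leave the machine half-configured and cut off the ssh session in use.
if [ "${1:-}" = "--apply" ]; then
    check_ruleset && ruleset | iptables-restore -t && ruleset | iptables-restore
fi
```

Run it with no arguments to print nothing and just define the functions, or with `--apply` as root to load the rules.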
