On Fri, Feb 28, 2014 at 3:52 PM, Chuck Anderson <[email protected]> wrote:
> On Fri, Feb 28, 2014 at 12:14:30PM -0500, John P. Rouillard wrote:
> > I have not seen this, but you could simplify the rule and remove
> >
> >   "-m state --state NEW"
> >
> > for testing to see if the problem goes away. That should eliminate any
> > issues with the state setup and allow all ldap traffic to pass
> > through.
>
> I vote for this as a permanent solution. Why would you want netfilter
> to track state on inbound connections to a server in most cases? Are
> you also filtering outbound replies or do you have a default-allow
> outbound ruleset?
>

Agreed there. I don't think we do care about state for a lot of the applications we run. They're locked down to a particular set of hosts that we trust. With a default policy of rejecting packets, we do, however, need a way to allow return traffic, and with a firewall, allowing all established/related traffic is important. Gotta be stateful for that.

It's been a while since we've looked deeply at how we manage our host-based firewalls (if it doesn't break, it doesn't always get attention), so this is a good opportunity to question ourselves.

John
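As an added example (not code from the thread or from either poster), here is a POSIX sh script that emits the kind of host-based iptables ruleset the discussion describes: a default-deny INPUT policy, an ESTABLISHED,RELATED accept so return traffic for the host's own connections still gets in, and per-trusted-host LDAP accepts written either with `-m state --state NEW` (the original form) or without it (what the thread proposes). The trusted client addresses, the LDAP ports 389/636, and the default-allow OUTPUT policy are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the list's or the posters' configuration.
# Emits (or applies) a host firewall for an LDAP server that only a small,
# trusted set of clients may reach. Addresses are constructed (TEST-NET-1).

IPT="${IPT:-iptables}"            # set IPT="echo iptables" to dry-run
TRUSTED="${TRUSTED:-192.0.2.10 192.0.2.11}"   # assumed trusted LDAP clients
LDAP_PORTS="389 636"              # assumed: plain LDAP and LDAPS

# emit_ruleset <with_new_state>
#   1: per-host LDAP accepts carry "-m state --state NEW" (original rule form)
#   0: per-host LDAP accepts match regardless of conntrack state (thread's proposal)
# Prints one iptables command per line; nothing is executed here.
emit_ruleset() {
    with_new="$1"
    # Default-deny inbound; outbound is default-allow (assumption, answering
    # the "default-allow outbound ruleset?" question in the thread).
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT ACCEPT"
    echo "$IPT -F INPUT"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    # This single stateful rule is what lets replies to the host's own
    # outbound connections back in under a DROP policy; it stays in both forms.
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for h in $TRUSTED; do
        for p in $LDAP_PORTS; do
            if [ "$with_new" = 1 ]; then
                echo "$IPT -A INPUT -p tcp -s $h --dport $p -m state --state NEW -j ACCEPT"
            else
                # No state match: a packet from a trusted host to the LDAP port
                # is accepted even if conntrack classifies it oddly.
                echo "$IPT -A INPUT -p tcp -s $h --dport $p -j ACCEPT"
            fi
        done
    done
    # Explicit reject at the end so clients get a clean refusal rather than a
    # timeout; everything else falls through to the DROP policy anyway.
    echo "$IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable"
}

# apply_ruleset <with_new_state>: run the emitted commands, stopping on error.
apply_ruleset() {
    emit_ruleset "$1" | sh -e
}

# usage: ./ldap-fw.sh show 0   (print the stateless-LDAP variant)
#        ./ldap-fw.sh apply 1  (apply the original --state NEW variant)
case "${1:-}" in
    show)  emit_ruleset "${2:-0}" ;;
    apply) apply_ruleset "${2:-0}" ;;
esac
```

Run `IPT="echo iptables" ./ldap-fw.sh apply 0` first to see exactly what would be applied; the only difference between the two variants is the `-m state --state NEW` clause on the per-host LDAP rules, while the ESTABLISHED,RELATED rule keeps the host stateful for its own return traffic in both.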
_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
