Am 16.10.20 um 11:34 schrieb Michael De Roover:
Interesting article, thanks for sharing this! I'm slightly confused
about some things in it though. Does this mean that any traffic will be
put on the connection tracker and be treated as stateful unless we use
CT --notrack, or can the kernel make a heuristic based on what's in the
iptables rule (i.e. if it only covers a port or a network range, it
must be stateless)
conntrack is *always* part of the game unless you set "notrck" in the
raw-table which is the only stateless one
raw -> mangle -> filter
at the point conntrack steps in the filter-table with your normal rules
is not part of the game at all
https://stuffphilwrites.com/wp-content/uploads/2014/09/FW-IDS-iptables-Flowchart-v2019-04-30-1.png
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
