On Monday 17 December 2001 08.57, Jin Hong wrote:
> iptables -F FORWARD
> iptables -P FORWARD DROP
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Then, I have a simple setup, where
> 1) my inside users can do anything, including active ftp
> 2) and nothing initiated from the outside (except for ftp data
>    connection and some ICMP packets) is allowed. ( even e-mail
>    can't come in )
>
> Correct?

Correct. The only thing missing now is traffic to/from the local machine. For a 
start, there may be RELATED packets generated by the firewall, and you should 
allow these as well. A simple way to do this is to ignore the interfaces on 
the ESTABLISHED,RELATED rule.

> I'll just memorize that "ESTABLISHED" requires "RELATED".
>
> What about the other way around?
> Does "RELATED" need "ESTABLISHED"?

If you want to support helper connections, yes.

> iptables -F FORWARD
> iptables -P FORWARD DROP
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -p tcp ! --syn --sport 1024: --dport 1024: -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -p tcp -m state --state RELATED -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -p tcp ! --syn --sport ftp-data --dport 1024: -j ACCEPT

Why resort to stupid packet filtering when you have connection tracking in 
netfilter?

Your rule set will let through a lot more stuff than the connection-based 
filters. For example, a number of scanning methods are now allowed, letting 
your network be probed for which stations are up/down, running X or other 
services on "high" ports, etc.

> Notice that I don't have "ESTABLISHED" in the 5th line.
> Then I would guess that
> line 4 allows passive ftp,
> line 5 allows the syn packet for active ftp, and
> line 6 allows the rest of active ftp to continue.
>
> Is line 6 unnecessary?

Yes, if you don't want to use the much smarter conntrack.

Also, your "proposed ruleset" does not allow established FTP control channel 
or HTTP traffic or any other traffic where the server runs on a low port, so 
I don't think your users will be very happy. (line 4 only allows high source 
ports)

> Does "RELATED" match related "new" connections,
> or all subsequent packets in the (established) related connection?

Similar to "new", when there is such a concept for the related traffic.

Regards
Henrik
_______________________________________________
Bridge mailing list
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
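As an added example, not part of the thread and not Henrik's or Jin Hong's own script, here is the stateful ruleset the reply argues for: the FORWARD chain with the ESTABLISHED,RELATED rule stripped of its interface match, the FTP conntrack helper loaded so active and passive FTP data connections show up as RELATED, and the INPUT/OUTPUT chains for the firewall's own traffic that the reply says are still missing. Interface names (eth0 outside, eth1 inside) and the rule that lets only the inside network open new connections to the firewall are assumptions. With DRY_RUN=1 (the default) the script prints the commands instead of running them, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not the original poster's rules. Assumptions: eth0 faces the
# outside, eth1 the inside network. DRY_RUN=1 prints the commands; run with
# DRY_RUN=0 as root to apply them.

OUT_IF="${OUT_IF:-eth0}"
IN_IF="${IN_IF:-eth1}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # The FTP helper is what makes an FTP data connection (active or passive)
    # match RELATED. It was ip_conntrack_ftp on the 2.4 kernels of the time,
    # nf_conntrack_ftp today.
    run modprobe nf_conntrack_ftp

    # Forwarded traffic: default deny.
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    # Inside hosts may open anything towards the outside.
    run iptables -A FORWARD -i "$IN_IF" -o "$OUT_IF" -j ACCEPT
    # Replies and helper-tracked connections in either direction. No -i/-o
    # here, so the rule also covers RELATED traffic (ICMP errors for tracked
    # connections included) regardless of which interface it arrives on.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything that arrives from the outside as NEW falls through to the
    # DROP policy: no inbound mail, no probing of "high" ports on inside hosts.

    # Traffic to the firewall itself: the same pattern on INPUT.
    run iptables -F INPUT
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Assumption: only the inside network may open new connections to the
    # firewall (administration); nothing NEW from the outside.
    run iptables -A INPUT -i "$IN_IF" -m state --state NEW -j ACCEPT

    # The firewall's own outgoing traffic is allowed; its replies come back
    # through the ESTABLISHED,RELATED rule on INPUT.
    run iptables -P OUTPUT ACCEPT
}

# Print the generated ruleset without applying it (subshell body, so the
# DRY_RUN override does not leak out).
print_rules() (
    DRY_RUN=1
    apply_rules
)

# Succeeds if the generated ruleset contains no stateless ACCEPT from the
# outside interface towards the inside, i.e. nothing like line 4 of the
# "proposed" ruleset from the thread.
check_no_stateless_inbound() {
    ! print_rules | grep -- "-i $OUT_IF -o $IN_IF" | grep -v -- '--state' | grep -q ACCEPT
}

apply_rules
```

Run as-is to review the commands; run with DRY_RUN=0 as root to load them. The ESTABLISHED,RELATED rule without an interface match is what lets the firewall's own helper-tracked traffic and ICMP errors through, which is the gap the reply points out in the first ruleset.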