> Message: 8
> From: Henrik Nordstrom <[EMAIL PROTECTED]>
> Organization: MARA Systems AB
> To: Jin Hong <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: [Bridge] conn-track ESTABLISHED matching everything
> Date: Mon, 17 Dec 2001 09:37:05 +0100
>
> On Monday 17 December 2001 08.57, Jin Hong wrote:
> > iptables -F FORWARD
> > iptables -P FORWARD DROP
> > iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> > iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > Then, I have a simple setup, where
> > 1) my inside users can do anything, including active ftp
> > 2) and nothing initiated from the outside (except for ftp data
> > connection and some ICMP packets) is allowed. (even e-mail
> > can't come in)
> >
> > Correct?
>
> Correct. Only thing missing now is traffic to/from the local machine. For a
> start, there may be RELATED packets generated by the firewall, and you should
> allow these as well. A simple way to do this is to ignore the interfaces on
> the ESTABLISHED,RELATED rule.
Hi!

I am a little bit confused here... I thought all locally generated IP traffic was only checked against the INPUT and OUTPUT chains (iptables), so shouldn't a rule allowing ICMP packets (related to bridged connections) be added to OUTPUT and not to the FORWARD rule?

cu.
Tim

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
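As an added audit example, not code from the thread or the list: a small Python checker over an iptables-save dump (constructed here from the ruleset quoted above, with the chain names restored) that reports whether an ESTABLISHED,RELATED ACCEPT rule is tied to an interface pair, the detail Henrik's suggestion turns on, and which chains accept RELATED traffic regardless of interface, so the INPUT/OUTPUT question raised in this message can be checked against the same dump.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# Constructed iptables-save text mirroring the quoted FORWARD rules
# (chain names added); INPUT/OUTPUT carry no rules, only policies.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

@dataclass
class Rule:
    chain: str
    in_if: Optional[str]
    out_if: Optional[str]
    states: FrozenSet[str]
    target: str

def parse_rules(save_text: str) -> List[Rule]:
    """Parse '-A CHAIN ...' lines of an iptables-save dump into Rule objects."""
    rules = []
    for line in save_text.splitlines():
        if not line.startswith("-A "):
            continue
        toks = line.split()
        def opt(flag: str) -> Optional[str]:
            return toks[toks.index(flag) + 1] if flag in toks else None
        states: FrozenSet[str] = frozenset()
        for flag in ("--state", "--ctstate"):   # state match or its ctstate successor
            val = opt(flag)
            if val:
                states = frozenset(val.split(","))
        rules.append(Rule(toks[1], opt("-i"), opt("-o"), states, opt("-j") or ""))
    return rules

def interface_bound_related(rules: List[Rule]) -> List[Rule]:
    """ACCEPT rules for RELATED state that are restricted to an interface pair."""
    return [r for r in rules
            if "RELATED" in r.states and r.target == "ACCEPT" and (r.in_if or r.out_if)]

def chains_accepting_related(rules: List[Rule]) -> Set[str]:
    """Chains that accept RELATED state with no interface restriction."""
    return {r.chain for r in rules
            if "RELATED" in r.states and r.target == "ACCEPT" and not (r.in_if or r.out_if)}
```

Dropping the `-i eth0 -o eth1` match from the RELATED rule, as suggested in the quoted reply, moves it from the first report into the second; the INPUT and OUTPUT chains show up in the second report only once they carry their own RELATED rule.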
