Franck Joncourt a écrit :
Andrey Kozlov wrote:with use connection tracking you can define common rules for ongoing traffic on top of you rule set: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT and then add specific rules for any required services, e.g.: iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \ -d pop.mail.yahoo.co.uk --dport 110 -m state --state NEW -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \ -d pop.1and1.fr --dport 110 -m state --state NEW -j ACCEPTSo it means, I accept both 'established' and 'related' connections from/to any ports.
Not only any ports but also any protocol, including DNS replies, ICMP replies and error notifications... without the need to explicitly allow each of them. That's why most stateful filtering setups use these kind of rules. I use a slightly modified version of these rules myself (there are some RELATED ICMP types I don't want to accept).
Then, I allow 'new' connections to port 110 (for pop.1and1.fr and pop.mail.yahoo.co.uk).
Yes. So instead of setting up rules for original and return trafic, you just need to set up one rule for the original traffic.
In the end, 'established' or 'related' connections from/to port 4895, for instance, will be accept, as well.
Only after they have been first accepted as NEW.
Unless I am wrong, it is not really interesting in the case I have got a mistake in my firewall, and accept 'new' connections from/to port 4895. I allow more than I should without any reason.
Why would you have a mistake in your firewall and accept explicitly traffic that you don't actually want to accept ?
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
