Pascal Hambourg wrote:
> Franck Joncourt wrote:
>> Andrey Kozlov wrote:
>>
>>> With connection tracking you can define common rules for ongoing
>>> traffic on top of your rule set:
>>>
>>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>> and then add specific rules for any required services, e.g.:
>>>
>>> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
>>> -d pop.mail.yahoo.co.uk --dport 110 -m state --state NEW -j ACCEPT
>>>
>>> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
>>> -d pop.1and1.fr --dport 110 -m state --state NEW -j ACCEPT
>>>
>>
>> So it means I accept both 'established' and 'related' connections
>> from/to any ports.
>
> Not only any ports but also any protocol, including DNS replies, ICMP
> replies and error notifications... without the need to explicitly allow
> each of them. That's why most stateful filtering setups use this kind
> of rule. I use a slightly modified version of these rules myself (there
> are some RELATED ICMP types I don't want to accept).
>
>> Then, I allow 'new' connections to port 110 (for
>> pop.1and1.fr and pop.mail.yahoo.co.uk).
>
> Yes. So instead of setting up rules for original and return traffic, you
> just need to set up one rule for the original traffic.
>
>> In the end, 'established' or 'related' connections from/to port 4895,
>> for instance, will be accepted as well.
>
> Only after they have been first accepted as NEW.
>
>> Unless I am wrong, it is not really interesting in the case I have got a
>> mistake in my firewall and accept 'new' connections from/to port 4895.
>> I allow more than I should without any reason.
>
> Why would you have a mistake in your firewall and explicitly accept
> traffic that you don't actually want to accept?
>
You are right, there is no reason to have a mistake in my firewall; I just pointed out that in this case you only rely on one rule to block outgoing traffic.

In my config file, I do not trust anything. Therefore, I drop everything and explicitly allow what I need one by one. So, it makes it a bit messy :(!

I try to understand the rules I use, in order to get something strong; I did not see why I should have allowed rules I did not want. But, according to you, it seems to be enough. In theory, I agree with you.

As I do not want to use stuff like shorewall, firestarter ... I will take your remarks into account, have a better look at my firewall, and clean it out.

I thank you again.

--
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
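The point Pascal makes, that the ESTABLISHED,RELATED rules only ever match flows that were first accepted as NEW, means the set of `--state NEW ... -j ACCEPT` rules is the complete list of what the firewall lets through, and that is the list worth auditing. The script below is an added example, not code from the thread or from Franck's firewall: it emits the stateful ruleset in `iptables-restore` format (default DROP on every chain, the two return-traffic rules, then one NEW rule per service) and provides a helper that extracts exactly those NEW rules for review. `$UNPRIVPORTS` and the two POP3 hosts come from Andrey's quoted rules; the loopback rules, the outgoing DNS rule, the LOG lines and their prefixes are assumptions added here.

```shell
#!/bin/sh
# Added example: stateful iptables ruleset plus an audit helper.
# Load with:   build_rules | iptables-restore       (as root)
# Dry run:     build_rules                          (just prints it)

# Unprivileged source ports, as in the quoted rules (assumed range).
UNPRIVPORTS="1024:65535"

# Print the whole ruleset in iptables-restore syntax. Lines starting
# with '#' are comments and are ignored by iptables-restore.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is trusted unconditionally (assumption, not from the thread)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# return traffic for anything already accepted as NEW: any port, any
# protocol, including DNS replies and RELATED ICMP errors
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the only place new connections are allowed: one rule per service
-A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS -d pop.mail.yahoo.co.uk --dport 110 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS -d pop.1and1.fr --dport 110 -m state --state NEW -j ACCEPT
# outgoing DNS so the hostnames above can be resolved (assumption)
-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT
# anything that reaches the end of a chain is logged, then hits the
# DROP policy; the log prefixes are assumptions
-A INPUT -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -j LOG --log-prefix "fw-out-drop: "
COMMIT
EOF
}

# Audit helper: list every rule that accepts NEW connections. Because
# ESTABLISHED,RELATED only matches flows that were first accepted here,
# these lines (plus the loopback rules) are everything the firewall
# permits. A port like 4895 can only get through if it shows up here.
audit_new() {
    build_rules | grep -- '--state NEW' | grep -- '-j ACCEPT'
}

# Number of NEW-accepting rules, for a quick sanity check after edits.
count_new() {
    audit_new | wc -l | tr -d ' '
}

# Exit 0 if no NEW rule mentions the given port, 1 otherwise.
# Usage: port_is_closed 4895
port_is_closed() {
    if audit_new | grep -q -- "--dport $1\b"; then
        return 1
    fi
    return 0
}
```

Two caveats when loading this for real: `iptables` (and `iptables-restore`) resolves hostnames such as pop.1and1.fr once, at load time, so a rule written with a hostname silently pins whatever address DNS returned at that moment and inserts one rule per returned address; and `-m state` is kept here because the thread uses it, although current iptables treats it as an alias for `-m conntrack --ctstate`.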

