On 2008-10-31 daniel wrote:
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

You need TCP for fully functional DNS as well. You should also allow some ICMP types.

[...]

> iptables -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
> iptables -A OUTPUT -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED,RELATED -j ACCEPT

What reasons are there to have --sport in the ESTABLISHED,RELATED rule? Making rules too specific will adversely affect maintenance.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
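A ruleset that applies the points raised in the reply (TCP as well as UDP for outbound DNS, a few ICMP types, and one generic ESTABLISHED,RELATED rule per direction instead of per-port --sport rules), written here as an added example rather than code from the thread; the default-drop policies and the particular ICMP types are my assumptions.

```shell
#!/bin/sh
# Stateful host firewall for a server offering SSH and HTTP.
# apply_rules runs every rule through "$1" (default: iptables), so
# `apply_rules echo` prints the ruleset instead of loading it.
apply_rules() {
    ipt="${1:-iptables}"

    # Start from a clean filter table with default-deny policies (assumed).
    "$ipt" -F
    "$ipt" -P INPUT DROP
    "$ipt" -P OUTPUT DROP
    "$ipt" -P FORWARD DROP

    # Loopback traffic is needed by many local services.
    "$ipt" -A INPUT  -i lo -j ACCEPT
    "$ipt" -A OUTPUT -o lo -j ACCEPT

    # One generic stateful rule per direction: replies to any connection
    # accepted below are allowed without repeating the ports, so the
    # ESTABLISHED,RELATED rules never need --sport/--dport at all.
    "$ipt" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound DNS: UDP for ordinary queries, TCP for large responses and
    # truncated-answer retries (a UDP-only rule gives a half-working resolver).
    "$ipt" -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    "$ipt" -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # ICMP types a host needs to behave correctly (assumed selection):
    # destination-unreachable carries path-MTU "fragmentation needed",
    # time-exceeded supports traceroute, echo-request/reply allow ping.
    for t in destination-unreachable time-exceeded echo-request echo-reply; do
        "$ipt" -A INPUT  -p icmp --icmp-type "$t" -j ACCEPT
        "$ipt" -A OUTPUT -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Services offered by this host: new inbound SSH and HTTP connections.
    "$ipt" -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
}

# Dry-run helper: count rules whose text matches "$1".
rule_count() {
    apply_rules echo | grep -c -- "$1"
}
```

Running `apply_rules echo` shows the rules as they would be loaded, which is a cheap way to review a ruleset before running it as root.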

