On Tue, Jul 05, 2005 at 10:00:53PM +1000, Daniel Pittman wrote:
/sbin/iptables -t filter -A in_world_http_s1 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_world_http_s1 -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
IMHO, this is fairly redundant (and inefficient) unless you don't trust your firewall. (And in that case, why use it?) The examples of things that might require additional checking (e.g., ftp data connection) are arguably valid, but those are *RELATED* sessions, not *ESTABLISHED* sessions. If you're going to do something like the above you're better off just unloading the state module and setting up port filters (which is effectively what you're doing).

Mike Stone
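As an added example (not from the thread or either poster), the two rule layouts under discussion side by side as a POSIX sh script: the quoted per-direction rules, and the stateful layout Mike's reply points toward, where one ESTABLISHED,RELATED rule per chain carries all reply and helper-tracked traffic. The chain names in_world and out_world are assumptions, and IPT can be set to echo to print rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. IPT defaults to iptables; set IPT=echo
# to print the rules instead of applying them (applying needs root and the
# chains named below, which are assumed to already exist, e.g. via -N).
# On current kernels the equivalent match is "-m conntrack --ctstate".
IPT="${IPT:-/sbin/iptables}"

# Pattern from the quoted message: one rule per service in each direction,
# each also matching conntrack state. The state check on the reply rule adds
# nothing the port filter does not already express.
redundant_http_rules() {
    "$IPT" -t filter -A in_world_http_s1 -p tcp --sport 1024:65535 --dport 80 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPT" -t filter -A out_world_http_s1 -p tcp --sport 80 --dport 1024:65535 \
        -m state --state ESTABLISHED -j ACCEPT
}

# Stateful layout: one generic rule per chain accepts replies to (ESTABLISHED)
# and helper-tracked side connections of (RELATED) anything already accepted,
# so each service needs a single rule matching NEW in the direction the
# connection is opened. The ftp data connection Mike mentions is RELATED and
# is covered by the generic rule once the ftp conntrack helper is loaded.
stateful_rules() {
    "$IPT" -t filter -A in_world  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -t filter -A out_world -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -t filter -A in_world  -p tcp --dport 80 -m state --state NEW -j ACCEPT
    "$IPT" -t filter -A in_world  -p tcp --dport 21 -m state --state NEW -j ACCEPT
}

# Number of rules a rule set function emits, evaluated in print mode.
count_rules() {
    ( IPT=echo; "$1" ) | grep -c -- ' -A '
}

case "${1-}" in
    --print) IPT=echo; stateful_rules ;;   # show the stateful rule set
    --apply) stateful_rules ;;             # needs root and the chains above
esac
```

Adding a second service to the stateful layout is one more NEW rule; the redundant layout needs two rules per service and still relies on conntrack for the reply match.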

