No, look below.
----- Original Message -----
From: "Emmanuel Fleury" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 07, 2002 11:31 AM
Subject: Re: Security flaw in Stateful filtering ??????

> Henrik Nordstrom wrote:
> >
> > This configuration can be done just fine with iptables as demonstrated in my
> > earlier message, but here we go again (but slightly different):
> >
> > # Allow existing connections
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

This line allows all connections that have a connection tracking entry which shows that the connection the packet is part of is ESTABLISHED. RELATED means that if the packet is RELATED to a connection tracking entry, it will slip through as well (i.e. FTP-Data is related to FTP-Control, and ICMPs may be related to TCP connections, etc.). In other words, the above line allows all packets that are not initiating a new connection to pass through the firewall.

> > # Allow hidden net to initiate new connections (including connection pickup)
> > iptables -A FORWARD -i eth0 -j ACCEPT

_this_ line allows all packets from eth0 (probably your LAN) to pass through the firewall, including the packets opening a new connection.

> > # Drop anything else
> > iptables -A FORWARD -j DROP

Finally, we have a rule that DROPs all other packets, including packets from the internet trying to initiate a NEW connection.

Does this make sense? =)

Of course, note that this will _not_ block traffic directed to the actual firewall itself, but hosts behind the firewall.

Oskar Andreasson
http://www.boingworld.com
http://people.unix-fu.org/andreasson/
mailto: [EMAIL PROTECTED]

>
> Sorry, I don't understand something ! :-/
>
> Does that mean that you DROP all the ACKs, even those which are valid ?
>
> Regards
> --
> Emmanuel
>
> I am not a vegetarian because I love animals;
> I am a vegetarian because I hate plants.
> -- A. Whitney Brown
>
>
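As an added example (not part of the thread above, and not Oskar's or Henrik's own script), the three FORWARD rules from the quoted message are collected into one installer function, and a small first-match simulator, `forward_verdict`, walks the same chain offline so the behaviour Emmanuel asks about can be checked without root or a live netfilter. The simulator's inputs are the conntrack state the kernel would assign (NEW, ESTABLISHED, RELATED or INVALID) and the ingress interface; the interface names eth0 (LAN side) and eth1 (internet side) are assumptions taken from the message's "hidden net" comment.

```shell
#!/bin/sh
# Added example (not from the original thread): the three-rule FORWARD chain
# from Henrik's message, plus a tiny first-match simulator so the rule walk can
# be checked offline without root or a live netfilter.

# The real ruleset; run as root on a gateway whose LAN side is eth0 (assumed).
install_forward_rules() {
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -j ACCEPT
    iptables -A FORWARD -j DROP
}

# Simulated walk of the chain. Arguments: the conntrack state of the packet
# (NEW, ESTABLISHED, RELATED or INVALID) and the interface it arrived on.
# Prints the verdict of the first rule that matches, as netfilter would.
forward_verdict() {
    state=$1
    iif=$2
    # Rule 1: any packet that conntrack ties to a known connection passes,
    # whichever direction it flows. A valid ACK on an open connection is
    # ESTABLISHED, so it is accepted here and never reaches the DROP rule.
    case "$state" in
        ESTABLISHED|RELATED) echo ACCEPT; return 0 ;;
    esac
    # Rule 2: anything arriving on the hidden net's interface may start a
    # connection (or pick one up again after the firewall lost its state).
    if [ "$iif" = eth0 ]; then
        echo ACCEPT
        return 0
    fi
    # Rule 3: everything else, including NEW and INVALID packets arriving
    # from the internet side, is dropped.
    echo DROP
}
```

`forward_verdict ESTABLISHED eth1` prints ACCEPT: an ACK that belongs to a tracked connection is matched by the first rule regardless of direction. `forward_verdict NEW eth1` prints DROP: a packet from the internet side with no conntrack entry falls through to the last rule, while the same NEW packet on eth0 is accepted by the second rule, which is the "connection pickup" the comment refers to. The simulator only models the chain's first-match logic; which state conntrack actually assigns to a given packet is decided by the kernel.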