On Thursday 04 July 2002 9:04 pm, Paul Dunphy wrote:

> Hi Everyone,
>
> I'm new to stateful firewalls (can you tell?!), and I have a couple of
> iptables-related questions:
>
> Question 1:
>
> Is there any reason to itemize the established connections
> one by one, or can I simply allow all ESTABLISHED connections through from
> the outside, and rely on the internal-external chain to limit the type of
> connections that can be initiated from inside? Is one way more secure than
> the other?

Just use a single rule. No more or less secure than multiple rules, but a 
LOT easier to read.

> Question 2:
>
> Another related question: If I want to use "-m state --state ESTABLISHED"
> as I'm doing above in the external-internal chain, do I also have to
> specify "-m state" or "-m state NEW" in the internal-external chain so that
> the state of the connection will be tracked, or will it simply work the way
> it is written above? (Are all connections tracked?)

It'll work as you wrote it, and again it's easier to read than specifying the 
state.

By the way, don't forget to allow RELATED connections as well - these include 
important things like ICMP messages, without which your network may have 
problems.


Antony.
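The layout the thread describes, as an added example that is not Paul's or Antony's own ruleset: the FORWARD chain is split into an external-internal chain that admits only ESTABLISHED,RELATED traffic with one rule, and an internal-external chain that limits what the LAN may initiate by port without any explicit state match. Interface names, the LAN range and the permitted outbound ports are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Run with "apply" as root to
# load the rules; set IPT="echo iptables" to print them instead of applying.
IPT="${IPT:-iptables}"
EXT_IF=eth0              # assumed: interface facing the outside
INT_IF=eth1              # assumed: interface facing the LAN
LAN=192.168.1.0/24       # assumed: internal network

build_ruleset() {
    # Fresh chains; "chain already exists" errors on re-runs are ignored.
    $IPT -N ext-int 2>/dev/null
    $IPT -N int-ext 2>/dev/null
    $IPT -F ext-int
    $IPT -F int-ext
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # Hand forwarded traffic to the chain for its direction.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j ext-int
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j int-ext

    # external -> internal: a single rule covers every reply packet of a flow
    # the inside opened (ESTABLISHED) plus the ICMP errors and helper-tracked
    # data channels tied to such a flow (RELATED). Nothing NEW gets in.
    $IPT -A ext-int -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A ext-int -j DROP

    # internal -> external: conntrack tracks every flow that passes, so no
    # "--state NEW" is needed; anything not already tracked simply falls
    # through to the port rules. The first rule also lets the LAN send ICMP
    # errors (RELATED) about flows it has open.
    $IPT -A int-ext -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A int-ext ! -s "$LAN" -j DROP
    $IPT -A int-ext -p tcp -m multiport --dports 22,80,443 -j ACCEPT
    $IPT -A int-ext -p udp --dport 53 -j ACCEPT
    $IPT -A int-ext -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A int-ext -j DROP
}

# Apply only when explicitly asked, so sourcing the file is harmless.
case "${1:-}" in
    apply) build_ruleset ;;
esac
```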