On Tuesday, Jul 22, 2003, at 06:43 US/Pacific, Henning Brauer wrote:

> On Tue, Jul 22, 2003 at 02:55:47AM -0700, Trevor Talbot wrote:
>> Also note that most of your rules are a bit "loose" as far as TCP goes. The upside is that they'll pick up existing connections when you reboot/reconfigure the firewall, but you may want to get more control over which direction connections are initiated from by using "flags S/SA" with all of them. It depends on your situation; this is just a heads up.
>
> I consider this flags filtering stupid.

Well true, if you aren't using modulate state, there isn't much point. Mark's situation could be handled with just rule reorganization. He currently has rules that catch both directions, and my impression is that he didn't really want connections being initiated in both directions. So I ended up suggesting that, instead of realizing both rules aren't necessary now that keep state is present.


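The two rule styles under discussion, as an added pf.conf illustration that is not part of the thread and not Mark's actual ruleset. The interface macro `$ext_if`, the interface name `fxp0` and the choice of SSH (port 22) as the service are assumptions made for the example.

```pf
# Added example, not from the mailing-list thread. $ext_if, fxp0 and
# port 22 are illustrative assumptions, not taken from the original ruleset.
ext_if = "fxp0"

block all

# --- "Loose" style: one rule per direction, no flags restriction. ---
# Each rule creates state from any TCP packet that matches it, so a
# connection started from outside and one started from inside are both
# accepted, and an existing connection is picked up mid-stream after the
# firewall is rebooted or the ruleset reloaded.
#pass in  on $ext_if proto tcp from any to any port 22 keep state
#pass out on $ext_if proto tcp from any to any port 22 keep state

# --- Tightened style: a single rule for the initiating direction. ---
# flags S/SA: of the SYN and ACK bits, only SYN may be set, so the rule
# matches the first packet of a handshake and nothing else. Reply packets
# match the state entry created here, so no "pass out" rule for this
# service is required; connections can only be initiated from outside.
pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state

# Only if the firewall itself should be allowed to open SSH connections
# outward; this is the direction the single inbound rule does not cover.
#pass out on $ext_if proto tcp from $ext_if to any port 22 flags S/SA keep state
```

With `keep state` on the inbound rule alone, the direction a connection may be initiated from is fixed by which rule exists, which is the reorganization Trevor describes. `flags S/SA` additionally stops a rule from creating state on a packet from the middle of a connection; that is what makes it useful alongside `modulate state` (which needs to see the initial SYN), and it is also why the tightened ruleset drops existing connections on reload, as Trevor's original note pointed out.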