Re: Is this firewall good enough?

So to avoid loading the connection tracking module, I would put rules to
handle return packets in the proper chain.

eg: iptables -A tcp_packets -p tcp --sport 1024:65535 --dport 80 -j ACCEPT


That rule allows packets *to* port 80 - I was asking how you deal with *reply* packets - the ones *from* port 80 on the remote server.

Sorry, the OP was about packets to his box and not from replies from a box he is trying to access.


iptables -A tcp_packets -p tcp --sport 80 --dport 1024:65535 -j ACCEPT


Then I put tcp/udp/icmp packets to the proper chain

eg: iptables -A INPUT -p tcp -j tcp_packets

You could make a catch all for return packets like:

iptables -A INPUT -p tcp ! --syn -j ACCEPT


You seem to be advocating not using the ESTABLISHED,RELATED match - which would render the firewall stateless (like ipchains) instead of stateful. That seems a backwards step to me - or have I misunderstood something?


Stateful is expensive. If you have a high traffic load, it is not worth it. The context is when the box is a server. If you are protecting your home box, by all means, use stateful.
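The trade-off argued in this thread, the stateless `! --syn` catch-all versus a conntrack-style ESTABLISHED match, modelled as a small packet-filter simulation. This is an added example, not code from any of the list posts; the host address, peer addresses and ports are constructed, and the conntrack table is a deliberately minimal stand-in for the real module.

```python
from dataclasses import dataclass, field

HOST = "192.0.2.10"  # constructed address of the firewalled box


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags that are set, e.g. frozenset({"SYN"})


def is_syn(p):
    # iptables --syn: SYN set and ACK, RST, FIN all clear
    return "SYN" in p.flags and not (p.flags & {"ACK", "RST", "FIN"})


def stateless_input(p):
    """Stateless INPUT from the thread: the server rule for port 80, then the
    catch-all 'iptables -A INPUT -p tcp ! --syn -j ACCEPT'; default DROP."""
    if p.dport == 80 and 1024 <= p.sport <= 65535:
        return "ACCEPT"
    return "ACCEPT" if not is_syn(p) else "DROP"


@dataclass
class StatefulInput:
    """Minimal conntrack: remember the 4-tuples of flows this host opened or
    accepted, and admit only packets that belong to one of them."""
    flows: set = field(default_factory=set)

    def outbound(self, p):  # host sends a packet: record (local, remote)
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def input(self, p):
        key = (p.dst, p.dport, p.src, p.sport)  # reply direction as (local, remote)
        if p.dport == 80 and is_syn(p):         # NEW connection to the web server
            self.flows.add(key)
            return "ACCEPT"
        return "ACCEPT" if key in self.flows else "DROP"  # ESTABLISHED only


def demo():
    """Run the same packets through both policies; returns {name: (stateless, stateful)}."""
    ct = StatefulInput()
    ct.outbound(Packet(HOST, 40000, "198.51.100.7", 80, frozenset({"SYN"})))  # host opens a web connection
    samples = {
        "reply_from_web": Packet("198.51.100.7", 80, HOST, 40000, frozenset({"SYN", "ACK"})),
        "client_to_80": Packet("203.0.113.5", 51000, HOST, 80, frozenset({"SYN"})),
        "syn_to_22": Packet("203.0.113.5", 51001, HOST, 22, frozenset({"SYN"})),
        "stray_ack_to_22": Packet("203.0.113.5", 51002, HOST, 22, frozenset({"ACK"})),
    }
    return {name: (stateless_input(p), ct.input(p)) for name, p in samples.items()}
```

Both policies agree on the reply from the web server and on new connections, but the stateless catch-all also admits any non-SYN packet to any port, which is the cost of skipping connection tracking.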


