On 2/26/23 16:57, Genes Lists wrote:
> Are you saying you block not only inbound SYN packets, but also outbound
> and/or every related, established connection?
> This would mean you are unable to visit any EU website unless you first add
> that website's specific IP(s) to your outbound whitelist? That would, of
> course, also include the WKD web server. If this is not the case then
> perhaps something else is going on.
> As I said, just trying to understand what you're doing that may be causing a
> problem for you to pull a key from a web server.
> best
> gene
Thanks for the reply, Genes.
I block just inbound connections from the blocked address ranges using the
INPUT chain; all outbound addresses are available (a very unsophisticated
approach). I'll look at using a finer-toothed comb to handle only new and
not related / established connections. That would solve the issue as long as
the WKD traffic is considered related / established.
So the problem is that the sync can contact wherever it is supposed to validate
the keys from, but iptables will not let the machine on the other end talk
back, due to the DROP rule on the address range in the INPUT chain block.
--
David C. Rankin, J.D.,P.E.
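As an added illustration (not code from either poster), this is one way to lay out the INPUT chain David describes so that replies to connections the host itself opened are accepted by conntrack state before any per-range DROP is consulted; the address ranges are RFC 5737 documentation placeholders, and the ssh rule is a hypothetical example of a locally offered service.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset in which the
# RELATED,ESTABLISHED accept precedes every per-range DROP, so return
# traffic for outbound lookups (such as a WKD fetch) is never dropped.
# Placeholder ranges (RFC 5737 documentation space), not real EU ranges.
BLOCKED_RANGES="198.51.100.0/24 203.0.113.0/24"

# Print the filter table in the format iptables-restore reads.
ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened match here first, so the
# range DROPs further down never see them.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    for range in $BLOCKED_RANGES; do
        # Only NEW inbound connections from the range are refused.
        printf '%s\n' "-A INPUT -s $range -m conntrack --ctstate NEW -j DROP"
    done
    # Hypothetical locally offered service (ssh), placed after the range block.
    printf '%s\n' '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Guard against the original problem: the ESTABLISHED accept must come
# before the first range DROP, or answers to outbound traffic are dropped.
check_order() {
    accept_line=$(ruleset | grep -n 'RELATED,ESTABLISHED -j ACCEPT' | cut -d: -f1)
    first_drop=$(ruleset | grep -n '^-A INPUT -s ' | head -n1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$first_drop" ] && [ "$accept_line" -lt "$first_drop" ]
}

if [ "${1:-}" = "--apply" ]; then
    check_order && ruleset | iptables-restore   # requires root
else
    ruleset   # dry run: print the ruleset for review
fi
```

Run without arguments to review the generated ruleset, or with `--apply` as root to load it; `iptables -L INPUT -v -n --line-numbers` then shows the conntrack accept ahead of the range DROPs.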