Grant Taylor wrote:
> I personally have known that using "-m state --state
> ESTABLISHED,RELATED" was not the most secure thing to use for returning
> traffic.
Actually, what the described method accomplishes is not defeating the
"firewall" part, but the "NAT" part. If one of the hosts was not behind
a NAT, the traffic would flow even with ESTABLISHED,RELATED, because it
belongs to an active "connection".
> Namely this will allow you to make a valid connection to a web
> server, say to retrieve a picture. Then said web server could send
> malicious traffic back to your computer and pass through your firewall.
Please note it does not allow you to create a new connection, just use
POTENTIAL connections that wouldn't work due to NAT.
> Grant. . . .
Yours sincerely,
Peter
--
http://www.shurdix.org - Linux distribution for routers and firewalls
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
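Added example, not part of the LARTC post or of netfilter itself: a toy model of how a stateful filter using "-m state --state ESTABLISHED,RELATED" decides on packets. It tracks flows by the 5-tuple of the initiating direction, the way conntrack does in principle, and shows the two points discussed in the thread: a reply on an already-tracked flow is accepted whatever its payload, while a fresh inbound connection attempt from the same peer is still dropped. The addresses, ports and payloads are constructed; TCP state tracking, timeouts and RELATED helpers are deliberately left out.

```python
# Added example (not from the LARTC post): a toy model of a stateful
# packet filter that accepts outbound NEW and ESTABLISHED in both
# directions, and drops inbound NEW. The point it demonstrates is that
# the ESTABLISHED match looks only at the flow tuple, never at the payload.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class Conntrack:
    """Minimal flow table keyed on the 5-tuple of the initiating direction."""

    def __init__(self):
        self.flows = set()

    @staticmethod
    def forward(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def state(self, p):
        # Either direction of a tracked flow counts as ESTABLISHED.
        if self.forward(p) in self.flows or self.reverse(p) in self.flows:
            return "ESTABLISHED"
        return "NEW"

    def add(self, p):
        self.flows.add(self.forward(p))


class StatefulFilter:
    """Policy: allow outbound NEW, allow ESTABLISHED both ways, drop other inbound."""

    def __init__(self):
        self.ct = Conntrack()

    def verdict(self, p, direction):
        state = self.ct.state(p)
        if state == "ESTABLISHED":
            return "ACCEPT"  # payload is never inspected here
        if direction == "OUT":
            self.ct.add(p)  # outbound NEW creates the conntrack entry
            return "ACCEPT"
        return "DROP"  # inbound NEW is rejected


def run_scenario():
    """Constructed traffic: a client fetches a picture, the server answers,
    then the same server tries to open a new connection back."""
    fw = StatefulFilter()
    client, server = "192.0.2.10", "203.0.113.5"  # documentation ranges, constructed
    request = Packet("tcp", client, 40000, server, 80, b"GET /picture.jpg HTTP/1.1")
    # The reply is on the tracked flow, so it passes regardless of content.
    reply = Packet("tcp", server, 80, client, 40000, b"HTTP/1.1 200 OK <anything the server chooses>")
    # A new inbound flow from the same peer has no conntrack entry.
    unsolicited = Packet("tcp", server, 54321, client, 22, b"SSH-2.0-probe")
    return {
        "request": fw.verdict(request, "OUT"),
        "reply": fw.verdict(reply, "IN"),
        "unsolicited": fw.verdict(unsolicited, "IN"),
    }


if __name__ == "__main__":
    for name, v in run_scenario().items():
        print(f"{name:11s} -> {v}")
```

Running it prints ACCEPT for the request and the reply and DROP for the unsolicited connection. The defensive takeaway matches the thread: ESTABLISHED,RELATED does not let a peer open new connections, but it also does nothing about what the peer sends back on the connection you opened, so content-level controls have to live elsewhere.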