On Tue, 28 Oct 2003, Knight, Steve wrote:

> I get the picture - so you can have an "external-SSHD-access" chain, and an
> "external-SMTP-access" chain, rather than a huge pile of rules which you
> could risk blamming, in a rushed moment.
>
> I have Mr Ziegler's esteemed tome [it seemed to be v highly regarded after a
> snoop around googly groups] and it's damn fine, it's what I'm working from
> to configure my fw. It's so rigorous though that I can get easily lost in
> there!
>
> Sorry for the ultra-lamer question now...
>
> Is it the case that for each rule on the INPUT chain you must have the
> corresponding OUTPUT rule also? i.e. if I say
>
> <pseudocode>
> Accept from ANYWHERE spt:1024...65535 LOCALHOST dpt:22
> </pseudocode>
>
> Do I also have to put a corresponding response rule in ---
>
> Accept from LOCALHOST spt:22 ANYWHERE dpt:1024...65535
>
> in order to allow the response through?
> OR does the fact I've put an "accept from anywhere to SSHD" rule imply that
> I want to allow the service to respond?
>
> Again, sorry for what seems like an ultra stupid question, but it's not 100%
> clearly stated in Ziegler, at least after two reads of the relevant chapter.

what you want in ziegler is in the middle of p. 120 -- the rules to allow
all incoming and outgoing traffic that's RELATED,ESTABLISHED. what those
rules do is allow all traffic in either direction that's *related* to an
existing connection. so you just need to set up your rules to allow/deny
the *initial* request, and those two rules will automatically use
connection tracking to allow subsequent traffic that's related to that
original request.

rday
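For anyone reading this later, here is a minimal ruleset that puts the reply into practice. This is an added example, not from either poster or from Ziegler's book: it uses the iptables `state` match of the day, a default-DROP policy, and a user-defined chain named `ext-ssh` (my name, standing in for Steve's "external-SSHD-access" chain). The only hand-written ACCEPT is for the *initial* packet to port 22; the two RELATED,ESTABLISHED rules let the sshd replies out, so no "from LOCALHOST spt:22" rule is written at all. By default the script only prints the commands; run it as root with `IPT=iptables` to actually load them.

```shell
#!/bin/sh
# Added example (not from the original thread). Default-DROP host firewall
# exposing only sshd, relying on connection tracking for the return traffic.
# IPT defaults to "echo iptables" (dry run); set IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"

ssh_firewall() {
    # Start clean and make "not explicitly allowed" mean "dropped".
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback traffic is always fine.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # The two rules the reply points at (Ziegler p. 120): anything, in either
    # direction, that conntrack already knows about is accepted. These are
    # what make a separate "response" rule for sshd unnecessary.
    $IPT -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Packets conntrack cannot place in any connection are dropped early.
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Per-service chain, as Steve describes: only NEW connections to port 22
    # are sent to it, so the chain stays small and easy to audit on its own.
    $IPT -N ext-ssh
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ext-ssh

    # The one rule that has to be written by hand: the initial request.
    # Unprivileged source port range as in the original pseudocode.
    $IPT -A ext-ssh -p tcp --sport 1024:65535 --dport 22 -j ACCEPT
    $IPT -A ext-ssh -j DROP
}

ssh_firewall
```

On current kernels the same rules are usually written with `-m conntrack --ctstate RELATED,ESTABLISHED`; the `state` match above is what the 2003-era book and kernel use, and the logic is identical. Note the ordering: the RELATED,ESTABLISHED rules sit at the top of INPUT and OUTPUT so that every packet of an accepted session hits them first, and only the very first SYN ever reaches the `ext-ssh` chain.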