On Fri, Dec 05, 2003 at 12:43:10PM -0700, Michael Gale wrote:
>
> What about OUTPUT ?
>
> You should block everything in every direction and then allow what you want per interface.

In general, yes. This would be the best (although a bit more work) solution. Usually the inside endpoints are the clients connecting to the outside services, which leads you to do "-p tcp/udp -o EXT -sport 1023: -j ACCEPT". However, a hacker might run services inside on a high port and regularly initiate outgoing traffic to a well-defined IP/port, which makes the firewall add this to its internal conntrack; then they would come in from that IP/port. That's why you need to do some sanity checks for SYN packets in ESTABLISHED state, along with many more other checks. Most of the time, however, the OUTPUT and the outgoing FORWARD are relaxed just because of the (false) assumption that the harm comes from outside.

Ramin

> Michael.
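A minimal iptables ruleset in the spirit of the advice above (default deny in every direction, then per-interface allows, with the SYN/ESTABLISHED sanity checks applied first), added here as an example and not taken from either poster. The interface names EXT/INT, the unprivileged port range and the dry-run default are assumptions.

```shell
#!/bin/sh
# Added example: stateful default-deny ruleset with SYN sanity checks.
# By default this only prints the rules (dry run); to apply them, run as
# root with IPT=iptables. EXT/INT are assumed interface names.
IPT="${IPT:-echo iptables}"
EXT="${EXT:-eth0}"
INT="${INT:-eth1}"

apply_rules() {
    # 1. Block everything in every direction, then start from a clean slate.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F

    # Loopback is local-only traffic; let it through.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # 2. Sanity checks before any state-based ACCEPT: a NEW TCP flow must
    #    begin with a bare SYN, and a SYN must never be accepted on a flow
    #    that conntrack already holds as ESTABLISHED (the case above where
    #    an inside host primes conntrack for an outside peer).
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -p tcp ! --syn -m state --state NEW -j DROP
        $IPT -A "$chain" -p tcp --syn -m state --state ESTABLISHED -j DROP
    done

    # 3. Now allow replies to conversations the firewall already knows.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. Allow only what you want, per interface: inside clients may open
    #    new TCP/UDP sessions to the outside from unprivileged source ports.
    #    Everything else falls through to the DROP policies set in step 1.
    $IPT -A FORWARD -i "$INT" -o "$EXT" -p tcp --sport 1024:65535 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INT" -o "$EXT" -p udp --sport 1024:65535 -j ACCEPT
}

apply_rules
```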