On Tuesday 09 December 2003 7:54 pm, Michael Gale wrote:

> Seems like a dumb question -- I guess what I really should be asking is how
> secure is "-m state --state ESTABLISHED" ?

As far as I'm aware, the strength of this rule is exactly the same as whatever rules you have allowing NEW connections to become ESTABLISHED.

In other words, I think the simpler version of the rule is perfectly good enough. Specifying things like the source port adds nothing, because the connection tracking system is already based on {source,destination}{IP,port}.

If packets which you don't want seem to be coming in as ESTABLISHED, then there's something wrong with what you accepted as NEW in the first place.

Antony.

--
If the human brain were so simple that we could understand it, we'd be so simple that we couldn't.

Please reply to the list; please don't CC me.
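Added example, not part of the original message and not netfilter code: a simplified Python model of tuple-based connection tracking, illustrating the point made in the reply above. With NEW limited to host-initiated connections, adding a source-port match to the ESTABLISHED rule yields the same verdicts, while an over-broad NEW rule lets an unsolicited connection become ESTABLISHED. The class, function names, addresses and the default-DROP policy are assumptions made for the illustration.

```python
from collections import namedtuple

# Simplified model: real conntrack also tracks TCP flags, timeouts, RELATED and INVALID.
Pkt = namedtuple("Pkt", "proto src sport dst dport")

def reply(p):
    """Tuple of the packet travelling in the opposite direction to p."""
    return Pkt(p.proto, p.dst, p.dport, p.src, p.sport)

class StatefulFilter:
    """One chain with a default DROP policy (assumption of this model)."""
    def __init__(self, new_ok, est_extra=lambda p: True):
        self.new_ok = new_ok        # stands in for the rules that accept --state NEW
        self.est_extra = est_extra  # extra matches added to the ESTABLISHED rule
        self.table = {}             # original-direction tuple -> reply seen yet?

    def verdict(self, p):
        orig = reply(p)
        if orig in self.table or self.table.get(p):   # tuple lookup decides the state
            if not self.est_extra(p):
                return ("ESTABLISHED", "DROP")
            if orig in self.table:
                self.table[orig] = True               # a reply has now been seen
            return ("ESTABLISHED", "ACCEPT")
        if self.new_ok(p):
            self.table.setdefault(p, False)           # start tracking the connection
            return ("NEW", "ACCEPT")
        return ("NEW", "DROP")

# Constructed sample traffic, using documentation address ranges.
HOST, WEB, OTHER = "192.0.2.10", "198.51.100.5", "203.0.113.9"
out = Pkt("tcp", HOST, 40000, WEB, 80)      # host opens a web connection
stray = Pkt("tcp", WEB, 80, HOST, 40001)    # right server, but no matching entry
probe = Pkt("tcp", OTHER, 4444, HOST, 22)   # unsolicited inbound connection

def run(new_ok, est_extra=lambda p: True):
    fw = StatefulFilter(new_ok, est_extra)
    log = [fw.verdict(p) for p in (out, reply(out), stray, probe)]
    if log[-1][1] == "ACCEPT":               # the host only answers a probe that got in
        log.append(fw.verdict(reply(probe)))
    log.append(fw.verdict(probe))            # second packet of the probe connection
    return log

def host_initiated(p):                       # NEW only for connections the host opens
    return p.src == HOST

def sport_80(p):                             # models adding --sport 80 on inbound packets
    return p.dst != HOST or p.sport == 80

if __name__ == "__main__":
    print(run(host_initiated), run(host_initiated, sport_80), run(lambda p: True), sep="\n")
```

The third output line is the over-broad NEW case: the probe's second packet is reported as ESTABLISHED and accepted, and the fix is in the NEW rule, not the ESTABLISHED one.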