On Wed 24/12/2003 at 09:18, Vinayakam Murugan wrote:
> What I meant was is it safe to drop all new packets coming
> in? Is that the usual practice?

If you don't want incoming connections, you'll have to drop new packets
coming in and it is safe to do so. Just keep your ruleset going.

By the way, I have a comment on it.

$IPT -A IN_FIREWALL -p tcp -m state --state \
    ESTABLISHED,RELATED -j ACCEPT
$IPT -A IN_FIREWALL -p udp -m state --state \
    ESTABLISHED,RELATED -j ACCEPT
$IPT -A IN_FIREWALL -j LOG --log-prefix "IPT IN_FIREWALL: " \
    $LOGOPT
$IPT -A IN_FIREWALL -j DROP

It would be a good idea to let ICMP traffic go through, at least for
RELATED packets that are ICMP errors generated by your own connections.

$IPT -A IN_FIREWALL -p icmp -m state --state RELATED -j ACCEPT

ESTABLISHED ones are replies to ICMP requests (ping, timestamp, netmask
and info). It's up to you to decide whether letting your firewall ping
is a good idea or not.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
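The chain from the message above with the suggested ICMP rule placed before the final LOG and DROP, as an added example that is not part of the original message. It runs as a dry run: `IPT` defaults to `echo iptables`, and the `LOGOPT` value, the `ALLOW_PING_REPLIES` switch and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): dry-run build of IN_FIREWALL.
# IPT defaults to "echo iptables", so rules are printed, not applied.
# echo drops the quotes around the log prefix; the output is for review only.
IPT="${IPT:-echo iptables}"
# Assumption: the original $LOGOPT is not shown in the message.
LOGOPT="${LOGOPT:---log-level info}"

build_in_firewall() {
    $IPT -A IN_FIREWALL -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A IN_FIREWALL -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ICMP errors generated by our own connections
    $IPT -A IN_FIREWALL -p icmp -m state --state RELATED -j ACCEPT
    # Replies to ICMP requests sent by the firewall itself (ping, timestamp,
    # netmask, info). ALLOW_PING_REPLIES is a hypothetical opt-in switch.
    if [ "${ALLOW_PING_REPLIES:-0}" = 1 ]; then
        $IPT -A IN_FIREWALL -p icmp -m state --state ESTABLISHED -j ACCEPT
    fi
    $IPT -A IN_FIREWALL -j LOG --log-prefix "IPT IN_FIREWALL: " $LOGOPT
    $IPT -A IN_FIREWALL -j DROP
}

# Reads dry-run rules on stdin and prints every rule that comes after the
# unconditional DROP. Such rules can never match: -A appends to the end of
# the chain, so an ACCEPT added once the chain is complete is dead.
shadowed_rules() {
    awk '
        dropped { print; next }
        / -A IN_FIREWALL -j DROP$/ { dropped = 1 }
    '
}

# Print the chain in evaluation order when run as a dry run.
build_in_firewall
```

Piping the printed rules through `shadowed_rules` before loading them shows whether an ACCEPT rule was appended after the terminal DROP.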