On Sunday 28 March 2004 9:43 pm, David Cannings wrote:
> On Sunday 28 March 2004 20:52, Cody Harris wrote:
> > This is my firewall setup:
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere
> > ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
> > ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
> > ACCEPT     icmp --  anywhere             anywhere            icmp redirect
> > ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
> > ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
> > ACCEPT     tcp  --  anywhere             192.168.0.2         tcp dpt:ssh
> >
> > We have noticed that ssh isn't getting forwarded. What's wrong?
>
> What about the replies from SSH which will come from source port 22?
> Either add a rule to explicitly allow from sport ssh or add an
> ESTABLISHED/RELATED rule in there.

That might be covered by the first rule:

> > ACCEPT     all  --  anywhere             anywhere

We won't know until we see the output of a listing with -v to show us the
interfaces too.

However your point about there being no ESTABLISHED,RELATED rule is a good
one - it suggests that netfilter is not being used statefully, which means
it is very difficult to make the system (a) work and (b) secure at the same
time.

Regards,

Antony.

--
Wanted: telepath.  You know where to apply.

Please reply to the list; please don't CC me.
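Added example (not code from any of the posters above): a stateful FORWARD chain of the kind Antony and David are describing, emitted in iptables-restore format so it can be reviewed before loading, plus two small grep checks that flag the problems raised in the thread in an "iptables -L FORWARD" listing: a catch-all ACCEPT that makes later rules redundant, and the absence of an ESTABLISHED,RELATED rule. The interface names eth0/eth1 and the DNAT rule are assumptions; only 192.168.0.2 and port 22 come from the thread.

```shell
#!/bin/sh
# Added example: stateful FORWARD chain for a port-forwarded SSH server,
# plus review checks for a FORWARD chain listing. Interface names and the
# DNAT rule are assumed; 192.168.0.2 and port 22 are from the thread.

WAN_IF="${WAN_IF:-eth0}"            # assumed: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"            # assumed: interface facing the LAN
SSH_HOST="${SSH_HOST:-192.168.0.2}"

# Emit the ruleset in iptables-restore(8) format rather than applying it,
# so it can be diffed and reviewed first:  iptables-restore < rules.txt
stateful_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
# Port-forward inbound SSH to the internal host (assumed to be needed here)
-A PREROUTING -i $WAN_IF -p tcp --dport 22 -j DNAT --to-destination $SSH_HOST:22
COMMIT
*filter
:FORWARD DROP [0:0]
# Replies and related packets (ICMP errors etc.) for connections already accepted
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New inbound SSH sessions, only to the forwarded host
-A FORWARD -i $WAN_IF -o $LAN_IF -d $SSH_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT
# New outbound connections from the LAN
-A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW -j ACCEPT
# Anything else (including INVALID) is logged, rate-limited, then hits the DROP policy
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "
COMMIT
EOF
}

# Review helpers. Each takes listing text (from "iptables -L FORWARD" with or
# without -n, or a restore file) and exits 0 when the condition holds.

# An unconditional ACCEPT of all protocols from anywhere to anywhere: every
# rule after it never matches. Targets the column layout without -v.
has_catchall_accept() {
  printf '%s\n' "$1" |
    grep -Eq '^ACCEPT[[:space:]]+all[[:space:]]+--[[:space:]]+(anywhere|0\.0\.0\.0/0)[[:space:]]+(anywhere|0\.0\.0\.0/0)[[:space:]]*$'
}

# An ESTABLISHED,RELATED state rule is present, i.e. the chain is stateful.
# -L prints the states as RELATED,ESTABLISHED, restore files as written.
has_state_rule() {
  printf '%s\n' "$1" |
    grep -Eq 'state[[:space:]]+(ESTABLISHED,RELATED|RELATED,ESTABLISHED)'
}

# Constructed copy of (part of) the listing quoted in the thread.
QUOTED_LISTING='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     tcp  --  anywhere             192.168.0.2         tcp dpt:ssh'

# Print one line per problem found in a listing.
review_listing() {
  has_catchall_accept "$1" && echo "catch-all ACCEPT present: later rules never match"
  has_state_rule "$1" || echo "no ESTABLISHED,RELATED rule: chain is not stateful"
  return 0
}

review_listing "$QUOTED_LISTING"
```

The review checks only read listing text, so they can be run against "iptables -L FORWARD -n" output copied from the box; with -v the listing gains pkts/bytes and in/out columns, which also answers Antony's question about which interfaces the rules apply to.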