On Tuesday 08 June 2004 9:11 pm, Feizhou wrote:
That rule allows packets *to* port 80 - I was asking how you deal with *reply* packets - the ones *from* port 80 on the remote server.
iptables -A tcp_packets -p tcp --sport 80 --dport 1024:65535 -j ACCEPT
whoops, that should be:
iptables -A tcp_packets -p tcp --sport 80 --dport 1024:65535 ! --syn -j ACCEPT
:P
That is not my idea of a secure firewall rule - you are allowing an external scanner / attacker to access the machine on any TCP port from 1024 to 65535, simply by setting their source port to 80.
Sheesh - we might as well go back to stateless routers with access control lists.
My problems could be related to hardware not being powerful enough. It does show though that there is a cost to stateful modules we have.
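An added illustration, not part of the thread, modelling how the two stateless rules above and a conntrack-based `-m state --state ESTABLISHED,RELATED` rule treat packets arriving with source port 80. The packets and the flow table are constructed here; iptables' `--syn` is modelled as "SYN set, ACK/RST/FIN clear".

```python
# Added example (not from the thread): a small model of the rule variants
# discussed above. Packets and the conntrack table are constructed inline.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    syn: bool
    ack: bool


def stateless_sport80(pkt, require_not_syn):
    """-p tcp --sport 80 --dport 1024:65535 [! --syn] -j ACCEPT"""
    if pkt.proto != "tcp" or pkt.sport != 80 or not 1024 <= pkt.dport <= 65535:
        return False
    # iptables --syn matches SYN set with ACK, RST and FIN clear,
    # so "! --syn" only rejects a fresh connection attempt.
    if require_not_syn and pkt.syn and not pkt.ack:
        return False
    return True


def stateful_established(pkt, conntrack):
    """-m state --state ESTABLISHED,RELATED -j ACCEPT: only replies to flows we opened."""
    return (pkt.proto, pkt.dport, pkt.sport) in conntrack


# Constructed conntrack table: flows this host initiated, as (proto, local port, remote port).
LOCAL_FLOWS = {("tcp", 40000, 80)}

LEGIT_REPLY = Packet("tcp", 80, 40000, syn=True, ack=True)   # SYN/ACK to our own connection
PROBE_SYN = Packet("tcp", 80, 2222, syn=True, ack=False)     # new connection with sport set to 80
PROBE_ACK = Packet("tcp", 80, 2222, syn=False, ack=True)     # non-SYN packet, no matching flow


def verdicts(pkt):
    """Return the accept/drop decision of each rule variant for one packet."""
    return {
        "sport80": stateless_sport80(pkt, False),
        "sport80_notsyn": stateless_sport80(pkt, True),
        "stateful": stateful_established(pkt, LOCAL_FLOWS),
    }
```

Only the stateful rule accepts the genuine reply while dropping both probes; `! --syn` stops the connection attempt but still lets the non-SYN packet through to an arbitrary high port.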