You could make a connection out to a remote server. That remote server might try to make a connection back to us that has nothing to do with the reason we connected to them. But the server may see it as related and allow it.

----- Original Message -----
From: "Antony Stone" <Antony@xxxxxxxxxxxxxxxxxxxx>
To: "netfilter" <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, June 30, 2004 1:17 PM
Subject: Re: track bandwith used

On Wednesday 30 June 2004 3:07 pm, Peter Marshall wrote:

> ya, that was great. I guess there was one thing that you said that worried
> me ... you said almost all packets will match the ESTABLISHED,RELATED check
> on the forwarded chain ... would that not be a bad thing ... is it dangerous
> to have RELATED as an option on the FORWARD CHAIN. ???

No, in fact it is essential for many purposes.

1. The FTP data channel will be matched as RELATED to the initial control channel, so RELATED in FORWARD is needed if you are going to allow FTP.

2. ICMP error responses (usually seen in reply to UDP packets which fail for some reason) match as RELATED, and (as is already being discussed on another thread on this list), it is not a good idea to stop all ICMP packets from getting through your firewall.

There are other examples of why RELATED packets are necessary, but these are the most common and obvious ones. You will generally find that all tutorials and netfilter examples match ESTABLISHED and RELATED in the FORWARD chain.

What makes you think that RELATED is dangerous?

Regards,

Antony.

--
The words "e pluribus unum" on the Great Seal of the United States are from a poem by Virgil entitled "Moretum", which is about cheese and garlic salad dressing.

Please reply to the list; please don't CC me.
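An added example of the FORWARD policy the thread is talking about, written for this page and not posted by either participant. It is a minimal ruleset for a router with a LAN interface and an Internet interface; the interface names eth1/eth0, the 192.168.1.0/24 LAN prefix and the IPT/FW variable names are assumptions for illustration. It uses the current `-m conntrack --ctstate` syntax rather than the older `-m state --state` form in use in 2004, and it assigns the FTP helper explicitly, because since Linux 4.7 conntrack no longer attaches helpers to ports automatically.

```shell
#!/bin/sh
# Added example, not from the original netfilter thread.
# Interface names, LAN prefix and variable names are assumptions; adjust for
# your network. Set IPT=echo to print the commands instead of applying them
# (applying them requires root and the iptables/conntrack modules).

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

load_ftp_helper() {
    # The FTP helper watches the control channel (TCP/21), parses PORT/PASV and
    # registers an "expectation" for the announced data connection. Only packets
    # hitting that expectation are classified RELATED; the server cannot open an
    # arbitrary unrelated connection back through it. Since kernel 4.7 helpers
    # are not attached automatically, so assign it in the raw table, and only
    # on port 21 so untrusted traffic on other ports never reaches the parser.
    modprobe nf_conntrack_ftp 2>/dev/null || true
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

forward_rules() {
    # Default deny: anything the rules below do not accept is dropped.
    $IPT -P FORWARD DROP
    # Replies of tracked flows (ESTABLISHED) plus RELATED traffic: FTP data
    # channels expected by the helper and ICMP errors (destination-unreachable,
    # time-exceeded, ...) whose embedded header matches a tracked flow. Without
    # RELATED here, FTP transfers stall and ICMP errors for TCP/UDP flows are
    # silently dropped, so path-MTU discovery and "port unreachable" break.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot place in any flow (stray ACKs, bad checksums).
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # New connections are only allowed from the LAN out to the Internet; nothing
    # from the Internet side can open a NEW connection inwards.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Usage: sh fw.sh apply        (as root)
#        IPT=echo sh fw.sh apply   (dry run, prints the commands)
case "${1:-}" in
    apply) load_ftp_helper && forward_rules ;;
esac
```

The answer to the worry raised in the top reply is in how RELATED is computed: conntrack only marks a packet RELATED when a helper has registered an expectation for exactly that flow (the data connection announced over the FTP control channel) or when an ICMP error carries the header of a flow already in the table. A server connecting back on some other port gets state NEW and falls through to the DROP policy above. The remaining exposure is the helper itself parsing untrusted control-channel data, which is why it is pinned to port 21 rather than enabled globally.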