On Thu, 2004-09-23 at 21:56, Aleksandar Milivojevic wrote:
> Quoting Dimitar Katerinski <train@xxxxxxx>
> Date: Fri, 24 Sep 2004 01:02:11
>
> > Sorry, a little bit off topic, but I always go red about such kind of crappy
> > rules:
> >
> > > Use DNAT target. In short what you need to do is:
> > >
> > > iptables -A FORWARD -m state --state NEW -j ACCEPT
> >
> > Do you know what you just did? You've just allowed any kind of
> > connections, protocols to any port and from/to any destination. Cute,
> > isn't it?
>
> The above was an obvious typo that I made. It should have read ESTABLISHED, not
> NEW, of course. It kinda surprised me that it took so long before anybody noticed.

i regret not pointing out in my response that it was obvious to me that this was a typo, and not any reflection on the poster in any way, shape, or form.

> Maybe yes, maybe no. The bottom line is that probability of somebody getting
> burned by not using tcp-flags (or simply syn) option is quite low. But if
> that's going to make you so much happier person, I can start typing mile long
> examples instead of giving hints.

precisely. the rules that get posted here are to illustrate the point, not our recommendations of what makes a perfect firewall. i know as well as anyone that the easiest path is to lurk and wait for a typo to pounce upon.

-j

--
Jason Opperisano <opie@xxxxxxxxxxx>
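The two points raised in the thread (an unrestricted `--state NEW -j ACCEPT` in FORWARD, and NEW TCP accepts that do not insist on `--syn`/`--tcp-flags`) are easy to check for mechanically before a rule set goes live. The following lint is an added example and not code from the thread or from any of its participants; it parses rules written in the plain `iptables -A CHAIN ...` form quoted above and flags both conditions. The message strings, the `lint()` function and the sample rules other than the one quoted in the thread are constructed for this example.

```python
"""Lint iptables rules for overly permissive accepts of NEW connections.

Added example, not from the mailing-list thread. Understands the plain
`iptables -A CHAIN ...` rule form used there; `-m state --state` and the
conntrack `--ctstate` spelling are treated alike.
"""
import shlex

# Matches that narrow a rule to particular traffic. Anything else
# (-m, module names, negation) is treated as neutral.
NARROWING = {
    "-p", "--protocol", "-s", "--source", "-d", "--destination",
    "-i", "--in-interface", "-o", "--out-interface",
    "--dport", "--destination-port", "--sport", "--source-port",
}

# Finding texts are constructed for this example.
MSG_UNRESTRICTED = ("accepts NEW connections with no protocol, port, "
                    "address or interface restriction")
MSG_NO_SYN = ("accepts NEW TCP without --syn/--tcp-flags, so a non-SYN "
              "first packet can still create connection state")


def parse_rule(rule):
    """Reduce one rule line to the fields the lint needs."""
    toks = shlex.split(rule)
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    r = {"chain": None, "target": None, "proto": None,
         "states": set(), "narrowing": set(), "syn": False}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "--append", "-I", "--insert"):
            r["chain"] = toks[i + 1]
            i += 2
        elif t in ("-j", "--jump"):
            r["target"] = toks[i + 1]
            i += 2
        elif t in ("--state", "--ctstate"):
            r["states"] = {s.strip().upper() for s in toks[i + 1].split(",")}
            i += 2
        elif t in ("-p", "--protocol"):
            r["proto"] = toks[i + 1].lower()
            r["narrowing"].add(t)
            i += 2
        elif t == "--syn":
            r["syn"] = True
            i += 1
        elif t == "--tcp-flags":
            # --tcp-flags MASK COMP: two values follow the option
            r["syn"] = True
            i += 3
        elif t in NARROWING:
            r["narrowing"].add(t)
            i += 2
        else:
            i += 1
    return r


def lint(rule):
    """Return a list of findings for one rule (empty list = nothing to flag)."""
    r = parse_rule(rule)
    findings = []
    if r["target"] != "ACCEPT" or "NEW" not in r["states"]:
        return findings  # only accepts of NEW connections are of interest
    if not r["narrowing"]:
        findings.append(MSG_UNRESTRICTED)
    if r["proto"] == "tcp" and not r["syn"]:
        findings.append(MSG_NO_SYN)
    return findings


# Constructed sample rule set; the first line is the one quoted in the thread.
SAMPLE_RULES = [
    "iptables -A FORWARD -m state --state NEW -j ACCEPT",
    "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A FORWARD -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT",
    "iptables -A FORWARD -i eth0 -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        for finding in lint(rule):
            print(f"{rule}\n    -> {finding}")
```

Run against the sample set, the typo rule from the thread is flagged as unrestricted, the ESTABLISHED,RELATED version passes, and the two port-80 rules differ only in whether `--syn` is present.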