On Sun, 2005-02-13 at 07:28, Jose Maria Lopez Hernandez wrote:
> On Fri, 11-02-2005 at 08:24 -0500, Jason Opperisano wrote:
> > # allow input packets that are part of an established connection
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > # allow HTTP requests in
> > iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
>
> Sorry, I've seen in some of your answers that you never use
> -m state --state NEW. Could you tell me why?

for the sake of clarity.  when someone asks, "how do i allow http into
my machine" it seems clearer to say:

  iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT

rather than:

  iptables -A INPUT -m state --state NEW -p tcp --syn \
    --sport 1024:65535 --dport 80 -j ACCEPT

you're not going to make me add a disclaimer to all my posts that says
"any rules are included to clarify a point of discussion.  do not use
the rules posted without understanding the full security implications
of such an act.  firewall rules lasting more than four hours require
medical attention."

> I am updating
> my firewall and I'm very confused with this, because you
> seem to know everything about Netfilter and iptables,

heh heh--thanks, i needed a laugh.

> and
> I am using the NEW state in all my rules. Should I do it
> or should I not?

i do.

> And by the way, should I use the --syn
> flag?

i do.

-j

--
"I'm not a bad guy!  I work hard, and I love my kids.  So why should I
spend half my Sunday hearing about how I'm going to Hell?"
        --The Simpsons
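Added example, not from the post above or its author: a small script that writes out a minimal stateful INPUT policy in iptables-restore format, using both the --syn flag and the NEW state match on the HTTP rule, which is the combination the reply says its author uses. The two matches are not equivalent: --syn tests the TCP flags of the packet itself, while NEW is a conntrack verdict meaning "first packet of a connection conntrack has not seen", and with loose TCP pickup enabled (net.netfilter.nf_conntrack_tcp_loose, ip_conntrack_tcp_loose on 2.4/2.6-era kernels) a mid-stream ACK can also be classified NEW. The ruleset therefore drops NEW-but-not-SYN TCP packets before the per-port rules. Assumptions (all mine, not the page's): a single host with loopback open, a default DROP on INPUT and FORWARD, and nothing else needed; the function names and the --apply switch are hypothetical. Loading only happens when run as root with iptables-restore present; otherwise the ruleset is printed for review.

```shell
#!/bin/sh
# Added example: build and optionally load a minimal stateful INPUT policy.
# Not the original poster's ruleset; assumptions are noted inline.

# Emit the ruleset in iptables-restore syntax (one table, one COMMIT).
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# assumption: loopback traffic is trusted
-A INPUT -i lo -j ACCEPT
# packets belonging to connections conntrack already tracks (or related to them)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# conntrack may call a non-SYN TCP packet NEW (loose pickup of a mid-stream
# connection); such a packet is not a legitimate connection start, so drop it
# before any port-specific accept rule can match it
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# allow new HTTP connections in: must be a bare SYN AND unknown to conntrack
-A INPUT -p tcp --syn -m state --state NEW --dport 80 -j ACCEPT
COMMIT
EOF
}

# Sanity check used below: number of rules that mention port 80.
count_http_rules() {
    build_ruleset | grep -c -- '--dport 80'
}

# Sanity check: does the set contain the NEW-but-not-SYN drop rule?
has_non_syn_new_drop() {
    build_ruleset | grep -q -- '! --syn -m state --state NEW -j DROP'
}

# Load the ruleset when possible, otherwise print it for review.
apply_ruleset() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        build_ruleset | iptables-restore
    else
        build_ruleset
    fi
}

# Hypothetical switch: "./firewall.sh --apply" loads (as root) or prints.
if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
fi
```

Run it without arguments to see nothing, with --apply as root to load, or pipe build_ruleset through `iptables-restore --test` (where that option exists) to syntax-check before committing. The order matters: the ESTABLISHED,RELATED rule first so the bulk of traffic is accepted cheaply, the non-SYN NEW drop next, and only then the per-port accepts.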