On Sun, 2005-02-13 at 07:28, Jose Maria Lopez Hernandez wrote:
> El vie, 11-02-2005 a las 08:24 -0500, Jason Opperisano escribiÃ:
> > # allow input packets that are part of an established connection
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > # allow HTTP requests in
> > iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
>
> Sorry, I've seen in some of your answers that you never use
> -m state --state NEW. Could you tell me why?
for the sake of clarity. when someone asks, "how do i allow http into
my machine" it seems clearer to say:
iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
rather than:
iptables -A INPUT -m state --state NEW -p tcp --syn \
--sport 1024:65535 --dport 80 -j ACCEPT
you're not going to make me add a disclaimer to all my posts that says
"any rules are included to clarify a point of discussion. do not use
the rules posted without understanding the full security implications of
such an act. firewall rules lasting more than four hours require
medical attention."
> I am updating
> my firewall and I'm very confused with this, because you
> seem to know everything about Netfilter and iptables,
heh heh--thanks, i needed a laugh.
> and
> I am using the NEW state in all my rules. Should I do it
> or should I not?
i do.
> And by the way, should I use the --syn
> flag?
i do.
-j
--
"I'm not a bad guy! I work hard, and I love my kids. So why should
I spend half my Sunday hearing about how I'm going to Hell?"
--The Simpsons
