I think I am still a bit confused...I understand what you are saying about why established and related would be needed for return packets, except... For example on a Checkpoint or PIX you would NOT need the established or related rules. They are aware that a conversation has started and will let return packets in....of course, it is possible that there is an implicit rule on a Checkpoint or PIX that is "hidden" that allows established and related and the user just doesn't see this and in iptables you do...but I thought this was part of the state engine. Thanks again and sorry for my lack of understanding of the iptables code...however I think it's a fantastic security system, just trying to get my hands around it. Jeff Ginter, CISSP Computer Associates Mid-Atlantic Consulting Manager tel: +1 908 874-9726 cell: +1 609 577-1494 jeff.ginter@xxxxxx -----Original Message----- From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Daniel Lopes Sent: Friday, June 03, 2005 9:24 AM Cc: netfilter@xxxxxxxxxxxxxxxxxxx Subject: Re: 2 Questions--state (est, rel) and tuning Ginter, Jeff A schrieb: > Hello, > > > > I am brand new to the list and couldn't find an easy way to browse the > whole archive, so my apologies if this has been discussed (as it > probably has). > > > > I understand the state concepts, however, I keep seeing example iptable > scripts with the first rule in each chain being something like....ACCEPT > related and established packets. > > > > My first question is...Is that really needed? In my other experiences > with stateful firewalls this rule is not needed because the firewall > remembers the outgoing packet and the rule is implied...or do I have > this very wrong? > Hmm you often will see a default policy of DROP in the filter tables. So related to the strategy deny all allow needed. Then new connections from inside to outside are explicitly allowed with the NEW state. Then when answer packets come back in and reach a filter table and there is no rule to handle them they will be dropped. Therefor there are the EST. and REL. states to allow that packets because they should be save enough as new conns. are only allowed/initiated from inside to outside. Surely it doensn´t prevent a machine with a freaking worm to spread out ;). > > > > My second question, which may not be totally applicable for this list > is...I have my netfilter/iptables set up on a Redhat 4 Ent WS box...are > the following parameters for hardening still useful and applicable with > the current kernel and distro? > > > > net.ipv4.tcp_syncookies = 1 > net.ipv4.conf.all.accept_source_route = 0 > net.ipv4.conf.all.accept_redirects = 0 > net.ipv4.conf.all.rp_filter = 1 > net.ipv4.icmp_echo_ignore_all = 1 = 1 > net.ipv4.icmp_echo_ignore_broadcasts = 1 > net.ipv4.icmp_ignore_bogus_error_responses = 1 > net.ipv4.conf.all.log_martians = 1 > Yes they are. > > > Thanks very much for any help! > > > > > > > > Jeff Ginter, CISSP > > Computer Associates > > Mid-Atlantic Consulting Manager > > tel: +1 908 874-9726 > > cell: +1 609 577-1494 > > jeff.ginter@xxxxxx > > > > > >
