On Fri, 2005-06-10 at 15:33 -0400, Jason Opperisano wrote: > > In practice I know that that's not true because when I use the first > > rule without accepting RELATED or ESTABLISHED, I *cannot* connect to > > sshd. When I add the RELATED,ESTABLISHED accept rule, I *can* connect to > > sshd. (And this is how I would expect it to work.) > > i would question your testing methodology, as you can run a functional > iptables firewall without using state matches at all. Hmm. True. I tested this before I sent the email and I had the following rules : -P INPUT DROP -P OUTPUT ACCEPT -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT # Skip a few rules that allow other services ; # these should not interfere the test I could not connect from any of my PC's. When I added : -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT I could connect from any of my PC's. > > So, what is the difference in specifying and not specifying --state NEW > > in a rule ? > > the difference is whether you want to match only NEW packets or not. > commercial firewalls like Cisco PIX and Check Point FW-1 enforce > something along the lines of: > > -p tcp --tcp-flags ALL SYN -m state --state NEW > > in the decision of whether a packet should be allowed to traverse the > filter rules or not. > > in the world of netfilter--you write the rules, you decide how specific > the match will be. if you want to say, this rule only matches NEW TCP > SYN packets, then use a construct like the above--you can even use > variables to simplify your scripts, like so: > > TCP_REQ="-p tcp --tcp-flags ALL SYN -m state --state NEW" > iptables -A INPUT $TCP_REQ --dport 22 -j ACCEPT === From next post === > just tested: > > # iptables-save > # Generated by iptables-save v1.3.1 on Sat Jun 11 01:47:21 2005 > *filter > :INPUT DROP [13:1519] > :FORWARD ACCEPT [0:0] > :OUTPUT ACCEPT [88:8463] > -A INPUT -p icmp -j ACCEPT > -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT > COMMIT > # Completed on Sat Jun 11 01:47:21 2005 > > i can both ping and ssh to this machine. the only thing i can > think of that would lead you to believe that you need the "--state > RELATED,ESTABLISHED" rule in INPUT is because without it--the replies > to the OUTPUT packets will be dropped. things like responses to DNS > queries which will make your ssh connection take much longer if you > have "UseDNS yes" in sshd_config. just a thought. <me slaps self with a big hammer> UseDNS *is* set... Thanks for explaining. Gr, Rob
