On Mon, 2005-08-15 at 23:32 +1200, Michael Hallager wrote:
> AS FOLLOWS: (Oops, my mistake!)
>
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -d 202.150.101.225 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -d 202.150.101.225 -p tcp -m layer7 --l7proto smtp -m tcp --dport 25 -j ACCEPT

l7 filtering is completely useless here. In fact, l7 is able to detect a protocol after a few packets, so your

  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

takes precedence over the l7 rules. Furthermore (I may be mistaken), the match is often done on the reply, thus filtering on OUTPUT is necessary.

One other point is: why do you need to check the protocol running on your own computer?

BR,
--
Eric Leblond <eric@xxxxxx>
INL
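The rule-ordering point above, as an added example that is not code from this thread nor from netfilter or l7-filter: a small Python model of the quoted INPUT chain that walks one inbound SMTP connection through the rules in order. The Rule/Packet classes, the parser (which only understands the options present in the quoted rules), the packet sequence and the assumption that an `-m layer7 --l7proto X` match fails while the connection is still unclassified are all constructed for this illustration.

```python
"""Added example (not from the thread or from netfilter/l7-filter): model the
quoted INPUT chain and show that the -m layer7 rule can never be reached.

Assumptions made here:
  * a Packet carries its conntrack state and what l7-filter has classified
    for the connection so far (None = not classified yet);
  * an --l7proto match does not match an unclassified connection.
"""
from __future__ import annotations
import shlex
from dataclasses import dataclass
from typing import Optional

# The ruleset quoted in the thread (iptables-save syntax).
RULESET = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 202.150.101.225 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 202.150.101.225 -p tcp -m layer7 --l7proto smtp -m tcp --dport 25 -j ACCEPT
"""


@dataclass
class Rule:
    """Subset of iptables matches used by the ruleset above."""
    text: str
    chain: str = ""
    iface: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: frozenset = frozenset()      # empty = no -m state match present
    l7proto: Optional[str] = None
    target: Optional[str] = None


@dataclass
class Packet:
    """Constructed packet view: conntrack state plus the l7-filter
    classification of the connection so far (None = not yet classified)."""
    iface: str
    dst: str
    proto: str
    dport: int
    state: str
    l7proto: Optional[str] = None


def parse_rules(text: str) -> list[Rule]:
    """Parse iptables-save style lines; only the options used above are known."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        toks = shlex.split(line)
        r = Rule(text=line)
        i = 0
        while i < len(toks):
            opt, val = toks[i], toks[i + 1]
            if opt == "-m":              # module name only; its options follow
                pass
            elif opt == "-A": r.chain = val
            elif opt == "-i": r.iface = val
            elif opt == "-d": r.dst = val
            elif opt == "-p": r.proto = val
            elif opt == "--dport": r.dport = int(val)
            elif opt == "--state": r.states = frozenset(val.split(","))
            elif opt == "--l7proto": r.l7proto = val
            elif opt == "-j": r.target = val
            else:
                raise ValueError(f"unsupported option {opt!r} in {line!r}")
            i += 2
        rules.append(r)
    return rules


def matches(r: Rule, p: Packet) -> bool:
    if r.iface is not None and r.iface != p.iface: return False
    if r.dst is not None and r.dst != p.dst: return False
    if r.proto is not None and r.proto != p.proto: return False
    if r.dport is not None and r.dport != p.dport: return False
    if r.states and p.state not in r.states: return False
    # Assumption: l7-filter cannot match until it has classified the connection.
    if r.l7proto is not None and p.l7proto != r.l7proto: return False
    return True


def first_match(rules: list[Rule], p: Packet) -> Optional[int]:
    """Index of the first matching rule, or None (the chain policy applies)."""
    for idx, r in enumerate(rules):
        if matches(r, p):
            return idx
    return None


def trace(rules: list[Rule], packets: list[Packet]) -> list[Optional[int]]:
    return [first_match(rules, p) for p in packets]


def shadowed_l7_rules(rules: list[Rule]) -> list[str]:
    """Static check: an -m layer7 rule preceded in its chain by an unconditional
    RELATED,ESTABLISHED ACCEPT only ever sees NEW packets, which l7-filter has
    not classified yet, so it can never match anything."""
    out = []
    for idx, r in enumerate(rules):
        if r.l7proto is None:
            continue
        for earlier in rules[:idx]:
            unconditional = all(v is None for v in
                                (earlier.iface, earlier.dst, earlier.proto,
                                 earlier.dport, earlier.l7proto))
            if (earlier.chain == r.chain and earlier.target == "ACCEPT"
                    and earlier.states == frozenset({"RELATED", "ESTABLISHED"})
                    and unconditional):
                out.append(r.text)
                break
    return out


# Constructed packet sequence for one inbound SMTP connection arriving on eth0.
SMTP_CONN = [
    Packet("eth0", "202.150.101.225", "tcp", 25, "NEW"),                  # SYN
    Packet("eth0", "202.150.101.225", "tcp", 25, "ESTABLISHED"),          # ACK
    Packet("eth0", "202.150.101.225", "tcp", 25, "ESTABLISHED", "smtp"),  # classified
]

if __name__ == "__main__":
    rules = parse_rules(RULESET)
    print("rule index hit per packet:", trace(rules, SMTP_CONN))  # [None, 1, 1]
    print("l7 rules that can never match:", shadowed_l7_rules(rules))
```

The trace shows the effect Eric describes: the SYN is NEW and still unclassified, so no rule matches it; every later packet is ESTABLISHED and is accepted by rule index 1 before the layer7 rule at index 3 is consulted. The static check flags exactly that rule. Under the same model, merely moving the layer7 rule ahead of the state rule still leaves the unclassified SYN unmatched, which is a quick way to sanity-check any reordering before loading it.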