Hello, Grant Taylor a écrit :
I personally have known that using "-m state --state ESTABLISHED,RELATED" was not the most secure thing to use for returning traffic. Namely this will allow you to make a valid connection to a web server, say to retrieve a picture. Then said web server could send malicious traffic back to your computer and pass through your firewall. This is because the traffic coming from the web server to your computer is now deemed as RELATED.
I do not agree with this. AFAIK the only traffic that can be labelled RELATED to an HTTP connection or any "simple" TCP or UDP or whatever connection (not special protocols such as FTP) is some ICMP signalling messages. This said, I do filter out some RELATED ICMP types I do not like.
"Hole punching" is a completely different thing and requires active cooperation from the inside.
