On Friday, 13 April 2007 at 12:02 +0200, Hugo Mildenberger wrote:

> "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
> This means to allow inbound connections having nothing in common with the
> initiating outbound connection, except for the ip-address pair used by the
> initiating connection, leaving your nominal firewalled systems exposed to any
> malicious site you accidentally stumble on, whereas using "ESTABLISHED" alone
> here would restrict connections to be outbound only.

On what ground do you base this statement? AFAIK, RELATED state applies to:

. expectations created by protocol helpers such as FTP or IRC, that therefore
  have "something in common with the initiating outbound connection";
. ICMP errors that match an existing conntrack entry, that again have a
  relation with previously allowed connections.

Behaviour you're referring to applies to the first category. As I have not
checked the code recently, could you specifically point to some modules that
create such unexpected and lax expectations? Those would indeed be a serious
security issue to me.

-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
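The two categories of RELATED traffic named in the reply above (helper expectations and ICMP errors tied to an existing conntrack entry) can be accepted separately instead of with one blanket ESTABLISHED,RELATED rule. The script below is an added example, not code from either poster; it assumes a current iptables with the conntrack and helper matches and the CT target (none of which the thread mentions), and it assumes FTP is the only helper you actually run. By default it only prints the rules it would load (IPT defaults to "echo iptables"); set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: accept RELATED traffic per category rather than wholesale.
# IPT defaults to a dry run that echoes each rule; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

related_rules() {
    # Replies to connections this host opened: ESTABLISHED only, as the
    # quoted poster suggests for an outbound-only policy.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # Category 2 from the reply: ICMP errors that match an existing
    # conntrack entry (e.g. port unreachable for a flow we started).
    $IPT -A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT

    # Category 1 from the reply: helper expectations, but only those created
    # by the helper we chose to run (FTP data channels here; assumption).
    $IPT -A INPUT -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT

    # Any other RELATED packet is logged and dropped, so an unexpected
    # expectation shows up in the logs instead of being silently accepted.
    $IPT -A INPUT -m conntrack --ctstate RELATED -j LOG --log-prefix "RELATED-other: "
    $IPT -A INPUT -m conntrack --ctstate RELATED -j DROP
}

helper_assignment() {
    # Attach the FTP helper only to control connections this host opens,
    # so expectations are created for flows we chose (assumes the CT target).
    $IPT -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
}

helper_assignment
related_rules
```

With IPT left at its default the script prints the ten rules for review; comparing that output against what `iptables-save` shows after loading is a quick way to confirm that no rule accepts RELATED without a protocol or helper qualifier.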