On Monday 2011-02-07 13:22, Carlos Cruz Luengo wrote:

>Hi,
>
>I am writing a firewall script and I have run into a doubt. Is it
>correct to allow already established and related connections by a set
>of rules like these at the beginning of the script...
>
>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>... and then only take care of NEW connections?

You can do all the things you want. Early exclusion is however nothing
new. The concept is http://iq0.com/notes/deep.nesting.html ("Else
considered harmful") and is also advocated by
http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
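The "early exclusion" layout from the question, written out as a complete iptables-restore ruleset. This is an added example, not code from the thread or from either participant; it uses the conntrack match (`-m conntrack --ctstate`), the current form of the `-m state` match in the question, and assumes a hypothetical host with WAN interface eth0 that offers TCP ports 22 and 80 and does no forwarding. It also adds the two checks a practitioner usually wants next to the early ESTABLISHED,RELATED accept: dropping INVALID packets (which are neither NEW nor ESTABLISHED and would otherwise fall through to the NEW rules) and refusing NEW TCP packets that do not carry SYN.

```shell
#!/bin/sh
# Added example (not from the original thread): an iptables-restore ruleset
# using the early-exclusion layout, so that everything after the first block
# only has to deal with NEW connections.
# Hypothetical assumptions: WAN interface eth0, services on TCP 22 and 80,
# no forwarding. Override with WAN_IF=... ALLOWED_TCP_PORTS="..." if needed.

WAN_IF="${WAN_IF:-eth0}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 80}"

# Print the ruleset in iptables-restore format (lines starting with '#' are
# ignored by iptables-restore, so the comments can stay in the file).
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# 1. Early exclusion: packets of known connections are accepted here, so the
#    rules below only ever see the first packet of a connection.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 2. INVALID is neither NEW nor ESTABLISHED; drop it here instead of letting
#    it fall through to the NEW rules.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# 3. With nf_conntrack_tcp_loose a mid-stream TCP packet can be classified
#    NEW; a genuinely new connection starts with a SYN.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# 4. Only NEW traffic remains: loopback, offered services, ping, and all
#    outbound connections.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
EOF
    for p in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Structural check on the generated text: every ESTABLISHED,RELATED accept
# must precede the first rule that matches on NEW. If that order is broken,
# the "NEW only" rules would silently have to handle reply traffic as well.
check_order() {
    first_new=$(gen_ruleset | grep -n 'ctstate NEW' | head -n 1 | cut -d: -f1)
    last_est=$(gen_ruleset | grep -n 'ESTABLISHED,RELATED' | tail -n 1 | cut -d: -f1)
    [ -n "$first_new" ] && [ -n "$last_est" ] && [ "$last_est" -lt "$first_new" ]
}
```

To load it, write the output to a file and run `iptables-restore --test rules.v4` first; `--test` parses the file and checks it against the installed modules without touching the live ruleset, so a typo in the generated text does not leave the box with a half-applied DROP policy.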