Hi,

Basically, you are on the right "track" with your thoughts ... the slight difference is that it will not match RELATED, but rather ESTABLISHED for most (including TCP port 80).

So yes, you may choose to "shorten"

-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

to

-A INPUT -p tcp --dport 80 -j ACCEPT

Just be aware, like Neal Murphy wrote, that the last rule allows some states that you may not want to allow (mostly depending on how you have structured your rules prior to reaching this rule).

Best regards
André Paulsberg-Csibi
Senior Network Engineer
IBM Services AS

Sensitivity: Internal

-----Original message-----
From: netfilter-owner@xxxxxxxxxxxxxxx <netfilter-owner@xxxxxxxxxxxxxxx> On behalf of Stefanie Leisestreichler
Sent: Monday 15 October 2018 17:56
To: netfilter@xxxxxxxxxxxxxxx
Subject: Module conntrack question

Hi.

I have a general question about module conntrack.

Assume I have a firewall rule allowing all -m conntrack --ctstate RELATED,ESTABLISHED packets. Also assume I have another firewall rule with a simple definition like -A INPUT -p tcp --dport 80 -j ACCEPT, with no -m conntrack --ctstate NEW -j ACCEPT.

Will the traffic which wants to go to port 80 be identified as RELATED, even though I did not use -m conntrack --ctstate NEW in my rule allowing it to talk to port 80? Or will the traffic be rejected since the NEW packet was not handled by -m conntrack initially?

Thanks
Stefanie
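The behaviour discussed in this thread, as an added worked model that is not part of the list posts and not netfilter code: a reduced conntrack state machine walks a constructed HTTP handshake plus one stray packet through the two INPUT chains (with and without the --ctstate NEW match), showing that the SYN is NEW, the follow-up packets are ESTABLISHED, and only the shortened rule also accepts the INVALID packet. Addresses are constructed, and the model assumes nf_conntrack_tcp_loose=0 so that a packet with no tracked connection and no SYN is INVALID rather than picked up as NEW.

```python
# Constructed model of conntrack classification and INPUT-chain evaluation.
# Not netfilter code: TCP tracking is reduced to what the thread discusses,
# and nf_conntrack_tcp_loose=0 is assumed (untracked non-SYN packet -> INVALID).
NEW, ESTABLISHED, INVALID = "NEW", "ESTABLISHED", "INVALID"

def ctstate(p, table):
    """Classify packet p. table maps a 4-tuple to True once a reply was seen."""
    key = (p["src"], p["sport"], p["dst"], p["dport"])
    reverse = (p["dst"], p["dport"], p["src"], p["sport"])
    if key in table:
        return ESTABLISHED if table[key] else NEW   # retransmit before reply
    if reverse in table:
        table[reverse] = True                       # reply seen: both directions
        return ESTABLISHED
    if p["flags"] == "SYN":
        table[key] = False                          # first packet opens the entry
        return NEW
    return INVALID

def evaluate(p, state, rules, policy="DROP"):
    """Walk the INPUT chain: the first matching rule decides, else the policy."""
    for target, match in rules:
        if match.get("dport", p["dport"]) != p["dport"]:
            continue
        if "ctstate" in match and state not in match["ctstate"]:
            continue
        return target
    return policy

# -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
WITH_NEW = [("ACCEPT", {"ctstate": {ESTABLISHED, "RELATED"}}),
            ("ACCEPT", {"dport": 80, "ctstate": {NEW}})]
# Same first rule, then the shortened -A INPUT -p tcp --dport 80 -j ACCEPT
SHORTENED = [("ACCEPT", {"ctstate": {ESTABLISHED, "RELATED"}}),
             ("ACCEPT", {"dport": 80})]

def pkt(src, sport, dst, dport, flags, direction):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "dir": direction}

# Constructed trace: one HTTP handshake to this host (192.0.2.10), then a
# stray ACK from another client for which no handshake was ever seen.
TRACE = [pkt("198.51.100.7", 40000, "192.0.2.10", 80, "SYN", "in"),
         pkt("192.0.2.10", 80, "198.51.100.7", 40000, "SYN,ACK", "out"),
         pkt("198.51.100.7", 40000, "192.0.2.10", 80, "ACK", "in"),
         pkt("198.51.100.7", 40000, "192.0.2.10", 80, "PSH,ACK", "in"),
         pkt("198.51.100.9", 40001, "192.0.2.10", 80, "ACK", "in")]

def run(rules):
    """Return (flags, ctstate, verdict) for every inbound packet in TRACE."""
    table, verdicts = {}, []
    for p in TRACE:
        state = ctstate(p, table)            # conntrack sees both directions
        if p["dir"] == "in":                 # INPUT only sees inbound packets
            verdicts.append((p["flags"], state, evaluate(p, state, rules)))
    return verdicts
```

Running run(WITH_NEW) and run(SHORTENED) side by side gives identical verdicts for the handshake and data packets; they differ only on the final untracked ACK, which the state-less rule accepts.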