On 20.12.22 at 23:55, ToddAndMargo wrote:
> On 12/20/22 12:01, Reindl Harald wrote:
>> you need exactly ONE "-m conntrack --ctstate RELATED,ESTABLISHED -j
>> ACCEPT" rule as the first of your ruleset which handles UDP and TCP
>> (aka don't specify -p)
> [!] -p, --protocol protocol
> The protocol of the rule or of the packet to check.
> The specified protocol can be one of tcp, udp,
> udplite, icmp, icmpv6, esp, ah, sctp, mh or
> the special keyword "all"
> Is leaving off the "-p xxx" the same as "-p all"?
surely
> If so, I am not sure that I feel comfortable opening
> up "udplite, icmp, icmpv6, esp, ah, sctp, mh"
> as well.
you do not open anything - when you don't even understand that
"RELATED,ESTABLISHED" only hits RESPONSE packets and so there must have
been any rule accepting the initial packet of a connection please
refrain from setting up firewall rules
how do you imagine an ESTABLISHED state packet can exist in a protocol you
didn't accept the initial connect packet for?
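As an added illustration of the ordering described in this thread (example code, not from either poster): a minimal IPv4 INPUT policy in iptables-restore format. The protocol-less RELATED,ESTABLISHED rule comes first, and the only rules that carry a -p are the ones accepting the initial (NEW) packet of a connection; with the chain policy set to DROP, any protocol without such a rule never gets a conntrack entry and therefore never matches ESTABLISHED. The service ports (22/tcp, ICMP echo) are assumed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal IPv4 INPUT policy in
# iptables-restore format that follows the advice above.
set -eu

build_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Rule 1: reply traffic for any protocol conntrack tracks. No -p here: the
# match is on connection state, so it cannot "open" a protocol by itself.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Drop packets conntrack cannot classify (e.g. a stray ACK with no flow).
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Rules for the INITIAL packet of a connection: these, and only these,
# decide which services are reachable. Everything else falls to the DROP
# policy and therefore never produces an ESTABLISHED entry.
# (Port 22 and ICMP echo are assumed services for this example.)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity checks that run without root or iptables present.
# The first INPUT rule must be the state rule, with no -p.
first_input_rule() {
  build_ruleset | grep '^-A INPUT' | head -n 1
}

# Count INPUT rules that accept NEW connections; with policy DROP this
# is the complete list of what is reachable from outside.
count_new_accepts() {
  build_ruleset | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Load the ruleset only when iptables-restore exists and we are root;
# --test parses the ruleset without applying it, so a typo is caught
# before the real load.
apply_ruleset() {
  if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
  else
    echo "iptables-restore not available or not root; ruleset not applied" >&2
    return 0
  fi
}
```

Run `apply_ruleset` as root to load the policy; `first_input_rule` and `count_new_accepts` can be used in a pre-commit check to make sure the state rule stays at the top and the list of NEW-accepting rules has not grown unexpectedly.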