[Firehol-support] are the generated rules optimized?
Costa Tsaousis
costa at tsaousis.gr
Thu Mar 13 23:00:28 GMT 2003
Hi Bernhard,
The two are not the same. The first says allow ESTABLISHED connections
from/to specific ports, while the second says allow ALL ESTABLISHED
connections.
The second could mean that ESTABLISHED connections that the firewall
should not allow to be connected could remain operational when the
firewall is started/restarted.
FireHOL has been designed so that it can be restarted/modified on a
running system without allowing more than it should do and without
disrupting any running connections.
--
Costa Tsaousis
Bernhard Gruen said:
> Hi,
>
> I have a question about some generated rules on my firewall setup. There
> is a rule:
> -A in_home_samba_c21 -p tcp -m tcp --sport 139 --dport 1024:4999 -m
> state --state ESTABLISHED -j ACCEPT
>
> now I am thinking that a rule like
> -A in_home_samba_c21 --state ESTABLISHED, RELATED -j ACCEPT
> should do the same job? Am I right?
> I think this because a (related) packet that is from a established
> connection is already checked by the tcp/ip protocol (tcp sequence
> number and so on).
>
>
> Bernhard
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
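The difference Costa describes, modelled as an added example (not FireHOL or iptables code, and not part of this thread): a tiny rule matcher that evaluates the port-restricted ESTABLISHED rule Bernhard quoted and the blanket ESTABLISHED,RELATED rule he proposed against the same constructed conntrack entries. The flows, the chain policy of DROP and the helper names are all assumptions made here to illustrate the point; the "stale" flow stands for a connection that was open before a firewall restart but that the new ruleset never intended to permit.

```python
"""Toy model of a netfilter chain with state matching (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    state: str          # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass(frozen=True)
class Rule:
    """One ACCEPT rule; None means the match is not restricted on that field."""
    states: FrozenSet[str]
    proto: Optional[str] = None
    sport: Optional[int] = None
    dports: Optional[Tuple[int, int]] = None   # inclusive range, like --dport lo:hi

    def matches(self, pkt: Packet) -> bool:
        if pkt.state not in self.states:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dports is not None and not (self.dports[0] <= pkt.dport <= self.dports[1]):
            return False
        return True


def verdict(chain: List[Rule], pkt: Packet) -> str:
    """First matching ACCEPT rule wins; otherwise the assumed chain policy (DROP) applies."""
    for rule in chain:
        if rule.matches(pkt):
            return "ACCEPT"
    return "DROP"


# The rule Bernhard quoted: ESTABLISHED, but only from sport 139 to dports 1024:4999.
PORT_RESTRICTED = [Rule(frozenset({"ESTABLISHED"}), proto="tcp", sport=139, dports=(1024, 4999))]

# The shorthand he proposed: every ESTABLISHED or RELATED packet, whatever the ports.
BLANKET = [Rule(frozenset({"ESTABLISHED", "RELATED"}))]

# Constructed conntrack entries seen right after a firewall restart (hypothetical flows).
REPLY_FROM_SAMBA = Packet("tcp", 139, 2048, "ESTABLISHED")   # reply traffic the policy intends to allow
STALE_OTHER_FLOW = Packet("tcp", 8080, 3333, "ESTABLISHED")  # open before the restart, not in the new policy
FRESH_CONNECTION = Packet("tcp", 139, 2048, "NEW")           # a brand-new connection, handled by other rules


def surviving_flows(chain: List[Rule], flows: List[Packet]) -> List[Packet]:
    """Return the flows a chain lets through, so the two chains can be compared on equal input."""
    return [f for f in flows if verdict(chain, f) == "ACCEPT"]


if __name__ == "__main__":
    flows = [REPLY_FROM_SAMBA, STALE_OTHER_FLOW, FRESH_CONNECTION]
    print("port-restricted accepts:", surviving_flows(PORT_RESTRICTED, flows))
    print("blanket accepts        :", surviving_flows(BLANKET, flows))
```

Both chains pass the Samba reply and drop the NEW packet, but only the blanket chain keeps the stale flow alive: conntrack still marks it ESTABLISHED, and the rule checks nothing beyond that state. The port-restricted form re-applies the intended policy to every packet, which is why a restart with it cannot leave through more than the ruleset allows.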