Thus spoke Pascal Hambourg <[EMAIL PROTECTED]> [2006.07.04.1222 +0200]:
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -m conntrack --ctstate NEW -p tcp --syn -j open-tcp-ports
> > -A INPUT -m conntrack --ctstate NEW -p udp -j open-udp-ports
> >
> > -A open-tcp-ports --dport 22 -j ACCEPT
>
> Yes. You just need to add the protocol match (-p tcp) again, because the
> --dport match is valid only with TCP and UDP.
Right. One other question before I go and try out what I learnt today: on
the basis that it's not okay to drop bad packets before accepting good
packets, the following would not be okay even though they're logically
equivalent?

  accept ESTABLISHED,RELATED
  drop INVALID
  accept NEW --dport ssh --syn
  drop

and

  accept ESTABLISHED,RELATED
  drop INVALID
  drop ! NEW
  drop ! --syn
  accept --dport ssh
  drop

?

Thanks guys for your patience. ... and I thought I had moderately
understood this stuff.

-- 
Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

"an intellectual is someone who has found something more interesting
 than sex."
                                                       -- edgar wallace
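As an added example (not code from the mail or its thread), a small Python model of netfilter first-match evaluation, reduced to the conntrack state, the protocol, the SYN flag and the destination port. The rule encoding, the helper names and the packet space are assumptions made for the illustration. It enumerates every packet in that space and returns the ones on which the two chains in the question give different verdicts, which is the equivalence the question takes for granted, and it refuses a `--dport` or `--syn` match that has no matching `-p` protocol, the load-time error Pascal's reply points at.

```python
# Added example: a first-match model of the two INPUT chains from the mail.
# Not the mail's own code.  Netfilter is simplified to four packet fields:
# ctstate, proto, syn and dport.  The chain's policy is assumed to be DROP.

from itertools import product

STATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID")  # conntrack states modelled


def rule(verdict, state=None, proto=None, syn=None, dport=None):
    """Build one rule.

    state : (negated, set_of_ctstates) or None   -> [!] --ctstate A,B
    proto : "tcp", "udp" or None                  -> -p proto
    syn   : True / False / None                   -> --syn / ! --syn
    dport : int or None                           -> --dport N

    The two ValueErrors mirror what iptables rejects at load time for the
    protocols discussed in the mail: --dport needs -p tcp or -p udp,
    --syn needs -p tcp.
    """
    if dport is not None and proto not in ("tcp", "udp"):
        raise ValueError("--dport is valid only with -p tcp or -p udp")
    if syn is not None and proto != "tcp":
        raise ValueError("--syn is valid only with -p tcp")
    return {"verdict": verdict, "state": state, "proto": proto,
            "syn": syn, "dport": dport}


def matches(r, pkt):
    """True if every match in rule r holds for packet pkt."""
    if r["state"] is not None:
        negated, allowed = r["state"]
        if (pkt["ctstate"] in allowed) == negated:
            return False
    if r["proto"] is not None and pkt["proto"] != r["proto"]:
        return False
    if r["syn"] is not None and pkt["syn"] != r["syn"]:
        return False
    if r["dport"] is not None and pkt["dport"] != r["dport"]:
        return False
    return True


def evaluate(chain, pkt, policy="DROP"):
    """First matching rule decides; otherwise the chain policy applies."""
    for r in chain:
        if matches(r, pkt):
            return r["verdict"]
    return policy


# First ruleset from the question: accept the good, drop INVALID, accept
# new SSH SYNs, drop everything else.  -p tcp is written out explicitly.
CHAIN_A = [
    rule("ACCEPT", state=(False, {"ESTABLISHED", "RELATED"})),
    rule("DROP", state=(False, {"INVALID"})),
    rule("ACCEPT", state=(False, {"NEW"}), proto="tcp", syn=True, dport=22),
    rule("DROP"),
]

# Second ruleset: same opening, then negative matches before the accept.
CHAIN_B = [
    rule("ACCEPT", state=(False, {"ESTABLISHED", "RELATED"})),
    rule("DROP", state=(False, {"INVALID"})),
    rule("DROP", state=(True, {"NEW"})),          # drop ! NEW
    rule("DROP", proto="tcp", syn=False),          # drop -p tcp ! --syn
    rule("ACCEPT", proto="tcp", dport=22),         # accept -p tcp --dport ssh
    rule("DROP"),
]


def all_packets():
    """Constructed packet space: every combination of the modelled fields."""
    for ctstate, proto, syn, dport in product(STATES, ("tcp", "udp"),
                                              (True, False), (22, 80)):
        yield {"ctstate": ctstate, "proto": proto, "syn": syn, "dport": dport}


def differing_packets(chain_a, chain_b):
    """Packets on which the two chains disagree; empty if they are equivalent."""
    return [p for p in all_packets()
            if evaluate(chain_a, p) != evaluate(chain_b, p)]


if __name__ == "__main__":
    diff = differing_packets(CHAIN_A, CHAIN_B)
    print("chains agree on all packets" if not diff else diff)
```

Dropping a rule's `-p tcp` in either chain makes `rule()` raise, which is the same outcome iptables gives at load time for the `open-tcp-ports` rule quoted above.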