No no. I have been having the problem for quite a few days :( Besides, I also use the www.mirror.ac.uk service too!

----- Original Message -----
From: "Desai, Jason" <[EMAIL PROTECTED]>
To: <debian-security@lists.debian.org>
Sent: Tuesday, March 11, 2003 5:48 PM
Subject: RE: iptables and apt-get

> Hi. My guess is that security.debian.org was not available when you tried
> it (there were other posts to this list indicating that the server was
> down). So you were getting icmp errors back. The RELATED state allows
> this. If security.debian.org was up and running, you probably would not
> have had any errors at all.
>
> Jason
>
> > -----Original Message-----
> > From: Victor Calzado Mayo [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, March 11, 2003 11:31 AM
> > To: debian-security@lists.debian.org
> > Subject: Re: iptables and apt-get
> >
> > Hi there
> > On Tuesday 11 March 2003 15:48, Ian Goodall wrote:
> > > All is fine now. Adding the line:
> > >
> > > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > >
> > > fixes the problem. Does anyone know what this line does? I found this using
> > > an online script generator at http://www.iptables.1go.dk/index1.php.
> >
> > You are probably using some ftp server in your sources.list, ftp and probably
> > you are using the so-called active ftp; in this kind of connection the server
> > itself initiates the data transfer connection with the client host (so, SYNs
> > are sent directly from server to client, and in a firewalled environment
> > they are dropped).
> >
> > The added rule takes care of this kind of connection, telling iptables that
> > SYNs sent from the ftp server to the client host are related to an
> > established ftp connection opened from the client host to the server and
> > should be permitted (even when they come with a SYN request from the server)
> > (it acts like a state module (somehow related to ip_masq modules to ftp,
> > quake or irc) that ensures that this kind of connections (that used a range of
> > ports higher than 1023, but not assigned until the connection is established)
> >
> > I hope it helps, excuse my English and have a look at the Netfilter Howto; any
> > good page about ftp servers in firewalled environments will help too. Have a
> > look at:
> >
> > http://slacksite.com/other/ftp.html
> >
> > And if you are very very interested you can always look for the ftp rfc.
> >
> > > Thanks for all your help. This is the sort of thing that this list should
> > > be used for instead of debating what should be on it / other spam :)
> > > ----- Original Message -----
> >
> > Kind Regards
> > Victor
> >
> > > From: "I.R.van Dongen" <[EMAIL PROTECTED]>
> > > To: "Ian Goodall" <[EMAIL PROTECTED]>
> > > Cc: <debian-security@lists.debian.org>
> > > Sent: Tuesday, March 11, 2003 12:59 PM
> > > Subject: Re: iptables and apt-get
> > >
> > > > iptables -A OUTPUT -p tcp -d <mirror>/32 --dport 80 -j ACCEPT
> > > >
> > > > On Tue, 11 Mar 2003 00:45:48 -0000
> > > > "Ian Goodall" <[EMAIL PROTECTED]> wrote:
> > > > > Hi Guys,
> > > > >
> > > > > I am setting up iptables on my debian woody box. I have decided to close
> > > > > everything and then open up just ssh and ssl. This obviously prevents my
> > > > > apt-get update from working. What ports do I need to open for this to work?
> > > > > If it helps I am going through a proxy to get to the internet.
> > > > >
> > > > > Thanks
> > > > >
> > > > > ijg0
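
The behaviour discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model (not netfilter's actual code) of how the state match classifies inbound packets under a default-drop INPUT policy. It covers the reply traffic, the ICMP errors and the active-FTP data connection mentioned above; the `Conntrack` class, the addresses and the port numbers are constructed for illustration.

```python
"""Simplified model of the iptables state match (not netfilter's real code)."""
from collections import namedtuple

# A packet reduced to the fields the model needs; icmp_about carries the
# (src, sport, dst, dport) of the original packet quoted inside an ICMP error.
Packet = namedtuple("Packet", "proto src sport dst dport icmp_about", defaults=(None,))


class Conntrack:
    def __init__(self):
        self.flows = set()     # flows this host opened: (proto, local, lport, remote, rport)
        self.expected = set()  # (remote, local, lport) registered by a helper

    def outbound(self, pkt):
        """OUTPUT path: remember every connection the host itself starts."""
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def expect(self, remote, local, lport):
        """What an FTP helper does after seeing a PORT command on a tracked flow."""
        self.expected.add((remote, local, lport))

    def state(self, pkt):
        """Classify an inbound packet the way the state match would."""
        if pkt.proto == "icmp" and pkt.icmp_about:
            src, sport, dst, dport = pkt.icmp_about
            if any((p, src, sport, dst, dport) in self.flows for p in ("tcp", "udp")):
                return "RELATED"      # error about a flow we opened
            return "INVALID"          # error about something we never sent
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ESTABLISHED"      # reply direction of a tracked flow
        if (pkt.src, pkt.dst, pkt.dport) in self.expected:
            return "RELATED"          # new connection a helper predicted
        return "NEW"


def input_verdict(ct, pkt, open_ports=(22, 443)):
    """INPUT chain: policy DROP, ssh/ssl open, plus the ESTABLISHED,RELATED rule."""
    if ct.state(pkt) in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if pkt.proto == "tcp" and pkt.dport in open_ports:
        return "ACCEPT"
    return "DROP"


if __name__ == "__main__":
    ct = Conntrack()
    host, mirror = "192.0.2.10", "198.51.100.7"           # constructed addresses
    ct.outbound(Packet("tcp", host, 40000, mirror, 80))   # apt-get opens HTTP
    print(input_verdict(ct, Packet("tcp", mirror, 80, host, 40000)))    # reply
    print(input_verdict(ct, Packet("tcp", mirror, 20, host, 40001)))    # unexpected SYN
```

In this model an inbound FTP data connection is only RELATED after `expect()` has been called, which mirrors the fact that the real rule depends on the FTP connection-tracking helper being loaded.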