Hi!

On Tuesday 05 July 2005 14:00, Daniel Pittman wrote:
> /sbin/iptables -t filter -A in_world_http_s1 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -t filter -A out_world_http_s1 -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Note that if you don't allow RELATED packets for _all_ connections, you will have to explicitly allow at least fragmentation-needed ICMP packets. Otherwise you will get problems with PMTU discovery, which will lead to other obscure problems. Allowing some other ICMP packets is probably a good idea as well (e.g. all destination-unreachable packets).

Cheers,
Stefan
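The two ways out of the problem Stefan describes, written up as an added example; this is not code from the thread or from either poster. The chain names in_world_http_s1 and out_world_http_s1 are the ones in the quoted rules. Everything else is assumed: that the chains hang off INPUT/OUTPUT with a DROP policy, the function names, and the IPT variable used so the script can be dry-run with IPTABLES=echo.

```shell
#!/bin/sh
# Added illustration, not code from the thread. Chain names come from the
# quoted rules; the DROP default policy and the wiring of these chains into
# INPUT/OUTPUT are assumptions. Set IPTABLES=echo to print instead of apply.
IPT=${IPTABLES:-/sbin/iptables}

# The quoted rule pair, unchanged: per-connection state only, no RELATED.
# An ICMP "fragmentation needed" error sent back for one of these flows is
# classified RELATED by conntrack, not ESTABLISHED, so with a DROP policy it
# never reaches the stack and path MTU discovery stalls.
http_rules_as_quoted() {
    $IPT -t filter -A in_world_http_s1 -p tcp --sport 1024:65535 --dport 80 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -t filter -A out_world_http_s1 -p tcp --sport 80 --dport 1024:65535 \
        -m state --state ESTABLISHED -j ACCEPT
}

# Fix 1 (explicit ICMP rules, the minimum Stefan asks for):
#   minimal  -> fragmentation-needed only (ICMP type 3, code 4)
#   all      -> every destination-unreachable (all of type 3), which subsumes it
# Usage: icmp_error_rules minimal|all chain [chain...]
# Add to both directions: the web server may also need to learn a smaller MTU.
icmp_error_rules() {
    scope=$1; shift
    case $scope in
        minimal) type=fragmentation-needed ;;
        all)     type=destination-unreachable ;;
        *) echo "usage: icmp_error_rules minimal|all chain..." >&2; return 2 ;;
    esac
    for chain in "$@"; do
        $IPT -t filter -A "$chain" -p icmp --icmp-type "$type" -j ACCEPT
    done
}

# Fix 2 (the "allow RELATED for all connections" alternative): conntrack
# only marks an ICMP error RELATED when the header embedded in it matches a
# tracked connection, so this is narrower than the stateless ICMP accept
# above even though it covers every protocol, not just HTTP.
related_rule() {
    for chain in "$@"; do
        $IPT -t filter -A "$chain" -m state --state RELATED -j ACCEPT
    done
}

# Apply only when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = apply ]; then
    http_rules_as_quoted
    icmp_error_rules all in_world_http_s1 out_world_http_s1
fi
```

Run it as `IPTABLES=echo sh pmtu-rules.sh apply` first to see the rules it would add, then as root without the override. Of the two fixes, the RELATED rule is the one to prefer on a box that can afford it: the stateless `-p icmp --icmp-type` accept takes an unreachable from any source, while RELATED ties each ICMP error to a connection the kernel is already tracking.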