On Wed, 1 Jun 2022 15:02:10 -0400 rhkra...@gmail.com wrote:

> > mick crane <mick.cr...@gmail.com> wrote:
> > > regarding firewall discussion I'm uncertain how firewalls are
> > > supposed to work.
> > > I think the idea is that nothing is accepted unless it is in
> > > response to a request.
> > > What's to stop some spurious instructions being sent in response
> > > to genuine request?
>
> Just for the record, what you described (nothing is accepted unless
> it is in response to a request) is more like the way that NAT worked
> (at least in its original incarnations). (I say it that way because
> I haven't kept up with NAT, so don't know how it may have changed).
>
It still should, with exceptions for certain special cases that use a
second (usually data) channel that has to be associated with the
request. FTP and many older VPNs are of this kind. An iptables-based
firewall does the same (it can also do NAT) if a RELATED rule exists.
If there is no such rule, only packets explicitly listed in the
firewall code will be allowed in. This is necessary with unsolicited
packets, i.e. the protocols allowed to bypass the firewall, e.g. ssh.

But the OP asked about malicious reply data, and neither iptables nor
NAT is equipped to detect this. Either a filtering proxy server (e.g.
http://e2guardian.org/cms/index.php) or the original requesting
application must deal with this.

-- 
Joe
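As an added illustration of the policy Joe describes (not code from the thread or from any of its participants): a script that emits an iptables-restore ruleset in which the INPUT chain drops everything by default, admits replies via ESTABLISHED, admits helper-associated second channels via RELATED, and lists the unsolicited services (ssh by default) explicitly. The second function covers the FTP caveat: since Linux 4.7 the kernel no longer attaches conntrack helpers automatically, so the ftp helper has to be assigned in the raw table for the RELATED match to recognise the data channel at all. IPv4 only, single host, and the port numbers are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes IPv4, a single
# host, and that the listed TCP ports (22 by default) are the only
# services that may receive unsolicited connections.

# firewall_rules PORT... : print an iptables-restore ruleset for the filter
# table. Everything inbound is dropped unless it is a reply (ESTABLISHED),
# a helper-tracked second channel (RELATED), or a NEW connection to one of
# the listed TCP ports.
firewall_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always trusted
-A INPUT -i lo -j ACCEPT
# replies to our own requests, plus RELATED traffic such as an FTP data
# channel or an ICMP error tied to a tracked connection
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# packets conntrack cannot match to any state are never a legitimate reply
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # the explicit exceptions: protocols allowed to bypass the reply-only rule
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# ftp_helper_rules : print the raw-table rule that assigns the ftp conntrack
# helper to outbound FTP control connections. Without it (and without the
# nf_conntrack_ftp module loaded) the RELATED match above will not
# recognise the incoming data channel of an active-mode transfer.
ftp_helper_rules() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp --dport 21 -j CT --helper ftp
COMMIT
EOF
}

# When run directly with port arguments, print both tables; review the
# output, then feed it to iptables-restore.
if [ $# -gt 0 ]; then
    ftp_helper_rules
    firewall_rules "$@"
fi
```

Run as `sh firewall.sh 22` to see the ruleset; the default ssh exception is the only NEW-state accept, and adding a second port (e.g. `sh firewall.sh 22 443`) adds one more explicit line while the reply-only rule stays unchanged.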