Caitlin Bestler wrote:
David S. Miller wrote:

I personally think allowing sockets to trump firewall rules
is an acceptable relaxation of the rules in order to simplify
the implementation.

I agree.  I have never seen a set of netfilter rules that
would block arbitrary packets *within* an established connection.

Technically you can create such rules, but every single set
of rules actually deployed that I have ever seen started with
a rule to pass all packets for established connections, and
then proceeded to control which connections could be initiated
or accepted.

Oh, there are plenty of examples of filtering within an established connection: input rules. I've seen "drop all packets from <these> IPs" type rules frequently. Victims of DoS use those kinds of rules to stop packets as early as possible.

        Jeff
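Both rule orderings discussed in the thread, written out as an added nftables example (not code from the thread or from the kernel); the addresses and ports are constructed placeholders:

```nft
# Added example: rule order decides whether packets belonging to an
# already-established connection are ever filtered.
table inet filter {
    set dos_sources {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }   # constructed example addresses
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Jeff's case: a source blacklist placed BEFORE the established
        # shortcut. It matches every packet from those addresses, including
        # segments that belong to an established TCP connection, so a socket
        # lookup that bypassed this chain for known flows would skip it.
        ip saddr @dos_sources counter drop

        # Caitlin's case: the usual first rule. Nothing below this line ever
        # sees a packet of an established or related flow.
        ct state established,related accept

        # From here on the rules only decide which connections may be opened.
        iif lo accept
        tcp dport { 22, 443 } ct state new accept
    }
}
```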

