TCLUG Archive

Re: [TCLUG:13767] IPCHAINS again...



Unlike CheckPoint, IPCHAINS isn't stateful, so you'll need to enable
inbound replies (the easiest is to do the -y flag in your inbound rule).

Fortunately, the upcoming IPTABLES is stateful and has flags for
"established" and "related."  I've been playing around with it for a while
and it can simplify the rulebase a great deal.

Peter Lukas

On Sun, 20 Feb 2000, Yaron wrote:

>   Hi,
> 
> On Sun, 20 Feb 2000, Nate Carlson wrote:
> 
> > > Consider using a rule like this:
> > > ipchains -A input -p tcp -s 0/0 -d 0/0 -j DENY -y -l
> > traffic you would like, including responses to anything you send out, with
> > the -j ACCEPT flag... read the HOWTO, it should tell you what you need to
> > know.
> 
> I don't want it to seem like I'm asking a RTFM, but I did read the HOWTO
> several times. I did see the SYN thing, but coming from a Checkpoint
> world, I assumed the firewall does that part on its own. Thank you both
> for pointing that out to me - everything seems to be going OK now.
> 
> -Yaron
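The difference between the two approaches discussed in this message, as an added example that is not part of the original thread: a simplified Python model of the quoted `-y` DENY rule next to a filter that tracks outbound connections, in the spirit of an "established" match. All class names, function names, addresses and ports are constructed for illustration, and the connection tracking is deliberately minimal.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False

def stateless_input(pkt: Packet) -> str:
    """Model of the quoted rule: DENY inbound TCP that matches -y, ACCEPT the rest.
    ipchains -y matches SYN set with ACK and FIN cleared."""
    if pkt.syn and not pkt.ack and not pkt.fin:
        return "DENY"
    return "ACCEPT"

class StatefulFilter:
    """Simplified connection tracking: remembers flows opened from the inside."""
    def __init__(self) -> None:
        self.flows = set()

    def output(self, pkt: Packet) -> str:
        # Store the tuple a legitimate reply will carry (addresses reversed).
        self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "ACCEPT"

    def input(self, pkt: Packet) -> str:
        # Only packets belonging to a known flow pass, whatever their flags.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return "ACCEPT" if key in self.flows else "DENY"

def compare() -> dict:
    """Run constructed inbound packets through both models."""
    fw = StatefulFilter()
    fw.output(Packet("192.0.2.10", 40000, "198.51.100.5", 80, syn=True))
    inbound = {
        "reply": Packet("198.51.100.5", 80, "192.0.2.10", 40000, syn=True, ack=True),
        "new_syn": Packet("203.0.113.9", 5555, "192.0.2.10", 22, syn=True),
        "stray_ack": Packet("203.0.113.9", 5555, "192.0.2.10", 22, ack=True),
    }
    return {name: (stateless_input(p), fw.input(p)) for name, p in inbound.items()}

if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:10} stateless={stateless:6} stateful={stateful}")
```

The stray ACK passes the flag-based rule because it is not a bare SYN, while the state-tracking filter drops it since no outbound flow matches.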