On Wed, 20 Dec 2000, Michael Rothwell wrote:
> Date: Wed, 20 Dec 2000 11:30:15 -0500
> From: Michael Rothwell <rothwell@holly-springs.nc.us>
> To: Michael H. Warfield <mhw@wittsend.com>
> Cc: linux-kernel@vger.kernel.org
> Subject: Re: iptables: "stateful inspection?"
>
> "Michael H. Warfield" wrote:
> > I think that's more than a little overstatement on your
> > part. It depends entirely on the application you intend to put
> > it to.
>
> Fine. How do I make FTP work through it? How can I allow all outgoing
> TCP connections without opening the network to inbound connections on
> the ports of desired services?
>
for the issue of outbound TCP connections you can set ipchains filters
based on the Syn flag to prevent inbound connections.
for FTP I don't know off the top of my head how to do it when not
masquerading, when NAT is turned on load the FTP masq helper module and it
will allow you to do ftp out with no problems.
the real point that you need the stateful filtering is on UDP ports. for
that again I don't know any way when not doing NAT, but when NAT is
enabled it does do basic stateful filtering (but watch out for timeouts)
David Lang
> > Yes it does. It's clearly stated in all the documentation
> > on netfilter and in it's design. Read the fine manual (or web site)
> > and you would have uncovered this (or been run over by it) for yourself.
> >
> > http://netfilter.filewatcher.org/
>
> Thanks.
>
> -M
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> Please read the FAQ at http://www.tux.org/lkml/
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat Dec 23 2000 - 21:00:27 EST