Re: IPChains rules

["Stephen J. Turnbull" <turnbull@example.com>]

>>>>> "Tobias" == Tobias Diedrich <ranma@example.com> writes:

    Tobias> AFAIK No. At least not the "Allow only known existing
    Tobias> incoming connections" part. You need to know the State of
    Tobias> the Connection for that.

Ah, OK.  You _can_ ignore connection attempts on TCP ports, I thought
that was what you meant.

It's not clear what the benefit of this is to me yet; I guess you can
use it to block garbage at the router?  Or is it just more efficient
to drop the packets on the floor early rather than drop them on the
floor because the listener never sees a SYN?

    Tobias> Works for ping, traceroute,

Wrong.  Ping is ICMP, traceroute is UDP.  No state ... sorry.

If RELATED means what I think it does, it's just a guess.  It could be
(easily) spoofed; (conventional) ping and traceroute packets don't
contain any information that would help you to verify this status.

I wonder how much checking is done on ESTABLISHED, for that matter.
Is it just a dynamic firewall that automatically opens an incoming
window to the local source port when you make an outgoing connection?
Or does it verify TCP serial numbers and (maybe) high-level protocol?
Seems unlikely....

    Tobias> http, ftp.

Or is FTP's "two-circuit" protocol what is meant by "RELATED"?

-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
_________________  _________________  _________________  _________________
What are those straight lines for?  "XEmacs rules."