From: Aleksandar Milivojevic <amilivojevic@pbl.ca>
To: netfilter@lists.netfilter.org
Subject: Re: nat and dns
Date: Thu, 23 Sep 2004 20:56:17 -0500 [thread overview]
Message-ID: <1095990977.41537ec1b14b5@webmail2> (raw)
In-Reply-To: <1095976931.5171.12.camel@mistified.sf.bgservice.lab>
Quoting Dimitar Katerinski <train@bofh.bg>
Date: Fri, 24 Sep 2004 01:02:11
> Sorry, a little bit off topic, but I allways go red about such kind of crappy
> rules:
>
> > Use DNAT target. In short what you need to do is:
> >
> > iptables -A FORWARD -m state --state NEW -j ACCEPT
>
> Do you know what you just did? You've just allowed any kind of
> connections, protocols to any port and from/to any destionation. Cute,
> isn't it?
The above was an obvious typo that I made. It should have read ESTABLISHED, not
NEW, of course. It kinda suprised me that it took so long before anybody noticed.
As for using only --state NEW in my other rules vs specifying tcp flags, there
were some discussions before on the list about it. For most part it will just
prevent nmap and similar programs to do some types of tests used to remotely
determine OS type. Personally, I do use tcp-flags option in combination with
--state NEW. And what I sometimes type when giving examples (mostly not, becase
of pure laziness on my part) is that they are examples and that reader should
add additional flags to make it more tight.
> P.S. Why I go red? Because there're thousands of people who use it, and
> they learned it from someone like you.
Maybe yes, maybe no. The bottom line is that probability of somebody getting
burned by not using tcp-flags (or simply syn) option is quite low. But if
that's going to make you so much happier person, I can start typing mile long
examples instead of giving hints. I could bet that out of those thousands,
there will be at least 99% that will fail to realize that 2.6 series of kernels
is extremely trigger happy to load ipv6 module (which will automatically assign
link local IPv6 addresses to all Ethernet interfaces), and that is much more
serious problem than omiting --syn or whatever...
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
next prev parent reply other threads:[~2004-09-24 1:56 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-23 9:00 nat and dns Raphael Jacquot
2004-09-23 10:34 ` Nick Drage
2004-09-23 11:09 ` Samuel Díaz García
2004-09-23 11:23 ` Nick Drage
2004-09-23 13:01 ` Samuel Díaz García
2004-09-23 13:19 ` Alexis
2004-09-23 14:13 ` Jason Opperisano
2004-09-23 14:34 ` Aleksandar Milivojevic
2004-09-23 14:44 ` Jason Opperisano
2004-09-23 15:09 ` Aleksandar Milivojevic
2004-09-24 9:43 ` Jozsef Kadlecsik
2004-09-23 13:17 ` Alexis
2004-09-23 14:09 ` Aleksandar Milivojevic
2004-09-23 12:00 ` Raphael Jacquot
2004-09-23 14:17 ` Aleksandar Milivojevic
2004-09-23 22:02 ` Dimitar Katerinski
2004-09-23 22:16 ` Jason Opperisano
2004-09-24 1:56 ` Aleksandar Milivojevic [this message]
2004-09-24 6:51 ` Jason Opperisano
[not found] <20020829192902.29524.97535.Mailman@kashyyyk>
2002-09-11 12:10 ` NAT and DNS Mauricio Gouvea
2002-09-11 13:10 ` Antony Stone
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1095990977.41537ec1b14b5@webmail2 \
--to=amilivojevic@pbl.ca \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.