From: Peter Surda
Date: Thu, 21 Dec 2006 07:10:51 +0000
Subject: Re: [LARTC] Interesting article about punching holes in firewalls...
Message-Id: <458A337B.1060400@shurdix.com>
List-Id:
References: <45860240.2040102@riverviewtech.net>
In-Reply-To: <45860240.2040102@riverviewtech.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Grant Taylor wrote:
> I personally have known that using "-m state --state
> ESTABLISHED,RELATED" was not the most secure thing to use for returning
> traffic.

Actually, what the described method accomplishes is not defeating the
"firewall" part, but the "NAT" part. If one of the hosts were not behind a
NAT, the traffic would flow even with ESTABLISHED,RELATED, because it
belongs to an active "connection".

> Namely this will allow you to make a valid connection to a web
> server, say to retrieve a picture. Then said web server could send
> malicious traffic back to your computer and pass through your firewall.

Please note it does not allow you to create a new connection, just use
POTENTIAL connections that wouldn't work due to NAT.

> Grant. . . .

Yours sincerely,

Peter

--
http://www.shurdix.org - Linux distribution for routers and firewalls

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
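The distinction Peter draws above (ESTABLISHED,RELATED only admits packets that belong to a flow an inside host already opened; it never lets the outside create a connection) is easy to see with a small model of how netfilter's connection tracking classifies packets. The following is an added illustration, not code from this thread or from the netfilter project. It models UDP flows only, ignores the RELATED state that protocol helpers produce, and uses constructed RFC 5737 documentation addresses; the names `Conntrack`, `firewall_decision` and `run_scenario` are the example's own.

```python
"""Toy model of stateful filtering with a default-deny inbound policy.

Constructed example (not netfilter code). Outbound packets create a
conntrack entry; an inbound packet is ESTABLISHED only if it is the
reply direction of an entry created from the inside. Everything else
inbound is NEW and dropped, which is what
'-m state --state ESTABLISHED,RELATED -j ACCEPT' plus a DROP policy does.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Conntrack:
    # 4-tuples (src, sport, dst, dport) of flows first seen leaving the LAN
    entries: set = field(default_factory=set)

    def classify(self, pkt: Packet, direction: str) -> str:
        """Return 'NEW' or 'ESTABLISHED' the way the state match would."""
        if direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            state = "ESTABLISHED" if key in self.entries else "NEW"
            self.entries.add(key)   # the first outbound packet creates the entry
            return state
        # Inbound is the reply direction: look up the mirrored tuple.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if key in self.entries else "NEW"


def firewall_decision(ct: Conntrack, pkt: Packet, direction: str):
    """Apply 'ACCEPT out; ACCEPT ESTABLISHED in; DROP everything else in'."""
    state = ct.classify(pkt, direction)
    if direction == "out":
        return "ACCEPT", state
    return ("ACCEPT" if state == "ESTABLISHED" else "DROP"), state


def run_scenario():
    """Walk through the cases discussed in the thread and return the verdicts."""
    ct = Conntrack()
    inside, outside = "192.0.2.10", "198.51.100.7"   # constructed sample addresses
    log = []
    # 1. Unsolicited inbound packet: no entry exists, so it is NEW and dropped.
    log.append(firewall_decision(ct, Packet(outside, 4000, inside, 5000), "in"))
    # 2. The inside host opens the flow first (this is the "potential connection").
    log.append(firewall_decision(ct, Packet(inside, 5000, outside, 4000), "out"))
    # 3. The same remote tuple answers: part of an existing flow, not a new one.
    log.append(firewall_decision(ct, Packet(outside, 4000, inside, 5000), "in"))
    # 4. A different remote port gains nothing from that entry and is still dropped.
    log.append(firewall_decision(ct, Packet(outside, 4001, inside, 5000), "in"))
    return log


if __name__ == "__main__":
    for verdict, state in run_scenario():
        print(f"{state:12} -> {verdict}")
```

Step 3 is the whole of what the rule permits: a reply on a flow the inside host already chose to open, which is why removing NAT would not change the outcome. Step 4 shows that the entry is bound to the exact tuple, so it does not open the host to arbitrary inbound traffic.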