netfilter-devel.vger.kernel.org archive mirror
* does "iptables -t filter -A INPUT --match conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" gives a false sense of security ?
@ 2014-08-31 11:52 Toralf Förster
From: Toralf Förster @ 2014-08-31 11:52 UTC (permalink / raw)
  To: netfilter-devel

I misconfigured my Gentoo iptables script and could therefore not download source code archives via ftp. I "repaired" that script and restarted it - ftp was possible. After a reboot however ftp won't work again. I realized that probably a parallel Gentoo emerge job jumped into the restart sequence of the iptables script and therefore the ftp download could be finished.

Now I'm wondering if this is a "works as designed" feature and how this racy mischance can be avoided.

-- 
Toralf
pgp key: 0076 E94E

