* rule check
@ 2003-01-16 15:30 Mike
From: Mike @ 2003-01-16 15:30 UTC
To: netfilter
Are these two rules essentially the same?
Thanks,
Mike
iptables -A FORWARD -i eth2 -o eth0 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i eth2 -o eth0 -p tcp --dport 2000:2050 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
* Re: rule check
From: Qui Le @ 2003-01-16 15:50 UTC
To: Mike, netfilter
No. The first rule has a broader scope than the second rule. The second
rule limits the destination port to 2000 - 2050, whereas the first rule will
accept any destination port.
Qui
On Thursday 16 January 2003 10:30 am, Mike wrote:
> Are these two rules essentially the same ?
>
> Thanks,
> Mike
>
> iptables -A FORWARD -i eth2 -o eth0 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A FORWARD -i eth2 -o eth0 -p tcp --dport 2000:2050 -m
> state --state NEW,ESTABLISHED,RELATED -j ACCEPT
* RE: rule check
From: Darrell Dieringer @ 2003-01-16 16:38 UTC
To: netfilter
If these rules appeared in that order in the same set of rules, the
second rule wouldn't be hit because the first one is already accepting
all the NEW,ESTABLISHED,RELATED traffic regardless of protocol and
port.
So, as other listers have pointed out, the rules are not the same. If
they appeared together though, since the first one is more general, it
will match the traffic the second rule was designed to match.
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Mike
> Sent: Thursday, January 16, 2003 9:30 AM
> To: netfilter@lists.netfilter.org
> Subject: rule check
>
>
> Are these two rules essentially the same ?
>
> Thanks,
> Mike
>
> iptables -A FORWARD -i eth2 -o eth0 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A FORWARD -i eth2 -o eth0 -p tcp --dport 2000:2050 -m
> state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
>
>
* RE: rule check
From: mailinglists @ 2003-01-16 15:46 UTC
To: netfilter
> Are these two rules essentially the same ?
no, they're not.
> Thanks,
> Mike
>
> iptables -A FORWARD -i eth2 -o eth0 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
for traffic from eth2 over eth0 this rule is not restricted at all
>
> iptables -A FORWARD -i eth2 -o eth0 -p tcp --dport 2000:2050 -m
> state --state NEW,ESTABLISHED,RELATED -j ACCEPT
this rule restricts to proto tcp and to destination ports 2000:2050
I just don't know what you need the related for here. new,established does
the job.
Philipp
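To make the two points in this thread concrete (Darrell's: a more general rule placed first shadows the port-limited one; Philipp's: the --state list decides which conntrack states a rule accepts), here is an added Python model of a FORWARD chain. It is not code from the thread or from netfilter. It parses Mike's two commands, walks a constructed set of packets through the chain in both orders, and counts which rule took each packet. The names Packet, Rule, parse_rule, run_chain and evaluate, the sample packets and the conntrack state labels attached to them are assumptions for the example; the real kernel assigns those states from its connection table, and the real chain ends in the chain policy, assumed here to be DROP.

```python
"""Toy model of a netfilter chain: rules are tried top-down, first match wins."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The two commands from the thread, each joined onto one line.
RULE_GENERAL = ("iptables -A FORWARD -i eth2 -o eth0 -m state "
                "--state NEW,ESTABLISHED,RELATED -j ACCEPT")
RULE_PORTS = ("iptables -A FORWARD -i eth2 -o eth0 -p tcp --dport 2000:2050 "
              "-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT")


@dataclass
class Packet:                 # constructed stand-in for a forwarded packet
    in_iface: str
    out_iface: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int]      # None for protocols without ports
    state: str                # conntrack label: NEW, ESTABLISHED, RELATED, INVALID


@dataclass
class Rule:
    chain: str
    target: str
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None   # inclusive range from "lo:hi"
    states: Optional[frozenset] = None
    hits: int = 0                             # how often this rule decided a packet

    def matches(self, pkt: Packet) -> bool:
        """Every match that was given must hold; a match left out is a wildcard."""
        if self.in_iface and pkt.in_iface != self.in_iface:
            return False
        if self.out_iface and pkt.out_iface != self.out_iface:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport:
            lo, hi = self.dport
            if pkt.dport is None or not lo <= pkt.dport <= hi:
                return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


def parse_rule(cmdline: str) -> Rule:
    """Parse the subset of iptables syntax used in the thread into a Rule."""
    argv = cmdline.split()
    if argv[:1] != ["iptables"] or "-A" not in argv or "-j" not in argv:
        raise ValueError("expected 'iptables -A <chain> ... -j <target>'")
    rule = Rule(chain=argv[argv.index("-A") + 1], target=argv[argv.index("-j") + 1])
    for i, opt in enumerate(argv):
        val = argv[i + 1] if i + 1 < len(argv) else None
        if opt == "-i":
            rule.in_iface = val
        elif opt == "-o":
            rule.out_iface = val
        elif opt == "-p":
            rule.proto = val
        elif opt == "--dport":
            lo, _, hi = val.partition(":")
            rule.dport = (int(lo), int(hi or lo))   # a bare "2000" means 2000:2000
        elif opt == "--state":
            rule.states = frozenset(val.split(","))
    if rule.dport and rule.proto not in ("tcp", "udp"):
        raise ValueError("--dport is only known to the tcp/udp match (-p tcp|udp)")
    return rule


def run_chain(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, Optional[int]]:
    """Walk the chain top-down; the first matching rule gives the verdict."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            rule.hits += 1
            return rule.target, idx
    return policy, None          # no rule matched: the chain policy applies


# Constructed sample traffic, mostly forwarded eth2 -> eth0 as the rules expect.
SAMPLE_PACKETS = [
    Packet("eth2", "eth0", "tcp", 2022, "NEW"),          # inside 2000:2050
    Packet("eth2", "eth0", "tcp", 2022, "ESTABLISHED"),
    Packet("eth2", "eth0", "tcp", 3306, "NEW"),          # outside the port range
    Packet("eth2", "eth0", "udp", 53, "NEW"),            # not tcp at all
    Packet("eth2", "eth0", "icmp", None, "RELATED"),     # e.g. an ICMP error for a flow
    Packet("eth2", "eth0", "tcp", 2022, "INVALID"),      # no conntrack entry fits
    Packet("eth0", "eth2", "tcp", 2022, "NEW"),          # opposite direction
]


def evaluate(cmdlines: List[str], packets: List[Packet] = SAMPLE_PACKETS) -> Dict[str, list]:
    """Load rules in the given order, feed every packet, report verdicts and hit counts."""
    rules = [parse_rule(c) for c in cmdlines]
    verdicts = [run_chain(rules, p)[0] for p in packets]
    return {"verdicts": verdicts, "hits": [r.hits for r in rules]}


if __name__ == "__main__":
    print(evaluate([RULE_GENERAL, RULE_PORTS]))   # the port rule is never hit
    print(evaluate([RULE_PORTS, RULE_GENERAL]))   # the port rule takes the 2000:2050 flows
    print(evaluate([RULE_PORTS]))                 # only tcp/2000:2050 gets through
    print(evaluate([RULE_GENERAL.replace("NEW,ESTABLISHED,RELATED", "NEW,ESTABLISHED")]))
```

With the thread's order the general rule decides every packet it can and the port-limited rule records zero hits, which is what Darrell describes; reversing the order gives the narrow rule the 2000:2050 flows and the general rule the rest, with the same final verdicts. The last call drops RELATED from the general rule: the only packet whose verdict changes is the ICMP one labelled RELATED, which now falls through to the chain policy, so whether Philipp's shorter state list "does the job" depends on whether such related traffic is expected on this path.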