* Change from --syn (old Style) to stat NEW
From: Markus Feldmann @ 2010-05-14 12:27 UTC
To: netfilter

Hi All,

I am thinking about changing much of my firewall rules from the old style with the <--syn> argument to the new style with the <-m state --state NEW> or to the conntrack style.

For example, have a look at lines 221 to 239 in my firewall: http://pastebin.com/cG0Vc4EW

These are my FTP rules. Therefore I am only using the <! --syn> arguments. Is it useful to remove this argument by inserting <-m conntrack ! --cstate NEW> to get more safety?

regards
Markus
* Re: Change from --syn (old Style) to stat NEW
From: Markus Feldmann @ 2010-05-14 12:32 UTC
To: netfilter

Further on, which improvements for security do you see in my firewall?

regards
Markus
* Re: Change from --syn (old Style) to stat NEW
From: Jan Engelhardt @ 2010-05-14 18:36 UTC
To: Markus Feldmann; +Cc: netfilter

On Friday 2010-05-14 14:27, Markus Feldmann wrote:

> I am thinking about changing much of my firewall rules from the old style with
> the <--syn> argument to the new style with the <-m state --state NEW> or to the
> conntrack style.
>
> For example, have a look at lines 221 to 239 in my firewall:
> http://pastebin.com/cG0Vc4EW
>
> These are my FTP rules. Therefore I am only using the <! --syn> arguments. Is
> it useful to remove this argument by inserting <-m conntrack ! --cstate NEW> to
> get more safety?

You could combine --syn with --ctstate NEW. That may be considered a bonus (though I admit I don't do so myself).
* Re: Change from --syn (old Style) to stat NEW
From: Markus Feldmann @ 2010-05-15 11:32 UTC
To: netfilter

Jan Engelhardt wrote:

> You could combine --syn with --ctstate NEW. That may be
> considered a bonus (though I admit I don't do so myself).

Hi Jan,

Nice idea. :-)

Could this be a problem? As long as I do not redirect the ports, like I did with my Apache server from 80 to 443, it should work to combine --syn with --ctstate NEW?

However, it should be safer to change from --syn to --ctstate NEW for all rules?

regards
Markus
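Jan's suggestion to combine --syn with --ctstate NEW, rendered next to the old flag-only rules and the plain conntrack rules so the three can be compared, as an added example that is not part of the thread; the port number, the DROP policy and the reliance on the FTP conntrack helper for RELATED are assumptions:

```shell
# Added example, not from the thread: the FTP control-channel ACCEPT rules
# written three ways, in iptables-restore format. Port, DROP policy and the
# nf_conntrack_ftp helper behind RELATED are assumptions; nothing is applied.
FTP_PORT=21

# Old style, TCP flags only: "! --syn" matches every packet that is not a bare
# SYN, so a lone ACK is accepted even if conntrack never saw the connection.
old_style_rules() {
    cat <<EOF
-A INPUT -p tcp --dport $FTP_PORT --syn -j ACCEPT
-A INPUT -p tcp --dport $FTP_PORT ! --syn -j ACCEPT
EOF
}

# New style: non-SYN traffic passes only for a connection conntrack tracks
# (ESTABLISHED) or that the FTP helper announced for the data channel (RELATED).
conntrack_rules() {
    cat <<EOF
-A INPUT -p tcp --dport $FTP_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Combined, as Jan suggests: a NEW connection must also be a real SYN, since
# conntrack labels a non-SYN packet NEW when it picks a connection up
# mid-stream (net.netfilter.nf_conntrack_tcp_loose=1, the default).
combined_rules() {
    cat <<EOF
-A INPUT -p tcp --dport $FTP_PORT --syn -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Wrap one rule set in a complete filter table with a default-deny INPUT chain.
render_table() {
    printf '*filter\n:INPUT DROP [0:0]\n'
    "$1"
    printf 'COMMIT\n'
}

# ACCEPT rules in a set that never consult conntrack.
count_unchecked_accepts() {
    "$1" | grep -v -- '--ctstate' | grep -c -- '-j ACCEPT' || true
}

# True when the set carries the SYN-plus-NEW guard from the thread.
has_syn_guard() {
    "$1" | grep -q -- '--syn -m conntrack --ctstate NEW'
}
```

Render a set with `render_table combined_rules` and hand the output to `iptables-restore` as root; the script itself changes nothing.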