* Change from --syn (old Style) to stat NEW
@ 2010-05-14 12:27 Markus Feldmann
From: Markus Feldmann @ 2010-05-14 12:27 UTC (permalink / raw)
To: netfilter
Hi All,
I am thinking about changing many of my firewall rules from the old
style with the <--syn> argument to the new style with the <-m state
--state NEW> or to the conntrack style.
For example, have a look at lines 221 to 239 in my firewall:
http://pastebin.com/cG0Vc4EW
These are my FTP rules. Therefore I am only using the <! --syn>
arguments. Is it useful to remove this argument by inserting <-m
conntrack ! --ctstate NEW> to get more safety?
regards Markus
* Re: Change from --syn (old Style) to stat NEW
From: Markus Feldmann @ 2010-05-14 12:32 UTC (permalink / raw)
To: netfilter
Further on, which improvements for security do you see in my firewall?
regards Markus
* Re: Change from --syn (old Style) to stat NEW
From: Jan Engelhardt @ 2010-05-14 18:36 UTC (permalink / raw)
To: Markus Feldmann; +Cc: netfilter
On Friday 2010-05-14 14:27, Markus Feldmann wrote:
>
> I am thinking about changing many of my firewall rules from the old style with
> the <--syn> argument to the new style with the <-m state --state NEW> or to the
> conntrack style.
>
> For example, have a look at lines 221 to 239 in my firewall:
> http://pastebin.com/cG0Vc4EW
>
> These are my FTP rules. Therefore I am only using the <! --syn> arguments. Is
> it useful to remove this argument by inserting <-m conntrack ! --ctstate NEW> to
> get more safety?
You could combine --syn with --ctstate NEW. That may be
considered a bonus (though I admit I don't do so myself).
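A toy model of the two matches Jan compares, added here as an illustration and not something posted in the thread. The packets and addresses are constructed, and conntrack is reduced to the one property --ctstate NEW actually tests (whether the flow has been seen in both directions yet), so the difference between --syn, --ctstate NEW and the two combined is visible:

```python
# Added illustration (not from the thread) of the two iptables matches.
#   --syn          is --tcp-flags SYN,RST,ACK,FIN SYN: a pure flag check.
#   --ctstate NEW  means the conntrack entry has not seen both directions.
# With nf_conntrack_tcp_loose=1 (the default) conntrack also picks up a
# flow from a non-SYN packet, so a bare ACK to an unknown flow is NEW too.
from dataclasses import dataclass, field

SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def match_syn(pkt):
    """iptables --syn: SYN set and none of RST, ACK, FIN set."""
    return SYN in pkt.flags and not (pkt.flags & {RST, ACK, FIN})


@dataclass
class Conntrack:
    tcp_loose: bool = True
    table: dict = field(default_factory=dict)  # flow -> reply seen?

    def ctstate(self, pkt):
        """State conntrack would assign; updates the table as it goes."""
        orig = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if orig in self.table:
            return "ESTABLISHED" if self.table[orig] else "NEW"
        if reply in self.table:
            self.table[reply] = True  # first packet back: both directions seen
            return "ESTABLISHED"
        if SYN in pkt.flags or self.tcp_loose:
            self.table[orig] = False  # new entry, no reply yet
            return "NEW"
        return "INVALID"


def accepted_as_new(pkt, ct):
    """Which rule style would treat this packet as a connection opener."""
    st = ct.ctstate(pkt)
    return {
        "--syn": match_syn(pkt),
        "--ctstate NEW": st == "NEW",
        "--syn --ctstate NEW": match_syn(pkt) and st == "NEW",
    }
```

Feeding a bare ACK from an unknown host through this shows the point: --ctstate NEW alone accepts it (tcp_loose), --syn alone rejects it, and the combined rule accepts only a genuine SYN that conntrack has not yet seen a reply for.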
* Re: Change from --syn (old Style) to stat NEW
From: Markus Feldmann @ 2010-05-15 11:32 UTC (permalink / raw)
To: netfilter
Jan Engelhardt wrote:
>
> You could combine --syn with --ctstate NEW. That may be
> considered a bonus (though I admit I don't do so myself).
Hi Jan,
Nice idea. :-) Could this be a problem?
As long as I do not redirect the ports, like I did with my Apache server
from 80 to 443, it should work to combine --syn with --ctstate NEW?
However, it should be safer to change from --syn to --ctstate NEW
for all rules?
regards Markus