State from local host?
Richard Parry
richard.parry@lycos.com
Thu, 16 Aug 2001 11:25:19 +1200
Hey Nigel;
On Wed, 15 Aug 2001 11:14:04, Nigel Morse wrote:
>One thing that does strike me about your rules.... you have a lot of INPUT
>stuff and very little FORWARD. Remember that in netfilter (i.e iptables)
>the packets will traverse *either* the INPUT chain *or* the FORWARD chain -
>not both. This is in contrast to the ipchains you are used to where all
>packets go though input and then forward.
Ah! So I don't need an INPUT accept for a FORWARD chain - why, this makes things much simpler :) :)
>ones. Sorry if you already knew this, but I thought better safe than sorry
>and tell you anyway ;)
No, it's all good, I did not know this. It was on my list of Things To Check When I Have Time, but now I'll just ruthlessly remove my INPUT accepts.
It makes a lot more sense this way from a security perspective... As I understand it, we have a situation where INPUT and OUTPUT are for local processes only, whereas FORWARD is where you want to do your network-to-network firewalling.
Whilst it's a bit of a leap of faith, I like this better than the old Chains methodology - Rusty's done some good thinking.
Cheers
Richard
---
richard.parry@lycos.com
Phone +64 2 166 4655 Tonic for the thinking man.
ICQ UID 880301, Linux User 157905, http://richard.parry.tripod.com/
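As an added example (not part of the original thread, nor anyone's actual ruleset), here is a minimal filter table in iptables-restore format laid out the way Nigel describes: INPUT and OUTPUT only ever see packets addressed to or generated by the firewall host itself, and FORWARD alone filters traffic routed between the two interfaces, so forwarded connections need no ACCEPT in INPUT at all. The interface names eth0/eth1, the 192.168.1.0/24 LAN and SSH on port 22 are assumptions chosen for illustration; the `check_no_forward_leftovers` helper is a small sanity check that flags any INPUT rule still mentioning an output interface, which is the ipchains habit the thread is about.

```shell
#!/bin/sh
# Added example, not from the original thread. A minimal netfilter ruleset
# that keeps host protection in INPUT/OUTPUT and network-to-network filtering
# in FORWARD. Interfaces, subnet and SSH port below are assumed values.
# Uses the 2.4-era "state" match; current iptables still accepts -m state as
# an alias for the conntrack match.

EXT_IF="${EXT_IF:-eth0}"               # assumed: Internet-facing interface
INT_IF="${INT_IF:-eth1}"               # assumed: LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: the protected LAN

# Print the ruleset. Nothing is applied here; feed it to iptables-restore
# as root (APPLY=1) to load it atomically.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: packets addressed to the firewall host itself, nothing else
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INT_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $EXT_IF -p icmp --icmp-type echo-request -j ACCEPT
# FORWARD: packets routed between $INT_IF and $EXT_IF; INPUT never sees these
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Sanity check for the point made in the thread: since forwarded traffic
# never traverses INPUT, an INPUT rule that names an output interface (-o)
# is a leftover from ipchains thinking. Returns 0 when none are present.
check_no_forward_leftovers() {
    ! gen_ruleset | grep -E '^-A INPUT .*-o ' >/dev/null
}

# Number of -A rules in the chain named by $1.
count_rules() {
    gen_ruleset | grep -c "^-A $1 "
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_ruleset | iptables-restore
else
    gen_ruleset
fi
```

Run it without arguments to review the generated rules; `APPLY=1 sh ruleset.sh` as root loads them. Because the policy on FORWARD is DROP and the only NEW-state rule points from the LAN outwards, inbound connection attempts from the Internet to the LAN are dropped (and logged) without any INPUT rule being involved, which is exactly why the INPUT accepts Richard mentions can be removed.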