Fedora Users — Re: iptables generic INPUT rule

Re: iptables generic INPUT rule

Date Prev

Date Next

Thread Prev

Thread Next

Date Index

Thread Index

To: For users of Fedora <fedora-list@xxxxxxxxxx>

Subject: Re: iptables generic INPUT rule

From: Bill Davidsen <davidsen@xxxxxxx>

Date: Thu, 08 Nov 2007 18:38:22 -0500

In-reply-to: <BAY117-DAV34C1878091FA6B9ED633F9B880@xxxxxxx>

References: <BAY117-DAV34C1878091FA6B9ED633F9B880@xxxxxxx>

Reply-to: For users of Fedora <fedora-list@xxxxxxxxxx>

User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.8) Gecko/20061105 SeaMonkey/1.0.6

Joe Tseng wrote:

I recall seeing an example rule where the person allowed all establishedconnections; it went something like this:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Is this a safe generic rule to have? Or is it better for me to stateevery case explicitly?

Good, safe, and should be first. Rules are processed in order, so youreduce the overhead by putting the most likely case first, in this caseESTABLISHED.


--
Bill Davidsen <davidsen@xxxxxxx>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot