> > ports you want. Only associated packets will be accepted IN.
>
> Thanks for the feedback. All I am still a little worried about is what
> are associated packets, I guess. So suppose I initiate a non-anonymous
> FTP session, I've seen that generate ident packets. Are these
> associated? Similar worries about other protocols.

Ident/Auth (same thing) connections are normal when FTP (or IRC or MANY things) make a connection....
I.e. when you are connected to a remote ftp server, the ftp server may CONNECT BACK to your IP address/machine on the ident/auth "113" port and attempt to request the username using the client program... This is quite normal and non-harmful...

You must at least allow the 'returned' connection on port 113 to be refused with a TCP RESET, using target 'REJECT' and "--reject-with tcp-reset" in iptables somewhere... You can of course run a safe identd and allow connections to that identd.

I know a "nathost.[domain].[domain].ac.uk" machine that acts as a single-IP-address 'NAT' host, taking connections leaving that institution. It seems to 'DROP' connection packets aimed at most ports on it, BUT sends back a TCP RESET in response to a connection packet going to the auth/ident (113) port on that 'nathost' machine.

If you DROP packets coming to the ident port on your machine, you may find some telnet/smtp/ftp/irc/other sessions from that machine take a long time to give a login prompt / work (or not work at all), as the remote server you connect to is trying, trying, trying to connect back to your port 113 (auth/ident port) and ... eventually times out. You should either accept this connection or refuse it properly.

I wonder if iptables 'related' matches returned ident connections and/or can forward the ident connection to the machine that actually originated the outgoing connection, instead of only receiving the ident connection on the iptables/netfilter machine itself.

-enyc
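The rule set the post describes, as an added example (not code from the original message or its author): an INPUT chain that accepts return traffic of connections the host started, answers the server's callback to ident/auth (TCP 113) with a TCP RST rather than dropping it, and drops everything else. On the question raised at the end of the post: netfilter's RELATED state is driven by protocol helpers (FTP data channels, ICMP errors), and there is no ident helper, so the returned 113 connection arrives as a plain NEW connection and needs its own rule. The external interface name "$WAN" (default eth0) and the DRY_RUN switch are assumptions of this example; with DRY_RUN=1 (the default here) the script only prints the iptables commands it would run, so it can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the original post. Refuse returned ident/auth
# (TCP 113) connections with a TCP RESET instead of silently dropping them,
# so a remote ftp/irc/smtp server gives up immediately rather than retrying
# until its own timeout.
#
# Assumptions (hypothetical, set for this example): the external interface is
# "$WAN" (default eth0); DRY_RUN=1 prints the commands instead of running
# them. Running for real needs root and DRY_RUN=0.

WAN="${WAN:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# Wrapper so the same rule list can be printed (dry run) or applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the INPUT rules in the order they must appear: the 113 REJECT has to
# come before the catch-all DROP, or it never matches.
ident_rules() {
    # Return traffic of connections this host opened (ESTABLISHED) and
    # connections a conntrack helper ties to them (RELATED, e.g. an
    # active-mode FTP data channel).
    ipt -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The ident callback is NOT RELATED: the remote server opens a fresh
    # TCP connection to our port 113. Answer it with a RST so the remote
    # stops waiting; it will proceed without a username.
    ipt -A INPUT -i "$WAN" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # Any other unsolicited connection attempt is dropped.
    ipt -A INPUT -i "$WAN" -m state --state NEW -j DROP
}

# Sanity check used before applying for real: confirm that port 113 is
# refused with a reset rather than falling through to the DROP rule.
# Returns 0 when the rule is present, non-zero otherwise.
check_ident_reset() {
    DRY_RUN=1 ident_rules | grep -q -- '--dport 113 -j REJECT --reject-with tcp-reset'
}

# Count of rules the script would install (3 for this example).
rule_count() {
    DRY_RUN=1 ident_rules | grep -c '^iptables '
}

ident_rules
```

Running the script as-is prints the three iptables commands; set DRY_RUN=0 and run as root to install them. If you do run an identd instead, replace the REJECT line with an ACCEPT for 113 and keep it above the final DROP. Forwarding the callback to the internal machine that actually originated the outgoing connection, as the post asks about, is not something conntrack does on its own; it would need a DNAT rule to a fixed internal host, which is only correct when a single machine sits behind the NAT.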