Reco <recovery...@gmail.com> writes:

<snip, I agree completely>

>> The RELATED,ESTABLISHED rule is only for stupid protocols like FTP, that
>> like to open new outbound connections in response to inbound requests.
>
> Not quite true. You forgot to take into account good old DNS, for
> example. Now, sure, DNS *is* stupid, but sshd relies on it to some
> extent. Or, say, NTP, which is UDP-based too.

Yah, I never run into that because I usually do this on my laptop, and
that has a local instance of bind running a slave of my own private zone
and a caching resolver. Slaving runs over an OpenVPN link using TCP, so I
can get by with an outbound ACCEPT policy.
But yeah, the most comprehensive policy runs a conntrack for related and
established outbound connections.

Mart

-- 
"We will need a longer wall when the revolution comes."
    --- AJS, quoting an uncertain source.

Archive: https://lists.debian.org/86388ct807....@gaheris.avalon.lan
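The "most comprehensive policy" the post ends on, written out as an added iptables-restore ruleset (not the poster's own configuration): default-deny in both directions, conntrack state matching for ESTABLISHED,RELATED on INPUT and OUTPUT so that DNS and NTP replies are let back in even though they are UDP, and explicit NEW rules only for what the host is expected to start. The port choices (ssh only inbound; DNS, NTP and an OpenVPN-over-TCP link on 1194 outbound) are assumptions.

```conf
*filter
# Default-deny everywhere, instead of the outbound ACCEPT shortcut.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Loopback: the local bind resolver and anything talking to it.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Reply traffic in both directions, keyed on conntrack state.
# This is what covers the "stupid" UDP protocols: the outbound DNS or NTP
# query creates a conntrack entry, and the answer matches it as ESTABLISHED.
# RELATED is what lets helper-assisted protocols (FTP data channels, ICMP
# errors for a tracked flow) through without opening their ports.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify are not worth a second look.
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Inbound services: sshd only (assumption). Its replies go out as
# ESTABLISHED, so nothing else is needed in OUTPUT for it.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# Outbound: only what this host is expected to initiate.
# DNS, over UDP and over TCP (zone transfers, truncated answers).
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# NTP, also UDP; without the ESTABLISHED rule above its replies would die.
-A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
# OpenVPN link carrying the slave zone, TCP on an assumed port 1194.
-A OUTPUT -p tcp --dport 1194 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
```

Load with `iptables-restore < ruleset` (IPv6 needs a matching `ip6tables-restore` set); anything not in a NEW rule, such as a stray outbound HTTP fetch, is silently dropped, which is the point of doing it this way rather than with an outbound ACCEPT policy.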