Reco <recovery...@gmail.com> writes:

<snip, I agree completely>
>> The
>> RELATED,ESTABLISHED rule is only for stupid protocols like FTP, that
>> like to open new outbound connections in response to inbound requests.
>
> Not quite true. You forgot to take into account good old DNS, for
> example. Now, sure, DNS *is* stupid, but sshd relies on it to some
> extent. Or, say, NTP, which is UDP-based too.
>
Yah, I never run into that because I usually do this on my laptop, and
that has a local instance of bind running a slave of my own private zone
and a caching resolver. Slaving runs over an OpenVPN link using TCP, so
I can get by with an outbound ACCEPT policy.

But yeah, the most comprehensive policy runs a conntrack for related and
established outbound connections.

Mart

-- 
"We will need a longer wall when the revolution comes."
    --- AJS, quoting an uncertain source.


Archive: https://lists.debian.org/86388ct807....@gaheris.avalon.lan
