David S. Miller wrote:
> I personally think allowing sockets to trump firewall rules
> is an acceptable relaxation of the rules in order to simplify
> the implementation.
I agree. I have never seen a set of netfilter rules that would block arbitrary packets *within* an established connection. Technically you can create such rules, but every single set of rules actually deployed that I have ever seen started with a rule to pass all packets for established connections, and then proceeded to control which connections could be initiated or accepted.
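The rule structure the reply describes, written out as an nftables ruleset. This is an added illustration and is not part of the original thread or of the netfilter project; the ports (22, 443), the `inet filter` table name and the loopback handling are assumptions chosen for the example.

```nft
# Added example of the "accept established first, then police new connections"
# layout described above. Table/chain names and ports are assumptions.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Step 1: every packet that belongs to an already-established (or related)
        # connection is accepted here. No rule below this line ever sees a
        # mid-stream packet, which is why later rules cannot block traffic
        # "within" a connection. A rule intended to do that would have to be
        # placed ABOVE this one, and deployed rulesets do not do that.
        ct state established,related accept

        # Packets conntrack cannot associate with any connection are dropped.
        ct state invalid drop

        # Local loopback traffic (assumed policy).
        iif lo accept

        # Step 2: only from here on is connection *initiation* controlled.
        # These rules decide which NEW connections may be accepted.
        tcp dport { 22, 443 } ct state new accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # Anything else that is a new connection attempt falls to the drop policy.
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The ordering is the whole point: because `ct state established,related accept` comes first, the per-port rules only ever decide whether a connection can be opened, never what happens inside it. The file can be syntax-checked without loading it with `nft -c -f <file>`.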