On Thu, Apr 11, 2002 at 10:00:52AM +0800, ian perez wrote:
> how about this site http://www.linuxguruz.org/iptables/
Also very useful :-)

Actually, looking at it again I come to the conclusion that there are as many ways of composing a packet filter ruleset as there are people doing it, so maybe there are no generic ways for filtering... Or maybe I mean something different, like tried and true ways to allow specific services to be accessible using an iptables ruleset for the cases I mentioned (behind the FW, on the FW, on the Internet from behind/on the FW).

Although I understand and know a lot about IP protocols, I'm sure I can learn more than I know already ;-) But packet filtering is a whole new way of thinking about protocols, especially in the case of stateful FW actions. The ESTABLISHED and RELATED states are helpful and at the same time they hide their operation in a gray box (a black box that you can look into if you dare/are able...). I'm reluctant to try and understand the code that makes the choices about what is a state, but at the same time, how can I trust that a packet belonging to a RELATED state is not 'accidentally' unrelated?

Take ICMP, for example: I looked into which types are acceptable to let through, but I also put in rules that accept RELATED and ESTABLISHED states in the chain for ICMP packets. Some types that I am willing to accept (3 and 11, unreachable and time-exceeded) don't reach the filter rule, because I guess they are caught by the RELATED and ESTABLISHED rules that are ACCEPTed. Of course, I could test it using some logging rules, but I don't care that much for this particular case. It's just an example.

After writing this, I'm not entirely sure what I'm looking for anymore, but I do know that I haven't seen a document or tool that provides the information I'm looking for...

Thanks for the helpful URLs!

Simon
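The logging check Simon says he could run, written out as an added example (it is not part of the original thread and not anyone's production ruleset). It generates two INPUT-chain rulesets for ICMP: the ordering described in the message, where the RELATED,ESTABLISHED ACCEPT sits in front of the per-type rules, and a diagnostic ordering with a rate-limited LOG rule in front of each ACCEPT so the kernel log and the per-rule counters show which rule a type 3 or 11 packet really hits. Assumptions: a host firewall whose INPUT chain ends in DROP, a conntrack-capable kernel, and the `-m conntrack --ctstate` match (on old iptables use `-m state --state` instead). By default the script only prints the iptables commands (`IPT=echo`); run it as root with `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Added example (not from the original thread). Two INPUT-chain rulesets for
# ICMP on an iptables host. By default the commands are only printed
# (IPT=echo); run as root with IPT=iptables to apply them for real.
# Assumptions: a host firewall whose INPUT chain ends in DROP, a conntrack-
# capable kernel, and that rules are appended in the order given.
IPT="${IPT:-echo}"

ipt() { "$IPT" "$@"; }

# Ordering as described in the message: the stateful ACCEPT comes first, so a
# type 3 or 11 packet that conntrack has tied to an existing flow (RELATED)
# matches rule 1 and never reaches the per-type rules. iptables is first-match:
# the counters on rules 3 and 4 will only ever count ICMP errors that conntrack
# did NOT associate with a flow, i.e. unsolicited ones.
icmp_rules_original() {
    ipt -A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    ipt -A INPUT -p icmp -j DROP
}

# Diagnostic ordering: each ACCEPT is preceded by a rate-limited LOG rule with
# its own prefix. LOG is non-terminating, so the packet continues to the next
# rule; -m limit keeps a flood of ICMP from filling the kernel log.
icmp_rules_logged() {
    ipt -A INPUT -p icmp --icmp-type destination-unreachable \
        -m limit --limit 10/min -j LOG --log-prefix "ICMP3 by type: "
    ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type time-exceeded \
        -m limit --limit 10/min -j LOG --log-prefix "ICMP11 by type: "
    ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Whatever is logged here is ICMP that conntrack tied to a flow but that is
    # not type 3, 11 or 8, e.g. echo-reply answering the host's own pings.
    ipt -A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED \
        -m limit --limit 10/min -j LOG --log-prefix "ICMP by state: "
    ipt -A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Log what falls through before dropping it.
    ipt -A INPUT -p icmp -m limit --limit 10/min -j LOG --log-prefix "ICMP dropped: "
    ipt -A INPUT -p icmp -j DROP
}

# Per-rule packet/byte counters: the cheapest way to see which rule a given
# packet class actually hits, without any LOG rules at all.
show_counters() {
    ipt -L INPUT -v -n --line-numbers
}

# Usage (as root): IPT=iptables sh icmp-check.sh logged
case "${1:-}" in
    original) icmp_rules_original ;;
    logged)   icmp_rules_logged ;;
    counters) show_counters ;;
esac
```

Read the result with `show_counters` or by grepping the kernel log for the prefixes. With the diagnostic ordering the "by type" lines count every type 3 and 11 packet, related or not; with the original ordering the same two rules count only the ones conntrack did not mark RELATED, which is arguably the more useful number, since for ICMP errors conntrack only assigns RELATED when the quoted inner header matches a flow it already tracks.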
