-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jack Bowling wrote:

>> iptables -A INPUT -i eth1 -p udp -m udp --dport 67 -j ACCEPT
>> iptables -A INPUT -i eth1 -p udp -m tcp --dport 67 -j ACCEPT
>
> Just a point of order here: if you have the states RELATED,
> ESTABLISHED set for ACCEPT in your iptables INPUT chain, why would
> you need to open up port 67? Doesn't your box send the syn packet to
> the DHCP server and the DHCP server ACKs it (ip_conntrack sees it as
> RELATED then ESTABLISHED)? The beauty of having a stateful firewall
> is that you don't have to poke gaping holes in it!!

I think you're confused, Jack - the incoming request for a DHCP config
from a client to the DHCP server is not yet an established connection,
nor is it related to an existing connection. All resource servers
definitely do need holes in their firewalls if they're to be of any
use. ;-)

The above rule is on the server (or its intervening firewall). The
client, on the other hand, does not need this hole; that's where
ESTABLISHED and RELATED come in.

- -d

- --
David Talkington
PGP key: http://www.prairienet.org/~dtalk/0xCA4C11AD.pgp

- --
http://setiathome.ssl.berkeley.edu/pale_blue_dot.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.75-6

iQA/AwUBPGWBKL9BpdPKTBGtEQIxsQCfXSpB7QXIajedddiAa6rTAY7IUY0Aniyb
vzgWdFzppKVQke5tN52K83mo
=vrrS
-----END PGP SIGNATURE-----

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
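The following is an added example, not part of the original thread or of anyone's posted configuration: a small Python model of ip_conntrack's UDP flow tracking and of an iptables INPUT chain with a DROP policy, used to replay the DHCP exchange the reply above describes. It shows why the server side needs the explicit `--dport 67` rule (the DHCPDISCOVER arriving there is NEW) and why a client's unicast lease renewal is covered by the ESTABLISHED rule alone. It also covers one case the thread does not discuss, the initial broadcast DISCOVER/OFFER, where the reply's addresses are not the reverse of the request's. The addresses (RFC 5737 192.0.2.0/24 and the DHCP specials 0.0.0.0 / 255.255.255.255), the rule lists, and every name in the block (`Conntrack`, `input_verdict`, `SERVER_INPUT`, `CLIENT_INPUT`, and the scenario functions) are constructed for illustration.

```python
"""Toy model of ip_conntrack UDP tracking plus an iptables INPUT chain,
replaying the DHCP server/client exchange. Constructed example; addresses
and rule sets are illustrative, not taken from the mailing-list post."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class Conntrack:
    """Simplified ip_conntrack: flows are keyed by the 5-tuple of the first
    packet; a packet whose tuple is the reverse of a tracked flow is the reply
    and is classified ESTABLISHED. RELATED needs a protocol helper (e.g.
    ip_conntrack_ftp); DHCP has none, so it is not modelled here."""

    def __init__(self):
        self.flows = {}  # original-direction tuple -> True once a reply was seen

    @staticmethod
    def _tuple(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def classify(self, p):
        fwd = self._tuple(p)
        rev = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if rev in self.flows:          # reply direction of a tracked flow
            self.flows[rev] = True
            return "ESTABLISHED"
        if self.flows.get(fwd):        # original direction, reply already seen
            return "ESTABLISHED"
        self.flows.setdefault(fwd, False)
        return "NEW"


def accept_established(p, state):
    return state in ("ESTABLISHED", "RELATED")


def accept_udp_dport(port):
    return lambda p, state: p.proto == "udp" and p.dst_port == port


# INPUT chain of the DHCP server (or its intervening firewall): the stateful
# rule plus the explicit bootps hole quoted in the thread.
SERVER_INPUT = [
    ("-m state --state RELATED,ESTABLISHED -j ACCEPT", accept_established),
    ("-i eth1 -p udp -m udp --dport 67 -j ACCEPT", accept_udp_dport(67)),
]
# INPUT chain of the client: stateful rule only, no hole.
CLIENT_INPUT = [
    ("-m state --state RELATED,ESTABLISHED -j ACCEPT", accept_established),
]


def input_verdict(chain, ct, p):
    """Run an inbound packet through conntrack, then the chain (policy DROP).
    Returns (verdict, conntrack state, matching rule text or None)."""
    state = ct.classify(p)
    for text, match in chain:
        if match(p, state):
            return "ACCEPT", state, text
    return "DROP", state, None


SERVER, CLIENT = "192.0.2.1", "192.0.2.10"     # constructed addresses
UNSPEC, BCAST = "0.0.0.0", "255.255.255.255"   # DHCP initial-exchange addresses


def server_sees_discover():
    """Fresh client: DHCPDISCOVER 0.0.0.0:68 -> 255.255.255.255:67 at the server."""
    return input_verdict(SERVER_INPUT, Conntrack(), Packet(UNSPEC, 68, BCAST, 67))


def server_without_hole():
    """Same DISCOVER against a chain with only the stateful rule: nothing is
    ESTABLISHED yet, so the request is dropped."""
    return input_verdict(CLIENT_INPUT, Conntrack(), Packet(UNSPEC, 68, BCAST, 67))


def client_renewal():
    """Lease renewal: unicast REQUEST out (seen by conntrack on the OUTPUT
    path), unicast ACK back. The ACK is the reverse tuple, so ESTABLISHED."""
    ct = Conntrack()
    ct.classify(Packet(CLIENT, 68, SERVER, 67))
    return input_verdict(CLIENT_INPUT, ct, Packet(SERVER, 67, CLIENT, 68))


def client_initial_offer():
    """Caveat: the initial OFFER (server:67 -> 255.255.255.255:68) is not the
    reverse of the DISCOVER (0.0.0.0:68 -> 255.255.255.255:67), so conntrack
    sees NEW and the stateful rule alone does not accept it."""
    ct = Conntrack()
    ct.classify(Packet(UNSPEC, 68, BCAST, 67))
    return input_verdict(CLIENT_INPUT, ct, Packet(SERVER, 67, BCAST, 68))


if __name__ == "__main__":
    for scenario in (server_sees_discover, server_without_hole,
                     client_renewal, client_initial_offer):
        print(f"{scenario.__name__:22} -> {scenario()}")
```

The first two scenarios are the server-side point of the reply: a DHCP request from a new client is the first packet of its flow, so only an explicit ACCEPT for UDP 67 lets it in. The third is the client-side point for a unicast renewal. The fourth is the practical caveat: the initial broadcast OFFER is NEW to conntrack, so a client whose INPUT chain holds only the stateful rule would drop it at the IP layer; Linux DHCP clients such as ISC dhclient still get configured because they read from a packet (AF_PACKET) socket, which receives the frame before the IP stack reaches the INPUT hook.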