On Wednesday 31 January 2007 10:00, [EMAIL PROTECTED] wrote:
> > And you can save me a 15min drive to test:
> > I've just set up a Dlink 604T for my sister.
> > Everything OUT is allowed in the filter setup.
> > Is ESTABLISHED,RELATED permitted back or do I have to explicitly allow
> > WWW, MAIL and SSH back?
> > (There are no services offered)
>
> Doesn't make sense to have to open these ports if you don't serve anything
> on them - practically any normal TCP client uses a random TCP port
> automatically assigned to it by the system when it calls connect(2), so you
> can't tell before the connect(2) which port should be opened back. That's
> what a "stateful firewall" (http://en.wikipedia.org/wiki/Stateful_firewall)
> is all about.
>
> Also it wouldn't make much sense to allow any TCP packet out without
> automatically allowing the returning traffic.
>
> So without knowing this particular model (I have a 504g), I'd expect you to
> be covered in that area.
Thanks. I'm sure that it will be the same.

I set up Telstra cable for a mate on Edgy. I used 'guarddog' and I had to explicitly allow the services back. Bizarre!! E.g. explicitly allow 80 back to get WWW, or 110 for mail, but the negotiated ports associated with the above were allowed, so ... I browse somewhere:80; I can't see it unless I allow 80 incoming. The server negotiates to use (say) 4567. That does not affect operation at all. I.e. this kind of rubbish:

    tigger:/home/jam # netstat -anp | grep :80
    tcp  0  0 :::80              :::*              LISTEN       3515/httpd2-prefork
    tcp  0  0 192.168.5.254:80   58.6.56.217:1036  ESTABLISHED  13246/httpd2-prefor
    tcp  0  0 192.168.5.254:80   58.6.56.217:1037  ESTABLISHED  3518/httpd2-prefork

Now if I was 58.6.56.217 we'd be talking on 1036. That worked fine!

Maybe guarddog allows ESTABLISHED but not RELATED.

Thanks
James

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
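As an added example (not part of the thread, and not guarddog's or netfilter's code), here is a toy Python model of the two behaviours the thread is comparing: the stateless "allow 80/110/22 back" rules that had to be added by hand, and a connection tracker that implements the ESTABLISHED,RELATED check (what iptables does with `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`). All addresses, ports and packets are constructed for the demo. It goes one step beyond the thread to show why the stateless version is worse than merely inconvenient: a rule that accepts anything arriving from source port 80 also accepts an unsolicited SYN that an outsider sends from source port 80 to, say, port 22, whereas the tracker drops it because no inside host opened that flow.

```python
# Toy model of stateless "allow the service port back" rules versus a
# connection tracker. Added example, not code from the thread, guarddog or
# netfilter; the addresses, ports and packets below are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

SERVICE_PORTS = {80, 110, 22}  # WWW, MAIL, SSH, as named in the thread


@dataclass(frozen=True)
class Packet:
    proto: str                         # "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False                  # TCP SYN flag
    ack: bool = False                  # TCP ACK flag
    inner: Optional[Tuple] = None      # ICMP errors quote the packet that triggered them


def stateless_decision(pkt: Packet, direction: str) -> str:
    """A stateless 'allow the service port back in' rule. It sees only the
    header, so it accepts any inbound TCP packet whose *source* port is a
    service port, including a fresh SYN an attacker sends from port 80."""
    if direction == "out":
        return "ACCEPT"
    if pkt.proto == "tcp" and pkt.sport in SERVICE_PORTS:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Minimal connection tracker. Outbound TCP packets are allowed and
    recorded; inbound packets are accepted only if they answer a recorded
    connection (ESTABLISHED) or are an ICMP error about one (RELATED)."""

    def __init__(self) -> None:
        # (src, sport, dst, dport) of every connection opened from inside
        self.conntrack: set = set()

    def decision(self, pkt: Packet, direction: str) -> str:
        if direction == "out":
            if pkt.proto == "tcp":
                self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT (NEW)"
        if pkt.proto == "tcp":
            # The reply swaps the endpoints: the server port (80) is fixed,
            # the client side is the ephemeral port chosen at connect(2) time.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
                return "ACCEPT (ESTABLISHED)"
            return "DROP"  # unsolicited, even if its source port happens to be 80
        if pkt.proto == "icmp" and pkt.inner in self.conntrack:
            return "ACCEPT (RELATED)"  # e.g. a "port unreachable" for our own flow
        return "DROP"


def demo() -> dict:
    """Run one outbound web connection, its reply, an attacker probe and two
    ICMP errors through both filters; returns the verdicts by name."""
    client, server = "192.168.0.10", "203.0.113.5"          # constructed
    attacker, router = "198.51.100.7", "203.0.113.1"         # constructed
    out_syn = Packet("tcp", client, 1036, server, 80, syn=True)            # client -> web server
    reply = Packet("tcp", server, 80, client, 1036, syn=True, ack=True)    # SYN/ACK back to port 1036
    probe = Packet("tcp", attacker, 80, client, 22, syn=True)              # scan using source port 80
    icmp_err = Packet("icmp", router, 0, client, 0, inner=(client, 1036, server, 80))
    stray_icmp = Packet("icmp", router, 0, client, 0, inner=(client, 2222, attacker, 25))

    sf = StatefulFilter()
    return {
        "stateless_reply": stateless_decision(reply, "in"),
        "stateless_probe": stateless_decision(probe, "in"),      # the hole: accepted
        "stateful_out": sf.decision(out_syn, "out"),
        "stateful_reply": sf.decision(reply, "in"),
        "stateful_probe": sf.decision(probe, "in"),              # dropped: no matching flow
        "stateful_icmp": sf.decision(icmp_err, "in"),
        "stateful_stray_icmp": sf.decision(stray_icmp, "in"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The tracker never needs a per-service inbound rule: the only thing that lets a packet in is a matching entry created by traffic that left first, which is exactly what makes the "which port should be opened back" question go away.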