Re: stateful firewall
On 22 Mar 2001 10:57:14 -0800, Mike Fedyk wrote:
> In a way, 2.2 already had something similar. Masq+Masq_ftp.
Weeeeellllllllll ... ish ...
> You can even masq only ftp, and get the benefit. Though, this is a
> workaround, it does help.
Yes, but only if you're doing masquerading. I run quite a tight firewall
on my local machine, which isn't doing masq or nat for anything. I run
ip_conntrack_ftp and ip_conntrack_irc, and this way, I can say "allow
all RELATED connections", so every FTP transfer, every DCC transfer,
will get marked as related, so I can allow everything without needing to
open all my high ports.
See how this is 10,000 times better than: a) ipchains, and b)
statelessness?
:) d
--
Daniel Stone
Linux Kernel Developer
daniel@kabuki.openfridge.net
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
G!>CS d s++:- a---- C++ ULS++++$>B P---- L+++>++++ E+(joe)>+++ W++ N->++ !o
K? w++(--) O---- M- V-- PS+++ PE- Y PGP>++ t--- 5-- X- R- tv-(!) b+++ DI+++
D+ G e->++ h!(+) r+(%) y? UF++
------END GEEK CODE BLOCK------
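
The mechanism described in the message above, as an added example that is not part of the original post and is not kernel code: a simplified Python model of a conntrack FTP helper that reads the PORT command on the control channel, so that a firewall can accept the resulting data connection as RELATED while every other inbound connection to a high port stays blocked. The class, its methods and all addresses are constructed for illustration.

```python
import re

# Active-mode FTP command (RFC 959): PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")

class ToyConntrack:
    """Simplified model of conntrack plus an FTP helper; not kernel code."""
    def __init__(self, local_ip):
        self.local_ip = local_ip
        self.flows = set()      # accepted flows, stored in both directions
        self.expected = set()   # (src, dst, dport) registered by the helper

    def state(self, src, sport, dst, dport):
        if (src, sport, dst, dport) in self.flows:
            return "ESTABLISHED"
        if (src, dst, dport) in self.expected:
            return "RELATED"
        return "NEW"

    def ftp_helper(self, src, dst, payload):
        m = PORT_RE.match(payload)
        # Ignore non-PORT traffic and PORT commands naming a third-party address.
        if not m or ".".join(m.groups()[:4]) != src:
            return
        port = int(m.group(5)) * 256 + int(m.group(6))
        self.expected.add((dst, src, port))  # expect server -> client:port

    def filter(self, src, sport, dst, dport, payload=""):
        """Policy: local host may open anything; inbound needs tracked state."""
        st = self.state(src, sport, dst, dport)
        if not (src == self.local_ip or st in ("ESTABLISHED", "RELATED")):
            return st, "DROP"
        if st == "RELATED":
            self.expected.discard((src, dst, dport))  # expectation is one-shot
        self.flows |= {(src, sport, dst, dport), (dst, dport, src, sport)}
        if 21 in (sport, dport):  # only the control channel feeds the helper
            self.ftp_helper(src, dst, payload)
        return st, "ACCEPT"

def demo():
    # Constructed traffic: local client 192.0.2.10, FTP server 198.51.100.5.
    fw, c, s = ToyConntrack("192.0.2.10"), "192.0.2.10", "198.51.100.5"
    return [
        fw.filter(c, 40000, s, 21),                      # control channel opens
        fw.filter(c, 40000, s, 21, "PORT 192,0,2,10,195,80\r\n"),  # port 50000
        fw.filter("203.0.113.9", 20, c, 50000),          # stranger, same port
        fw.filter(s, 20, c, 50000),                      # announced data connection
        fw.filter(s, 20, c, 50001),                      # server, unannounced port
    ]
```
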