Re: --state ESTABLISHED,RELATED (was: Re: POP-before-SMTP/log2db/RH 6.2/Sendmail 8.11/Cyrus-SASL)

From: Cedric Blancher (blancher@cartel-securite.fr)
Date: 02/05/02


From: Cedric Blancher <blancher@cartel-securite.fr>
Date: Tue, 5 Feb 2002 07:18:58 +0000 (UTC)

In his message, Alan W. Frame (alan.frame@acm.org) wrote to us:
> OK, aside from "placing motion detectors inside air ducts"[0], does the
> paranoid administrator have one ESTABLISHED,RELATED rule on a linux
> router, or explicitly list ESTABLISHED,RELATED within *each* in/out
> FORWARD chain rule?

Using an explicit ESTABLISHED,RELATED rule for each in/out FORWARD rule
means that you think a packet can have ESTABLISHED or RELATED state
without a previous NEW packet having been authorized.
As far as I understand Netfilter, a packet is ESTABLISHED if a proper
state can be found in the conntrack list (/proc/net/ip_conntrack), and the
same goes for a RELATED one. For such a state to be present, a NEW packet
must have been accepted before.

Which means that using one ESTABLISHED,RELATED rule for each NEW rule is
the same as assuming that Netfilter conntracking is buggy (which it can
be...). In that case, I would use another filter, for I do not want my
security to rely on a tool I do not trust.

-- 
 I have just been connected to the Internet via Cybercable. I want to
 know whether, when you stay connected via Cybercable, you pay more
 for electricity or something of the sort.
 -+- QV - Guide du Neuneu d'Usenet (Usenet Newbie's Guide) - Keep me posted (and plugged in), please -+-
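The ruleset shape the reply argues for, as an added example that is not part of the original post: a FORWARD chain with a policy of DROP, exactly one ESTABLISHED,RELATED rule at the top, and per-service rules that only match NEW. The script generates an iptables-restore fragment rather than calling iptables directly, so it can be read and checked without root. The interface names (eth0 inside, eth1 outside), the service list, and the helper names are assumptions for illustration; the `-m state --state` syntax is the one used in the thread (modern iptables accepts it as an alias for `-m conntrack --ctstate`).

```shell
#!/bin/sh
# Added example, not code from the original post. Emits an iptables-restore
# fragment for the FORWARD chain. Interface names and services are assumed.
LAN_IF="${LAN_IF:-eth0}"   # assumed internal interface
WAN_IF="${WAN_IF:-eth1}"   # assumed external interface

# forward_rules PROTO:PORT ...
# Each argument is a service that LAN hosts may open outbound (NEW packets).
forward_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':FORWARD DROP [0:0]'
    # One state rule only. Any packet conntrack already knows about is
    # accepted here; a flow only reaches ESTABLISHED/RELATED after its NEW
    # packet was accepted by one of the service rules below, so those rules
    # do not need to repeat the state match.
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for svc in "$@"; do
        proto=${svc%%:*}
        port=${svc#*:}
        printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    # Whatever is left is INVALID or an unauthorized NEW: log it, then the
    # chain policy (DROP) applies.
    printf '%s\n' '-A FORWARD -j LOG --log-prefix "FORWARD drop: "'
    printf '%s\n' 'COMMIT'
}

# Number of rules carrying the ESTABLISHED,RELATED match; expected to be 1.
count_state_rules() {
    forward_rules "$@" | grep -c -- '--state ESTABLISHED,RELATED'
}

# 1-based position of the state rule among the -A FORWARD rules; expected 1,
# i.e. it is evaluated before any service rule.
state_rule_position() {
    forward_rules "$@" | grep -- '^-A FORWARD' | grep -n -- 'ESTABLISHED,RELATED' | cut -d: -f1 | head -n1
}

# Usage (as root, on the router): forward_rules tcp:25 tcp:110 | iptables-restore
```

The two check functions make the property explicit: if a later edit adds a second state rule or pushes the first one below a service rule, the counts change and the ruleset no longer has the single-choke-point shape the reply describes.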