On Wed, Jan 10, 2007 at 11:23:29AM -0800, Paul Johnson wrote:
> Douglas Tutty wrote:
>
> > On Tue, Jan 09, 2007 at 11:23:56AM -0800, Paul Johnson wrote:
> >
> >> Douglas Tutty wrote:
> >>
> >> > I use shorewall with default block everything all directions then open
> >> > things up as needed.
> >>
> >> I bet you have a rule someplace that allows outgoing traffic that's part
> >> of an existing connection.
> >
> > Not that I specifically put in. I __think__ that's part of the
> > netfilter stuff directly. I just checked my shorewall configs and
> > there's nothing there allowing anything from the net and very specific
> > stuff out.
>
> I think shorewall assumes that you don't really want to block /all/ outbound
> traffic and does the right thing, then.

Before you assume this, you should check the netfilter docs. If by default I block all outgoing and incoming connections then there's no way to establish an 'existing' connection in the first place. If I allow outgoing http requests then the data is allowed back in without me opening the http port to allow incoming requests. That's the heart of netfilter.
Doug.
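The behaviour discussed in the thread (default drop in every direction, explicit outbound HTTP, replies admitted by connection tracking rather than by opening port 80 inbound), written out as a plain netfilter ruleset. This is an added example, not code from the thread or from Shorewall; the interface name, the ports and the log prefix are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a minimal stateful netfilter ruleset matching the reply's
# description. Policies drop everything; only listed NEW outbound
# connections get out; replies come back in via the conntrack rule, so
# tcp/80 is never opened for incoming requests.
WAN_IF="${WAN_IF:-eth0}"   # assumed upstream interface name

# Print the ruleset in iptables-restore(8) format.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is always allowed.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Connection tracking: packets belonging to a connection this host started
# (or RELATED to one, e.g. ICMP errors) are accepted. This is the rule that
# admits HTTP replies without any inbound tcp/80 rule.
-A INPUT -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that match no tracked connection state are dropped early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Only explicitly listed NEW outbound connections get out (assumed set).
-A OUTPUT -o $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Unsolicited traffic from the net is logged (rate limited), then dropped
# by the INPUT policy.
-A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Sanity check: number of rules accepting unsolicited NEW inbound traffic.
# For this ruleset it must be 0; the "|| true" keeps grep's exit status 1
# on a zero count from aborting a caller running under set -e.
inbound_new_accepts() {
    ruleset | grep -c -- '^-A INPUT .*--ctstate NEW.*-j ACCEPT' || true
}

if [ "${1:-}" = "--apply" ]; then
    ruleset | iptables-restore   # needs root; review the printed rules first
else
    ruleset                      # default: only show the generated rules
fi
```

Commenting out the INPUT ESTABLISHED,RELATED line and re-applying is the quickest way to see that outbound HTTP then times out: the request leaves, but every reply is dropped by the INPUT policy.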