On Sat, 09 Feb 2002 12:05:56 -0800 (PST) David Talkington <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jack Bowling wrote:
>
> >> iptables -A INPUT -i eth1 -p udp -m udp --dport 67 -j ACCEPT
> >> iptables -A INPUT -i eth1 -p tcp -m tcp --dport 67 -j ACCEPT
> >
> > Just a point of order here: if you have the states RELATED,
> > ESTABLISHED set for ACCEPT in your iptables INPUT chain, why would
> > you need to open up port 67? Doesn't your box send the syn packet to
> > the DHCP server and the DHCP server ACKs it (ip_conntrack sees it as
> > RELATED then ESTABLISHED)? The beauty of having a stateful firewall
> > is that you don't have to poke gaping holes in it!!
>
> I think you're confused, Jack - the incoming request for a DHCP config
> from a client to the DHCP server is not yet an established connection,
> nor is it related to an existing connection. All resource servers
> definitely do need holes in their firewalls if they're to be of any
> use. ;-)
>
> The above rule is on the server (or its intervening firewall). The
> client, on the other hand, does not need this hole; that's where
> ESTABLISHED and RELATED come in.

Agghhh!! Of course. I was thinking client only. I have seen way too many
client boxes with ipchains rulesets converted to iptables with unnecessary
holes.

jb

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
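The server/client distinction the thread settles on, written out as two minimal stateful INPUT chains. This is an added example, not a ruleset posted by anyone in the thread: the interface name eth1 is taken from the quoted rule, the `-m state` match syntax is assumed (the `-m conntrack --ctstate` form is the modern equivalent), and the default `IPTABLES="echo iptables"` only prints the commands so the script can be reviewed without root before it is applied with `IPTABLES=iptables`.

```shell
#!/bin/sh
# Added example (not from the thread): minimal stateful INPUT chains for a
# DHCP server and a DHCP client. The default only prints the commands; set
# IPTABLES=iptables to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"
# Assumed LAN-facing interface name (eth1 as in the quoted rule).
LAN_IF="${LAN_IF:-eth1}"

run() { $IPTABLES "$@"; }

# Rules every host gets: default-deny INPUT, loopback, stateful accept,
# and a drop for packets conntrack cannot classify.
base_input_rules() {
    run -P INPUT DROP
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m state --state INVALID -j DROP
}

# DHCP server: a client's DISCOVER arrives with no prior outbound flow from
# this host, so conntrack classifies it as NEW and the ESTABLISHED,RELATED
# rule alone never accepts it. An explicit hole for UDP/67 on the LAN
# interface is required; nothing else is opened.
dhcp_server_rules() {
    base_input_rules
    run -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
}

# DHCP client: the host originates the request itself (UDP 68 -> 67), so the
# server's reply is the return direction of an existing conntrack entry and
# is accepted as ESTABLISHED. No inbound hole is added.
dhcp_client_rules() {
    base_input_rules
}

case "${1:-}" in
    server) dhcp_server_rules ;;
    client) dhcp_client_rules ;;
    *) echo "usage: $0 server|client" >&2 ;;
esac
```

Run `sh dhcp-fw.sh server` or `sh dhcp-fw.sh client` to print the chain for review; the only line that differs between the two is the UDP/67 accept, which is exactly the hole a converted client ruleset should not carry.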