[BBLISA] Troubleshooting iptables/netfilter problems
John Miller
johnmill at brandeis.edu
Fri Feb 28 16:31:04 EST 2014
On Fri, Feb 28, 2014 at 3:52 PM, Chuck Anderson <cra at wpi.edu> wrote:
> On Fri, Feb 28, 2014 at 12:14:30PM -0500, John P. Rouillard wrote:
> > I have not seen this, but you could simplify the rule and remove
> >
> > "-m state --state NEW"
> >
> > for testing to see if the problem goes away. That should eliminate any
> > issues with the state setup and allow all ldap traffic to pass
> > through.
>
> I vote for this as a permanent solution. Why would you want netfilter
> to track state on inbound connections to a server in most cases? Are
> you also filtering outbound replies or do you have a default-allow
> outbound ruleset?
>
>
Agreed there. I don't think we do care about state for a lot of the
applications we run. They're locked down to a particular set of hosts that
we trust. With a default policy of rejecting packets, we do, however, need
a way to allow return traffic, and with a firewall, allowing all
established/related traffic is important. Gotta be stateful for that.
It's been a while since we've looked deeply at how we manage our host-based
firewalls (if it doesn't break, it doesn't always get attention), so this
is a good opportunity to question ourselves.
John
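An added illustration of the two points made above, written for this page rather than taken from the thread or from anyone's actual ruleset: with a default-DROP INPUT chain the one rule that genuinely needs connection tracking is the ESTABLISHED,RELATED accept for return traffic, and once that rule sits first, a `-m state --state NEW` qualifier on the per-service rule is redundant, because any port-389 packet that reaches it is already known not to belong to an existing connection. The trusted network, the interface assumptions and the choice of LDAP on 389/tcp are constructed for the example; the script only emits an iptables-restore ruleset so it can be inspected without root.

```shell
#!/bin/sh
# Added example (not the thread's ruleset): a minimal stateful host firewall in
# iptables-restore format. Addresses are constructed from the RFC 5737
# documentation range; the LDAP port (389/tcp) is an assumption for illustration.
TRUSTED_NET="192.0.2.0/24"

# Emit the ruleset. To load it, run as root:  ruleset | iptables-restore
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Return path: replies to connections this host opened, and related traffic
# such as ICMP errors, are accepted even though the INPUT policy is DROP.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Packets conntrack cannot classify (stray ACKs, out-of-window segments).
-A INPUT -m state --state INVALID -j DROP
# LDAP from trusted hosts. No "--state NEW" here: after the two rules above,
# the only port-389 packets still unmatched are new connections anyway.
-A INPUT -s ${TRUSTED_NET} -p tcp --dport 389 -j ACCEPT
COMMIT
EOF
}

# Checks that can run without root: inspect the emitted text instead of loading it.
has_return_path() {
    ruleset | grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT'
}

ldap_rule_is_stateless() {
    ! ruleset | grep -- '--dport 389' | grep -q -- '--state NEW'
}

input_rule_count() {
    ruleset | grep -c '^-A INPUT'
}
```

On current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`; the two match the same conntrack entries, so the reasoning about rule order is unchanged. Note that the stateless LDAP rule relies on the ESTABLISHED,RELATED and INVALID rules preceding it; reorder them and the "NEW" qualifier stops being redundant.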