Re: iptables: "stateful inspection?"

From: Alan Cox (alan@lxorguk.ukuu.org.uk)
Date: Wed Dec 20 2000 - 15:45:28 EST


> "Michael H. Warfield" wrote:
> > I think that's more than a little overstatement on your
> > part. It depends entirely on the application you intend to put
> > it to.
>
> Fine. How do I make FTP work through it? How can I allow all outgoing

Passive mode or a proxy.

> TCP connections without opening the network to inbound connections on
> the ports of desired services?

It does SYN checking. If you are running 'serious' security you wouldn't be
allowing outgoing connections anyway. One Windows christmascard.exe virus that
connects back to an IRC server to take input and you are hosed.

So it's perfectly adequate for basic security, but if you want serious security
and you don't have passwords on outgoing connections think again. If you are
using ftp then be sure to also use other methods to verify a third party didn't
change the file you up/downloaded too.

Alan
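
An added illustration, not part of the original message: a small Python model of the "SYN checking" mentioned above beside a simple connection-tracking filter, run over constructed packets. The addresses, ports, labels and function names are assumptions made for the example, and the tracking filter has no FTP helper.

```python
from collections import namedtuple

# Constructed model of a TCP segment as seen at the firewall; not capture data.
Pkt = namedtuple("Pkt", "direction src sport dst dport flags")

def syn_check_filter(pkt):
    """Stateless rule: allow everything outbound; allow inbound unless it is
    a bare SYN (SYN set, ACK clear), i.e. a new inbound connection."""
    if pkt.direction == "out":
        return True
    return not ("SYN" in pkt.flags and "ACK" not in pkt.flags)

class StatefulFilter:
    """Remembers connections opened from inside; inbound must match one."""
    def __init__(self):
        self.conns = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound is accepted only as the reverse of a tracked connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns

# Hypothetical hosts (documentation address ranges).
IN, FTP, IRC, EXT = "10.0.0.5", "192.0.2.10", "192.0.2.66", "198.51.100.7"
TRAFFIC = [
    ("passive FTP data, client opens", Pkt("out", IN, 40001, FTP, 50123, {"SYN"})),
    ("passive FTP data, server reply", Pkt("in", FTP, 50123, IN, 40001, {"SYN", "ACK"})),
    ("active FTP data from port 20", Pkt("in", FTP, 20, IN, 40002, {"SYN"})),
    ("unsolicited inbound ACK", Pkt("in", EXT, 4444, IN, 139, {"ACK"})),
    ("outbound connect-back to IRC", Pkt("out", IN, 40003, IRC, 6667, {"SYN"})),
]

def evaluate(traffic=TRAFFIC):
    """Return {label: (syn_check_verdict, stateful_verdict)} for each packet."""
    stateful = StatefulFilter()
    return {label: (syn_check_filter(p), stateful.allow(p)) for label, p in traffic}

if __name__ == "__main__":
    for label, (syn_ok, st_ok) in evaluate().items():
        verdict = lambda ok: "pass" if ok else "drop"
        print(f"{label:32} syn-check={verdict(syn_ok)} stateful={verdict(st_ok)}")
```

Passive mode passes because the client opens the data connection; the active-mode data connection arrives as an inbound bare SYN and is dropped. The outbound connect-back passes both filters, which is the point about allowing all outgoing connections.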
