iptables/firewall brainstorming

Roberto Ragusa mail at robertoragusa.it
Wed Jun 17 19:51:36 UTC 2009


Thomas Woerner wrote:
> Roberto Ragusa wrote:
>> //A
>> if(port==(20-21)) PERMIT;
>> //B
>> if(port==(20-21) && net==trusted) PERMIT;
>> //default
>> DENY;
> A wins here. The first matching rule will be used. Therefore there is no
> restriction for a trusted network. So your ftp server will be available
> for everyone - even in a public wifi.

And this is exactly what should happen.
B is trying to give permissions to some machines, but
it is useless, as A is giving permission to everyone.

If it were:

//B
if(port==(20-21) && net==trusted) PERMIT;
//A
if(port==(20-21)) PERMIT;
//default
DENY;

then B would give permission to some machines and A would give permission
to all the others, so even if the decision process is a little different
the final result is the same as before.

The ftp server is available for everyone.
Good, so A is doing its job. :-)

-- 
   Roberto Ragusa    mail at robertoragusa.it
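As an added illustration of the first-match point made in this exchange (this is example code, not something posted in the thread or taken from any firewall project), the evaluator below walks a rule list in order, lets the first matching rule decide, and falls back to a DENY policy, the way an iptables chain does. It also flags rules that can never decide a packet because an earlier rule already matches everything they match. The trusted network, the source addresses and the rule names are assumptions chosen for the example; the thread names none of them.

```python
# Added example, not from the mailing-list thread: a minimal first-match
# rule evaluator mirroring an iptables chain. Rules are consulted in order,
# the first rule whose conditions all hold decides the packet, and the
# chain policy (DENY here) applies when nothing matched.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed "trusted" network for the example; the thread does not name one.
TRUSTED = ip_network("192.168.1.0/24")


@dataclass
class Rule:
    name: str
    verdict: str                        # "PERMIT" or "DENY"
    ports: Optional[range] = None       # destination ports, None = any port
    net: Optional[IPv4Network] = None   # source network, None = any source

    def matches(self, src: str, dport: int) -> bool:
        if self.ports is not None and dport not in self.ports:
            return False
        if self.net is not None and ip_address(src) not in self.net:
            return False
        return True


def evaluate(rules: List[Rule], src: str, dport: int,
             policy: str = "DENY") -> Tuple[str, str]:
    """First-match evaluation: (verdict, name of the rule that decided)."""
    for r in rules:
        if r.matches(src, dport):
            return r.verdict, r.name
    return policy, "policy"


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`.
    Only exact port-range equality and network containment are checked,
    which is enough for the rules discussed in the thread."""
    ports_ok = outer.ports is None or outer.ports == inner.ports
    net_ok = outer.net is None or (
        inner.net is not None and inner.net.subnet_of(outer.net))
    return ports_ok and net_ok


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never decide a packet, because some earlier
    rule already matches everything they match."""
    return [r.name for i, r in enumerate(rules)
            if any(_covers(earlier, r) for earlier in rules[:i])]


# Rule A: FTP (ports 20-21) from anywhere.
# Rule B: FTP (ports 20-21) only from the trusted network.
A = Rule("A", "PERMIT", ports=range(20, 22))
B = Rule("B", "PERMIT", ports=range(20, 22), net=TRUSTED)

ORDER_A_FIRST = [A, B]   # the first ordering quoted in the thread
ORDER_B_FIRST = [B, A]   # the second ordering quoted in the thread
RESTRICTED = [B]         # what actually limits FTP to the trusted network


if __name__ == "__main__":
    # Constructed sample packets: one from an untrusted address (assumed
    # to be on some public network), one from inside the trusted network.
    for src, dport in [("203.0.113.5", 21), ("192.168.1.10", 21),
                       ("203.0.113.5", 22)]:
        for label, rules in [("A then B", ORDER_A_FIRST),
                             ("B then A", ORDER_B_FIRST),
                             ("B only", RESTRICTED)]:
            verdict, by = evaluate(rules, src, dport)
            print(f"{label:9s} {src:14s} port {dport:2d}: {verdict} (by {by})")
    print("shadowed in 'A then B':", shadowed(ORDER_A_FIRST))
    print("shadowed in 'B then A':", shadowed(ORDER_B_FIRST))
```

Under both orderings an untrusted source reaches port 21 (decided by A either way), so the only difference is which rule claims the trusted source; B is reported as shadowed when it follows A, and the FTP service is only restricted once A is dropped.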
