Disabling ipv6
Reindl Harald
h.reindl at thelounge.net
Fri Jul 12 22:55:56 UTC 2013
Am 13.07.2013 00:45, schrieb David Beveridge:
> On Fri, Jul 12, 2013 at 4:43 AM, Joe Zeff <joe at zeff.us> wrote:
>>
>> Can you give a practical example, please. I've no reason to disbelieve you,
>> but I've also never run across such a case and would like to see one.
>>
> This kind of depends on what iptables or firewall rules you have,
> but for a moment lets assume that you allow "related" connections on your input.
>
> What this means is to allow anything you connect outbound to to be
> trusted to make a reverse connection back to you.
>
> So you are therefore trusting everything you connect to. Doesn't
> sound very "Secure" to me
would you please be so kind and inform you instead spread FUD
how do you imagine that a UDP service answers since it is a
stateless proctocol without the rule below?
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
*no* it does *not* open any incoming traffic to you - only *related*
what is related? the combination outgoing/incoming port/IP because if
you start a connection your software chooses a random port above 1024
and the answer comes back to exactly this port
https://en.wikipedia.org/wiki/Stateful_firewall
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20130713/0b92a175/attachment.sig>
More information about the users
mailing list