Re: [suse-security] Message Log Question
On Wed, 9 May 2001 12:20:05 +0200 (CEST), Markus Gaugusch wrote:
IMHO a packet filter like ipchains can only decide what to do with a packet by looking at this very packet. So if you get a packet without the SYN flag set from somewhere to, say, port 61500, how can ipchains know if it's a response to a masqueraded request or a response to a request from a local app using this port? It is not decided by ipchains but by the kernel. The kernel knows the masqueraded connections, and can therefore differentiate between local and masqueraded connections.
But the input chain will be called, too. If you want to filter masq'd connections and local connections on the firewall box separately (i.e. to heavily restrict direct access to and from the firewall machine), having them in the same port range makes no sense, or am I wrong somehow? - Martin
hth Markus
-- 
Markus Gaugusch    ICQ 11374583    markus@gaugusch.dhs.org
ASCII Ribbon Campaign Against HTML Mail
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
--- The Internet was invented as a highly dependable, high-speed, distributed, secure, and powerful network so that in the event of a nuclear crisis, military officials would always have access to pornography.
But the input chain will be called, too.
If you want to filter masq'd connections and local connections on the firewall box separately (i.e. to heavily restrict direct access to and from the firewall machine), having them in the same port range makes no sense, or am I wrong somehow?
So use a different range and quit complaining about it. Sheesh. Personally I stick 'em in the same range and it works for me. BTW, little hint, forwarding rules...
- Martin
Kurt Seifried, seifried@securityportal.com Securityportal - your focal point for security on the 'net
So use a different range and quit complaining about it. Sheesh. Personally I stick 'em in the same range and it works for me. BTW, little hint, forwarding rules...
I am sorry if my ongoing questions and my desire for knowledge and for a clear understanding of the discussed subject have offended you in any way.
- Martin
--- The Internet was invented as a highly dependable, high-speed, distributed, secure, and powerful network so that in the event of a nuclear crisis, military officials would always have access to pornography.
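The point Markus and Martin are circling, and the "forwarding rules" hint from Kurt, can be put into an actual ipchains ruleset. The following is an added example, not code posted by anyone in this thread: a kernel 2.2 / ipchains policy in which the masquerade port range and the firewall's own ephemeral port range (ip_local_port_range) are kept disjoint, so that a stateless input chain can tell a reply to a masqueraded LAN connection (accepted from anyone, then demasqueraded by the kernel) from a reply to a connection the firewall itself opened (accepted only from a trusted peer). It relies on `-y` matching packets with SYN set and ACK/FIN clear, `! -y` matching everything else, and on the IPCHAINS-HOWTO packet path, where demasqueraded replies skip the forward chain. The interface names, addresses (203.0.113.10, 192.168.1.0/24, 198.51.100.5) and the port ranges are assumptions for illustration; the 61000-65096 masquerade range and the 1024-4999 local range are the 2.2 defaults. With `DRY_RUN=1` (the default) the script only prints the commands, so it runs without ipchains installed; `classify` mirrors the input chain's decision for a TCP packet arriving on the external interface so the policy can be checked before it is loaded.

```shell
#!/bin/sh
# Added example (not from the suse-security thread): ipchains policy keeping the
# masquerade port range and the firewall's local ephemeral port range disjoint.
# Assumptions: external interface eth0 (203.0.113.10), internal interface eth1
# (192.168.1.0/24), one trusted peer 198.51.100.5 the firewall itself may talk to.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.

EXT_IF=eth0
INT_IF=eth1
EXT_IP=203.0.113.10
LAN=192.168.1.0/24
TRUSTED=198.51.100.5
MASQ_LO=61000; MASQ_HI=65096   # kernel 2.2 default masquerade port range
LOCAL_LO=1024;  LOCAL_HI=4999  # written to ip_local_port_range (2.2 default)
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# True (exit 0) when [lo1,hi1] and [lo2,hi2] share no port.
ranges_disjoint() { [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]; }

# Mirror of the input-chain rules below for a TCP packet arriving on $EXT_IF.
# usage: classify SRC_IP DST_PORT syn|nosyn   -> prints the verdict
classify() {
    src=$1; port=$2; flags=$3
    if [ "$flags" = nosyn ] && [ "$port" -ge "$MASQ_LO" ] && [ "$port" -le "$MASQ_HI" ]; then
        echo "ACCEPT masq-reply"      # reply to a masqueraded LAN connection
    elif [ "$flags" = nosyn ] && [ "$src" = "$TRUSTED" ] \
         && [ "$port" -ge "$LOCAL_LO" ] && [ "$port" -le "$LOCAL_HI" ]; then
        echo "ACCEPT local-reply"     # reply to a connection the firewall opened
    elif [ "$flags" = syn ] && [ "$src" = "$TRUSTED" ] && [ "$port" -eq 22 ]; then
        echo "ACCEPT ssh"
    else
        echo "DENY"
    fi
}

apply_rules() {
    # The whole policy depends on the two ranges not overlapping; refuse otherwise.
    if ! ranges_disjoint "$MASQ_LO" "$MASQ_HI" "$LOCAL_LO" "$LOCAL_HI"; then
        echo "refusing: masquerade range and local port range overlap" >&2
        return 1
    fi
    run sh -c "echo $LOCAL_LO $LOCAL_HI > /proc/sys/net/ipv4/ip_local_port_range"
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT
    run ipchains -A input -i lo -j ACCEPT
    # Forwarded LAN packets pass the input chain on the internal interface first.
    run ipchains -A input -i "$INT_IF" -s "$LAN" -j ACCEPT
    # On the forward chain -i is the outgoing interface: masquerade LAN traffic leaving eth0.
    run ipchains -A forward -s "$LAN" -i "$EXT_IF" -j MASQ
    # Non-SYN packets into the masquerade range: the kernel demasquerades them, from any source.
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -d "$EXT_IP" "$MASQ_LO:$MASQ_HI" -j ACCEPT
    # Replies to the firewall's own connections land in the local range: trusted peer only.
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -s "$TRUSTED" -d "$EXT_IP" "$LOCAL_LO:$LOCAL_HI" -j ACCEPT
    # New connections to the firewall itself: ssh from the trusted peer only.
    run ipchains -A input -i "$EXT_IF" -p tcp -y -s "$TRUSTED" -d "$EXT_IP" 22 -j ACCEPT
    # Anything else aimed at the firewall is logged and dropped.
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" -j DENY -l
}

apply_rules
```

If the two ranges were the same, the second and third `-A input` rules would collapse into one, and the only choice would be to accept non-SYN packets into that range from everyone (which is Kurt's "works for me" setup) or from the trusted peer only (which breaks masquerading for the LAN); keeping them apart is what lets the firewall's own connections be restricted more tightly than the masqueraded ones.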
participants (2)
- Kurt Seifried
- Martin Brecher