On Mon, 21 May 2001, Nate Carlson wrote:
>
> If you allow 1024: -> 1024: without the SYN bit set (! -y in ipchains;
> can't remember in iptables), and make SURE you don't have any services
> running on 1024+ on your firewall (MySQL is a good example), you are
> generally pretty safe.
>
> This (along with the proper masquerading modules in 2.2, or the stateful
> module in 2.4) will allow most of those to work.

After digging into it, I have 2 options to keep it working and keep me somewhat sane.

One is to upgrade to kernel 2.4 (a splendid idea no matter how you look at it) and use iptables, which I understand does the stateful stuff for me. Or maybe that was in *BSD.

The other option is to loosen up my firewall a bit. I realized that all my paranoia was launched by inetd anyway, so a nice ALL:ALL in hosts.deny should lock me down tight enough. Sendmail, Apache, and SSH stay wide open, while all services on the box are TCP-wrappered, and therefore there is no need for any ipchains -j DENY rules. With the possible exception of ICMP; I like turning that off for paranoia purposes.

So, in a nutshell, I'll end up installing Debian :-).

-Brian
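The two filtering models the thread compares, as an added illustration that is not part of either message: a stateless ipchains-style rule that admits any non-SYN TCP packet to ports 1024 and above, beside a minimal stateful filter that only admits inbound packets belonging to a connection the host itself opened. The packets, addresses (10.0.0.0/24 as the inside, TEST-NET ranges outside) and the choice of MySQL on 3306 as the exposed high-port service are constructed for the example. It shows why Nate's caveat about services on 1024+ exists: the stateless rule lets an unsolicited ACK reach 3306 (the basis of ACK/FIN-style scans and anything a listener does with stray segments), while the stateful filter drops it because no matching connection was ever recorded.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

LOCAL_NET = "10.0.0."  # constructed: the protected side of the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # TCP flag names, e.g. {"SYN"}, {"ACK"}, {"SYN", "ACK"}


def stateless_allow(pkt: Packet) -> bool:
    """ipchains-style rule: inbound TCP to 1024: passes unless it is a bare SYN (! -y).

    Nothing about prior traffic is consulted; only the header of this packet.
    """
    if not pkt.dst.startswith(LOCAL_NET):
        return True  # outbound traffic is not restricted in this toy policy
    syn_only = "SYN" in pkt.flags and "ACK" not in pkt.flags
    return pkt.dport >= 1024 and not syn_only


class StatefulFilter:
    """Connection-tracking filter in the spirit of the 2.4 stateful module.

    Outbound SYNs create an entry; inbound packets pass only if they match
    an entry, i.e. they are replies to a connection we initiated.
    """

    def __init__(self) -> None:
        self.conns: set[Tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.dst.startswith(LOCAL_NET):
            if pkt.flags == frozenset({"SYN"}):
                # Remember the 4-tuple so the reply direction is recognised.
                self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Run constructed packets through both filters; returns name -> (stateless, stateful)."""
    sf = StatefulFilter()
    web = "203.0.113.10"       # constructed: a web server we browse to
    scanner = "198.51.100.7"   # constructed: an outside host probing us
    host = "10.0.0.5"
    scenarios = [
        ("outbound SYN to web:80",
         Packet(host, 40000, web, 80, frozenset({"SYN"}))),
        ("reply SYN/ACK from web:80",
         Packet(web, 80, host, 40000, frozenset({"SYN", "ACK"}))),
        ("unsolicited ACK to MySQL 3306",
         Packet(scanner, 31337, host, 3306, frozenset({"ACK"}))),
        ("unsolicited SYN to MySQL 3306",
         Packet(scanner, 31337, host, 3306, frozenset({"SYN"}))),
        ("unsolicited ACK to SSH 22",
         Packet(scanner, 31337, host, 22, frozenset({"ACK"}))),
    ]
    results: Dict[str, Tuple[bool, bool]] = {}
    for name, pkt in scenarios:
        # Order matters for the stateful filter: the outbound SYN must be seen first.
        results[name] = (stateless_allow(pkt), sf.allow(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in evaluate().items():
        print(f"{name:32s} stateless={'ALLOW' if stateless else 'DROP ':5s} "
              f"stateful={'ALLOW' if stateful else 'DROP'}")
```

The third row is the one that matters for the thread: both filters let the browsing session work, but only the stateless rule delivers an unsolicited ACK to a listener on 3306, which is exactly why the advice is to either move to connection tracking or make sure nothing listens above 1024 on the firewall itself.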