-
Notifications
You must be signed in to change notification settings - Fork 398
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use conntrack to allow incoming responses for outbound connections #115
Comments
Hi @vodasams57 Thank you for your advice. It's helpful especially in handling UDP traffic. My original thought was to stop new connections from outside networks and can also defense against SYN Flood attacks. But you're right about the issues, especially with how we handle UDP. If using
What do you think about these rules? Only one concern I have is about the original rules, which have been widely deployed and tested in various environments. It works in most of cases. So, I'm thinking to update the documentation to include both sets of rules. Let users to choose which one they want to use. |
hi @chaifeng thanks for your feedback.
I would prefer the following approach "allow rules first, block anything else".
I see your point. Nevertheless, in terms of security/firewalling it would make sense to default to the new rules. In addition, this approach makes the rules much more understandable and feels less hacky.
Good point. I would add a deprecation mark for the old approach and highlight the drawbacks when using it. |
hi @chaifeng did you have time to have a look at my last comment? |
To allow responses for outbound connections initiated by internal containers you suggest the following rules:
There are some flaws with this approach:
Albeit being a stateless approach it would be safer to use the conntrack table (stateful) to allow responses for established connections:
Even UFW is using conntrack to allow incoming responses initiated by local applications (see /etc/ufw/before.rules):
The text was updated successfully, but these errors were encountered: