From: "Walter Dnes"
Date: Thu, 27 Dec 2012 18:11:50 -0500
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPTABLES syntax change?
Message-ID: <20121227231150.GA9864@waltdnes.org>
References: <20121227004732.GB5854@waltdnes.org> <50DBA7D0.4060800@orlitzky.com> <87zk0zivjk.fsf@einstein.gmurray.org.uk>
In-Reply-To: <87zk0zivjk.fsf@einstein.gmurray.org.uk>
User-Agent: Mutt/1.5.21 (2010-09-15)

On Thu, Dec 27, 2012 at 11:28:15AM +0000, Graham Murray wrote:

> The problem is not really the OP's fault. The problem is that if you
> have tables with the form "-m state --state XXX" at the point you
> upgrade, iptables-save (quite possibly called automatically by
> /etc/init.d/iptables stop) will save it as "-m state --state" - ie
> 'forgetting' which state(s) the rule applies to.

Thanks for pointing that out. I looked back at an archived version, and
it had stuff like...

-A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m state --state NEW -j UNSOLICITED

I.e. new external connection attempts were rejected, except for my lan
which bypasses this rule so I can scp/ssh etc between my machines. No
wonder I was puzzled by what I saw.

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
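The failure mode Graham describes, a saved ruleset in which "-m state --state" has lost its state list, is easy to catch before the dump is fed back to iptables-restore. The script below is an added example, not code from the thread or from the iptables project; it assumes a file in iptables-save format, and the sample ruleset it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: scan an iptables-save dump for "-m state --state" rules
# whose state list was dropped, and refuse to pass such a file on.
# Exit status 1 means at least one defective rule was found.

check_state_rules() {
    # $1: path to an iptables-save style dump
    awk '
        /-m state --state/ {
            bad = 0
            for (i = 1; i <= NF; i++) {
                if ($i != "--state") continue
                # A healthy rule has a state list next, e.g. NEW or
                # ESTABLISHED,RELATED. No next token, or a next token that
                # is itself an option ("-m", "-j"), means the list is gone.
                if (i == NF || substr($(i + 1), 1, 1) == "-") bad = 1
            }
            if (bad) {
                print "defective rule at line " NR ": " $0
                found++
            }
        }
        END { if (found) exit 1 }
    ' "$1"
}

sample_rules() {
    # Constructed sample: two intact rules and two damaged the way the
    # thread describes (state list missing after --state).
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:TCP_IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
-A TCP_IN -p tcp -m state --state -m tcp -j UNSOLICITED
-A INPUT -p udp -m state --state
COMMIT
EOF
}

# Stand-alone demo: the constructed sample should be flagged, so a boot
# script would skip iptables-restore and keep the last good ruleset.
demo_file=$(mktemp)
sample_rules > "$demo_file"
check_state_rules "$demo_file" || echo "ruleset needs repair, not restoring"
rm -f "$demo_file"
```

Run it against /var/lib/iptables/rules-save (or wherever the init script writes the dump) right after an upgrade; a clean file produces no output and exit status 0.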