Post A3f8lg0Ms7Vvg8SiDA by anonymouskun@fosstodon.org
Post #A3f6Cr3lZwJjv9Jsu0 by icedquinn@blob.cat
2021-01-27T11:52:07.054585Z
0 likes, 0 repeats
@anonymouskun wouldn't you just whitelist all the incoming ports to existing connections :blobcatthink:
Post #A3f8lg0Ms7Vvg8SiDA by anonymouskun@fosstodon.org
2021-01-27T12:08:26Z
0 likes, 0 repeats
@icedquinn Despite the incoming port being something other than 443, defining RELATED,ESTABLISHED will accept any port connections that went through 443. It would be a disaster to accept ports for every site. RELATED,ESTABLISHED creates a handshake between anything going out of 443 and RELATED incoming ports.
Post #A3f8lgQbIaUuzUjf6G by anonymouskun@fosstodon.org
2021-01-27T12:16:06Z
0 likes, 0 repeats
@icedquinn That way, if a site happens to use ports like 45859 for OUTPUT and 443 as INPUT, the PC will send a web request to 443 and bring anything RELATED back. Hence whitelisting wouldn't be necessary. Otherwise, it would take all day to whitelist arbitrary ports with tcpdump. Or now that I think of it, it could be scripted (I think with tcpdump in a way). hmm...will look into that later ^_^
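The behaviour the two posts above describe, as an added example that is not part of the thread: a small model of conntrack plus the usual `OUTPUT --dport 443 --ctstate NEW -j ACCEPT` / `INPUT --ctstate RELATED,ESTABLISHED -j ACCEPT` / `INPUT -j DROP` rules. It shows why the reply from port 443 to the ephemeral local port 45859 is accepted without any per-port whitelist, while an unsolicited packet to that same local port is dropped. Addresses are constructed from RFC 5737 documentation ranges; only ESTABLISHED is modelled, not the helper-driven RELATED state (ICMP errors, FTP data channels).

```python
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
HOST = "192.0.2.10"      # the PC running the firewall
SITE = "203.0.113.5"     # a web server
STRANGER = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Model of conntrack with a default-drop INPUT chain.

    OUTPUT: new flows allowed only to whitelisted destination ports (443 here).
    INPUT:  accepted only if conntrack already knows the flow (ESTABLISHED).
    """

    def __init__(self, allowed_out_ports=(443,)):
        self.allowed_out_ports = set(allowed_out_ports)
        self.table = set()   # 4-tuples of flows this host initiated

    def output(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            return "ACCEPT"            # ESTABLISHED: later packets of a known flow
        if pkt.dport in self.allowed_out_ports:
            self.table.add(key)        # NEW to an allowed port: conntrack records it
            return "ACCEPT"
        return "DROP"

    def input(self, pkt):
        # Reply direction: swap endpoints and look the original flow up.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reverse in self.table else "DROP"


def demo():
    """Exercise the ruleset; returns each verdict for inspection."""
    fw = StatefulFirewall()
    return {
        # Browser picks ephemeral port 45859 and opens a connection to the site's 443.
        "out_443": fw.output(Packet(HOST, 45859, SITE, 443)),
        # Reply comes back from 443 to 45859: no rule for port 45859 is needed.
        "reply_443": fw.input(Packet(SITE, 443, HOST, 45859)),
        # Same local port, different peer, no matching flow: dropped.
        "unsolicited": fw.input(Packet(STRANGER, 443, HOST, 45859)),
        # Outbound to a port that is not whitelisted never enters the table...
        "out_8080": fw.output(Packet(HOST, 45860, SITE, 8080)),
        # ...so nothing that looks like its reply is ESTABLISHED either.
        "reply_8080": fw.input(Packet(SITE, 8080, HOST, 45860)),
    }
```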
Post #A3f8lgpln0dAFYVlKa by icedquinn@blob.cat
2021-01-27T12:20:47.967410Z
0 likes, 0 repeats
@anonymouskun I usually just allow anything related/established on incoming regardless.
Post #A3f8ltQ104knHRYsUa by anonymouskun@fosstodon.org
2021-01-27T12:16:31Z
0 likes, 0 repeats
@icedquinn to whitelist*
Post #A3f8lw6d0c1pcBVwBs by anonymouskun@fosstodon.org
2021-01-27T12:20:16Z
0 likes, 0 repeats
@icedquinn Scratch that, scripting would be unwise. Real unwise