From: Eric Brown
To: guix-patches@gnu.org
Subject: iptables example update
Date: Sun, 30 May 2021 22:07:07 +0100

Dear List,

I have often puzzled over the iptables example that is given in the Guix
manual. It seems that this rule would allow someone to ssh in, but
would not practically allow ssh *outward* because the session would not
be able to receive a response.

I've added what I think is a line that fixes the issue.

Best regards,
Eric

Attachment: 0001-doc-Updated-iptables-example.patch (iptables update)

From 44faa84695a5df7a0a3c3a35520d70f255b9fe53 Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Sun, 30 May 2021 22:00:52 +0100
Subject: [PATCH] doc: Updated iptables example

* doc/guix.texi (iptables): Update iptables example to allow
(functioning) outbound SSH
---
 doc/guix.texi | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi index dc10e88123..71851ca0b1 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -16427,6 +16427,7 @@ configuration rejecting all incoming connections except those to the ssh port :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A INPUT -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-port-unreachable COMMIT 
@@ -16435,6 +16436,7 @@ COMMIT :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A INPUT -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp6-port-unreachable COMMIT -- 2.32.0.rc0

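Review bot: in the first hunk (the IPv4 rules ending in icmp-port-unreachable), a new connection to any local port other than 22 still falls through to the final REJECT, and that includes connections made over the loopback interface, because none of the rules match on an interface. If services on the host are meant to stay reachable from the host itself, add "-A INPUT -i lo -j ACCEPT" next to the new conntrack rule. The manual sentence visible in the hunk header ("configuration rejecting all incoming connections except those to the ssh port") should also mention that packets of established or related connections are accepted, since the patch adds only the two rule lines and leaves that prose unchanged.
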
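Review bot: in the second hunk (the IPv6 rules ending in icmp6-port-unreachable), ICMPv6 neighbour discovery and router advertisement packets are not classified as ESTABLISHED or RELATED by conntrack, so with only the new rule and the port 22 rule they reach the final REJECT. Consider adding "-A INPUT -p ipv6-icmp -j ACCEPT", or accepts for the specific ICMPv6 types the host needs, before the REJECT line of the IPv6 example.
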
From: Arun Isaac
To: Eric Brown, 48753-done@debbugs.gnu.org
Subject: Re: [bug#48753] iptables example update
Date: Fri, 04 Jun 2021 00:16:49 +0530

Hi Eric,

I wrote the iptables service and documentation. So, the mistake is
entirely due to my poor grasp of iptables! :-)

I have applied your patch, and pushed to master. Thanks!

Cheers,
Arun

Date: Sun, 06 Jun 2021 13:52:57 -0500
From: Eric Brown
To: Arun Isaac, 48753-done@debbugs.gnu.org
Subject: Re: [bug#48753] iptables example update

On Thu, Jun 3, 2021, at 1:46 PM, Arun Isaac wrote:
>
> Hi Eric,
>
> I wrote the iptables service and documentation. So, the mistake is
> entirely due to my poor grasp of iptables! :-)
>
> I have applied your patch, and pushed to master. Thanks!
>
> Cheers,
> Arun
>
> Attachments:
> * signature.asc

Hi Arun,

Thank you for applying the patch, I think it’s much better. Truthfully I am relieved that you are an iptables newbie and so am I!

I think there could still be some work done to this recommendation. For example, when I use this updated iptables firewall selection, I am unable to telnet into ports open on localhost. An example is that I am a heavy user of VNC/SSH tunnel connections and it doesn’t let me do that, it blocks e.g. port 5902. (A similar naive rule in nftables does let this work!!!)

But so many examples are given in iptables (esp. WireGuard stuff) and so if you have no objections, I would like to take a further look and maybe even ask around as to what the ‘ufw allow ssh’ behavior vis-a-vis iptables best practices.

Best regards,
Eric

From: Arun Isaac
To: Eric Brown, 48753-done@debbugs.gnu.org
Subject: Re: [bug#48753] iptables example update
Date: Wed, 16 Jun 2021 12:48:41 +0530

Hi Eric,

> Thank you for applying the patch, I think it’s much better. Truthfully
> I am relieved that you are an iptables newbie and so am I!

:-P

> I think there could still be some work done to this recommendation.
> For example, when I use this updated iptables firewall selection, I am
> unable to telnet into ports open on localhost. An example is that I
> am a heavy user of VNC/SSH tunnel connections and it doesn’t let me do
> that, it blocks e.g. port 5902. (A similar naive rule in nftables
> does let this work!!!)

I'm not able to reproduce this. I built and started a container with an
ssh server on port 5902. And, I was able to connect fine with
telnet. Could you describe the precise steps, configuration, etc. to
reproduce this issue?

> But so many examples are given in iptables (esp. WireGuard stuff) and
> so if you have no objections, I would like to take a further look and
> maybe even ask around as to what the ‘ufw allow ssh’ behavior
> vis-a-vis iptables best practices.

Sure, please do! You don't need my permission for that! :-)

Regards,
Arun

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Wed, 14 Jul 2021 11:24:08 +0000

# This is a fake control message.
#
# The action:
# bug archived.
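
Added example, not part of the thread or of the Guix sources: a small model of first-match evaluation over the IPv4 INPUT rules from the patch, covering both the outbound-SSH reply problem described in the first message and the port 5902 case raised later. The three packets, their conntrack states and the source ports are constructed, and the evaluator understands only the options that appear in the patch.

```python
import shlex

# Rules as shown in the IPv4 hunk; BEFORE is the chain without the added line.
BEFORE = """\
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""
AFTER = "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n" + BEFORE

# Constructed packets as seen on INPUT (ports and states are assumptions).
SSH_REPLY = {"proto": "tcp", "sport": 22, "dport": 40000, "ctstate": "ESTABLISHED"}
SSH_NEW_IN = {"proto": "tcp", "sport": 40001, "dport": 22, "ctstate": "NEW"}
PORT_5902_NEW = {"proto": "tcp", "sport": 40002, "dport": 5902, "ctstate": "NEW"}

def parse_rules(text):
    """Parse '-A INPUT ...' lines; every option used on the page takes one argument."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"]:
            continue  # skip table names, chain policies and COMMIT
        rule = {}
        for opt, val in zip(tok[2::2], tok[3::2]):
            if opt == "-p":
                rule["proto"] = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "--ctstate":
                rule["ctstate"] = set(val.split(","))
            elif opt == "-j":
                rule["target"] = val
            elif opt not in ("-m", "--reject-with"):
                raise ValueError(f"option not modelled: {opt}")
        rules.append(rule)
    return rules

def verdict(rules, pkt, policy="ACCEPT"):
    """Return the target of the first rule whose matches all hold, else the policy."""
    for rule in rules:
        if rule.get("proto", pkt["proto"]) != pkt["proto"]:
            continue
        if rule.get("dport", pkt["dport"]) != pkt["dport"]:
            continue
        if "ctstate" in rule and pkt["ctstate"] not in rule["ctstate"]:
            continue
        return rule["target"]
    return policy

def compare(pkt):
    """Verdicts for one packet under the old chain and the patched chain."""
    return verdict(parse_rules(BEFORE), pkt), verdict(parse_rules(AFTER), pkt)
```

compare(SSH_REPLY) changes from REJECT to ACCEPT with the patch, while compare(PORT_5902_NEW) is REJECT under both chains because the rules carry no interface match.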