From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-patches-bounces+larch=yhetil.org@gnu.org>
Received: from mp1 ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id 4Cb0Hcf+s2AOiQAAgWs5BA
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sun, 30 May 2021 23:08:23 +0200
Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1 with LMTPS
	id QIXWGMf+s2CBOQAAbx9fmQ
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sun, 30 May 2021 21:08:23 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id D09EB1B434
	for <larch@yhetil.org>; Sun, 30 May 2021 23:08:22 +0200 (CEST)
Received: from localhost ([::1]:47676 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	id 1lnSfV-0002Ob-HB
	for larch@yhetil.org; Sun, 30 May 2021 17:08:21 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:59142)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lnSfD-0002OQ-ME
 for guix-patches@gnu.org; Sun, 30 May 2021 17:08:03 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:48910)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lnSfB-0004ze-SD
 for guix-patches@gnu.org; Sun, 30 May 2021 17:08:01 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1lnSfB-0005e7-MX
 for guix-patches@gnu.org; Sun, 30 May 2021 17:08:01 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#48753] iptables example update
Resent-From: Eric Brown <ecbrown@ericcbrown.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Sun, 30 May 2021 21:08:01 +0000
Resent-Message-ID: <handler.48753.B.162240883921650@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 48753
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: 
To: 48753@debbugs.gnu.org
X-Debbugs-Original-To: guix-patches@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.162240883921650
 (code B ref -1); Sun, 30 May 2021 21:08:01 +0000
Received: (at submit) by debbugs.gnu.org; 30 May 2021 21:07:19 +0000
Received: from localhost ([127.0.0.1]:60456 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1lnSeU-0005d8-G0
 for submit@debbugs.gnu.org; Sun, 30 May 2021 17:07:19 -0400
Received: from lists.gnu.org ([209.51.188.17]:35142)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ecbrown@ericcbrown.com>) id 1lnSeL-0005cq-FM
 for submit@debbugs.gnu.org; Sun, 30 May 2021 17:07:17 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:59008)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ecbrown@ericcbrown.com>)
 id 1lnSeL-0002KD-Ap
 for guix-patches@gnu.org; Sun, 30 May 2021 17:07:09 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:46887)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ecbrown@ericcbrown.com>)
 id 1lnSeJ-0004Ry-Iy
 for guix-patches@gnu.org; Sun, 30 May 2021 17:07:09 -0400
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id 909C55C0045
 for <guix-patches@gnu.org>; Sun, 30 May 2021 17:07:06 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
 by compute3.internal (MEProxy); Sun, 30 May 2021 17:07:06 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericcbrown.com;
 h=from:to:subject:date:message-id:mime-version:content-type; s=
 fm2; bh=LnEJw7NTCbAOM48mWoIVh/8bhdfoOYVoy7hf/9al8xk=; b=nIQqlzFh
 7q1bGOckJnRqNja8xotQpMAQxqRlo88kRZ1iF/2l1vDTPFdPdAmAz2BTcqn7am+u
 vVQxaeju5HRZyt8yY9nFkRM/mkfe3YFxl2tdlLeouF3XnaJszOL8kFgEnKlFzgkh
 PfNuV8Y6SbCxRDHgmi99zmkneBmVem3TqECrnWgvuAQC6oN0MP6CImUS7rINR8uC
 TDRzVqzO4M5OzK9txqpHiI39NKY4dBue4IPAgeHU6twXBTZUgjeFAmM8bzpjuKP4
 zw0yweaxNNwYtrkHpYMWMXl0D+3fnyd4oO9CwK8P3Zg/gPZagLAo3woo9u3llP5j
 7w2ydWSs15d5Fw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm2; bh=LnEJw7NTCbAOM48mWoIVh/8bhdfoO
 YVoy7hf/9al8xk=; b=i1RQVCXQxfNlzUat/a5mHPouHMSy3W0Sxt0D+0c6oKzAv
 5k3Q97Ur5emxbU5kJ/HP+JA/hgIxwFf5dNlLr7/0cbBQ7sQax396254xuoGHx7zD
 jlK8PYlN5blwEqyX+jAsREgsUYBPsWP2bSttBBDPvR7NS2KTDKFSyaDmCHMhzu2R
 j6kIH9Xy1ii1ymLIpH6ud5IiCURofoBNnF5nTbdu333w8/AcTCgAe/x3VRM35cSI
 OTzQxW96//mYR8wq+hCQDMXAyRG2hkwDarQs699C/CAOpe9DzSpe+ywjEb59vjPN
 jpT8vhDTNWpdU5uMinpdVQg04P7dYzmN+iePEHVXw==
X-ME-Sender: <xms:ev6zYMlY_hdUJliYpu8_UV2MbDIPVOUgKkASdrO6-KdckFU_uwn3fQ>
 <xme:ev6zYL1_UiqlCeTWYktl8_QjeZZabsK1o72XS6gWaDpvQuYaRkaF0XXL1BXYzzgP2
 XBKvLU9ZMevf6OxdQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvdeluddgudehjecutefuodetggdotefrod
 ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
 necuuegrihhlohhuthemuceftddtnecunecujfgurhephffvufffkfgfgggtsehmtderre
 dtredtnecuhfhrohhmpefgrhhitgcuuehrohifnhcuoegvtggsrhhofihnsegvrhhitggt
 sghrohifnhdrtghomheqnecuggftrfgrthhtvghrnhepuddtkeffgeeltdetvdeljeejhf
 dtgedvheelvedtueevudfffeffudfftddvkeegnecukfhppeelledrgeefrdduvdejrddu
 necuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepvggtsg
 hrohifnhesvghrihgttggsrhhofihnrdgtohhm
X-ME-Proxy: <xmx:ev6zYKqJgMMoPFY2qOm4fo2ZHdpIosB3yfsI63sO16CMHJkAdAGVQg>
 <xmx:ev6zYInFBFO4vsfjmo-POReVAbLyH552aUW0t4zsVBRVt26lMr-zeg>
 <xmx:ev6zYK31EMe51oGU1RY5rLdufLDl7OjFR9stFKg1JDoazNHv5AWjmw>
 <xmx:ev6zYLCzS0mG5Zi3Ossr5Gl3TBBW97bkfdtiGwSERRZx9WlDwiSvpg>
Received: from localhost (unknown [99.43.127.1])
 by mail.messagingengine.com (Postfix) with ESMTPA
 for <guix-patches@gnu.org>; Sun, 30 May 2021 17:07:06 -0400 (EDT)
From: Eric Brown <ecbrown@ericcbrown.com>
Mail-reply-to: Eric Brown <ecbrown@ericcbrown.com>
Mail-followup-to: Eric Brown <ecbrown@ericcbrown.com>
Date: Sun, 30 May 2021 22:07:07 +0100
Message-ID: <86lf7wue10.fsf@hurd.ericcbrown.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Received-SPF: pass client-ip=66.111.4.27; envelope-from=ecbrown@ericcbrown.com;
 helo=out3-smtp.messagingengine.com
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1622408903;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:resent-cc:resent-from:resent-sender:
	 resent-message-id:list-id:list-help:list-unsubscribe:list-subscribe:
	 list-post:dkim-signature; bh=LnEJw7NTCbAOM48mWoIVh/8bhdfoOYVoy7hf/9al8xk=;
	b=HshDf/1nXiwDNvi5+GkJtDiCMDsGnGfGK1+I4tYVN5i2+uqcj63Sq07iM5jLEoZREduVD5
	bfAZca0sipgfzASX+CXw9zGGvI7e+tgQACgLe3vbi4MiWsmgeGHsjZZXwgiG13fEDkEDIS
	oOD8X+t8bwi0r9Go5vvkYBU6MZGQx/gfcrKqeLA0WIyjMaoQ0+m7DLX9b9aVbHmdhLh8zb
	RSVwTNgPHmT6p2Vio6atJx7PK2lPkcpoAqLb/G01tobzDAvLUQEdK2zL50Ax7zr3SjYyrm
	OLn1rbsOuKxEbKo5KJsZoFbZYnE2pajH/t9ev4agyJjm6AJAw10nIcpwvqlupg==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1622408903; a=rsa-sha256; cv=none;
	b=cpWtzNWoceOpVgSZgqmrbj/j5MT26OTS7yxIghgeFKgZHugarh0gSn+DvTGb/EVo7KLnsG
	AhvueAiJxeiMU4gWI6ThufXNTGxAmD2hp8zJY9SIWcB2G8FQDcvAsGxZIBQ79TA9k+UikC
	p6tsTApBBRXFI32nkCu/eVxeHOAy7sCuAqSF75sUDWOvMWnkVgEUjFRtEFu4PJO0OCIZig
	LCRFSQ4OgubIf2L/ZxXFTw2mpohEm562ZdlWNZa06bF6CPdqmB5QZcFIc2H99QLisdj5aR
	DVl5zjTp5J3LezK8IXvRg/b+Qgyb4ZTKZtQRi6R49a2HaAXKRVQ2msaXLkbogw==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=ericcbrown.com header.s=fm2 header.b=nIQqlzFh;
	dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=i1RQVCXQ;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org
X-Migadu-Spam-Score: -1.43
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=ericcbrown.com header.s=fm2 header.b=nIQqlzFh;
	dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=i1RQVCXQ;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org
X-Migadu-Queue-Id: D09EB1B434
X-Spam-Score: -1.43
X-Migadu-Scanner: scn0.migadu.com
X-TUID: X9E0IPzDEckO

--=-=-=
Content-Type: text/plain

Dear List,

I have often puzzled over the iptables example that is given in the Guix manual.

It seems that this rule would allow someone to ssh in, but would not
practically allow ssh *outward* because the session would not be able to
receive a response.

I've added what I think is a line that fixes the issue.

Best regards,
Eric


--=-=-=
Content-Type: text/x-diff
Content-Disposition: attachment;
 filename=0001-doc-Updated-iptables-example.patch
Content-Description: iptables update

>From 44faa84695a5df7a0a3c3a35520d70f255b9fe53 Mon Sep 17 00:00:00 2001
From: Eric Brown <ecbrown@ericcbrown.com>
Date: Sun, 30 May 2021 22:00:52 +0100
Subject: [PATCH] doc: Updated iptables example

* doc/guix.texi (iptables): Update iptables example to allow (functioning) outbound SSH
---
 doc/guix.texi | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index dc10e88123..71851ca0b1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -16427,6 +16427,7 @@ configuration rejecting all incoming connections except those to the ssh port
 :INPUT ACCEPT
 :FORWARD ACCEPT
 :OUTPUT ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p tcp --dport 22 -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-port-unreachable
 COMMIT
@@ -16435,6 +16436,7 @@ COMMIT
 :INPUT ACCEPT
 :FORWARD ACCEPT
 :OUTPUT ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p tcp --dport 22 -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp6-port-unreachable
 COMMIT
-- 
2.32.0.rc0


--=-=-=--