Ummm... no. Wrong on both counts. See Jeremy's post about source-routing for one method. The firewall rules are never bypassed, that's why you need rules to specifically allow "established" connections. It is also why when writing your rules you want to put those rules near the top so that established connections don't have to run the entire gamut of the ruleset to get an up/down vote on whether to accept. Now maybe some firewalls resort the rules to get this behavior, but I haven't seen this with any Linux software firewalls.
Actually, I think what David is thinking about is the PREROUTING chain in the Linux Netfilter nat table. It only checks the first packet of each stream.
<rant> Let's leave the "Ummm... No" out from now on. We're all learning here. I know it may sound stupid, but I find it rude. I went off on some guy last week about it - which I do feel bad about. I got a little out of line on one of my replies. Anyway, let's try and keep the respect for one another going here. Feel free to correct people, myself included, but let's try to keep it polite. </rant>
--- Jeremy Fowler wrote:
<rant> Let's leave the "Ummm... No" out from now on. We're all learning here. I know it may sound stupid, but I find it rude.
I quite agree. It seemed like a good idea at the time, but after reading it on the LUG I was sorry I did it. Another case of those 20/20 hindsight things. It was never intended to be rude, but I can see where that might be the impression. Now back to our regularly scheduled program.
Brian Jack D.