On 2/26/23 16:57, Genes Lists wrote:
Are you saying you block not only inbound SYN packets, but also outbound and/or every related, established connection?
This would mean you are unable to visit any EU website unless you first add that website's specific IP(s) to your outbound whitelist? That would of course include the WKD web-server as well. If this is not the case then perhaps something else is going on.
As I said, just trying to understand what you're doing that may be causing a problem for you to pull a key from a web-server.
best
gene
Thanks for the reply, Genes. I block just inbound connections from the blocked address ranges using the INPUT chain; all outbound addresses are available (very unsophisticated approach). I'll look at using a finer-toothed comb for handling only new and not related/established connections. That would solve the issue so long as the WKD traffic would be considered related/established. So the problem is the sync can contact wherever it is supposed to validate the keys from, but iptables will not let the machine on the other end talk back due to the DROP rule on the address range in the INPUT chain block.

-- 
David C. Rankin, J.D., P.E.
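The ordering problem described above, as an added example that is not from the thread: a bare DROP on a source range in INPUT also discards the replies to connections this host opened itself (the WKD fetch), while accepting RELATED,ESTABLISHED first and restricting the DROP to NEW lets the remote server answer. The script only generates iptables-restore text rather than loading it; the CIDRs are constructed placeholders and the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds two
# iptables-restore rulesets from a list of blocked ranges. The ranges
# are RFC 5737 documentation prefixes, constructed for this example.
BLOCKED_RANGES="192.0.2.0/24 198.51.100.0/24"

# Weak form (what the thread describes): an unconditional DROP in INPUT.
# It matches every packet from the range, including the SYN-ACK and data
# packets that are replies to a connection this host initiated, so an
# outbound WKD lookup to a host in the range never gets its answer.
weak_rules() {
    printf '%s\n' '*filter'
    for r in $BLOCKED_RANGES; do
        printf '%s\n' "-A INPUT -s $r -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Corrected form: accept replies to existing connections before any DROP,
# and drop only NEW connections from the ranges. Outbound is untouched.
fixed_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    for r in $BLOCKED_RANGES; do
        printf '%s\n' "-A INPUT -s $r -m conntrack --ctstate NEW -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Sanity check on a ruleset passed as $1: returns 0 (true) only if a
# RELATED,ESTABLISHED ACCEPT appears before the first DROP rule.
allows_replies() {
    acc=$(printf '%s\n' "$1" | grep -n -e 'RELATED,ESTABLISHED -j ACCEPT' | head -n 1 | cut -d: -f1)
    drop=$(printf '%s\n' "$1" | grep -n -e '-j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$acc" ] && [ -n "$drop" ] && [ "$acc" -lt "$drop" ]
}
```

Pipe `fixed_rules` into `iptables-restore -n` (or `iptables-restore --test`) to check syntax before loading it on a live host.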