On several server systems, I encountered two dominant styles of iptables firewall configurations:

The first one is blocking every INPUT except the ports of provided services like HTTP.

The second one is blocking every INPUT except packets for connections in NEW state for several services, with elaborate settings, and all packets for connections in ESTABLISHED state. It is also blocking all OUTPUT packets except those of connections in ESTABLISHED state.

What kind of security does the latter provide that the first simple solution does not manage?

Of course it may be useful to block users from using outgoing ports for their own reasons, but if I do not need to protect the server from its own users, but only from outside threats, are both methods identical, or will the second still provide benefits?
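To make the two styles described in the question concrete, here is an added example (not the asker's configuration and not taken from any particular server) that writes both rule sets in iptables-restore format. The service ports 22, 80 and 443 are assumed for illustration; the RELATED state and the INVALID drop are my additions to the second style, since that is how the stateful variant is usually written. The last function shows the property that actually separates the two: whether the host itself can originate a new outbound connection.

```shell
#!/bin/sh
# Added example: the two iptables styles from the question, side by side.
# Ports 22/80/443 are assumed services. Load either with:
#   iptables-restore < ruleset.txt

# Style 1: block all INPUT except the service ports; OUTPUT is left open.
simple_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Style 2: stateful. INPUT accepts NEW connections only to the service ports
# plus ESTABLISHED/RELATED traffic; OUTPUT accepts only ESTABLISHED/RELATED,
# so the server cannot start a connection of its own (no DNS, updates, NTP
# without an explicit NEW-state OUTPUT rule).
stateful_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Returns 0 (true) if the given ruleset text lets the host originate new
# outbound connections: either the OUTPUT policy is ACCEPT, or some OUTPUT
# rule explicitly accepts the NEW state.
allows_new_outbound() {
    ruleset="$1"
    if printf '%s\n' "$ruleset" | grep -q '^:OUTPUT ACCEPT'; then
        return 0
    fi
    if printf '%s\n' "$ruleset" | grep -q '^-A OUTPUT .*--ctstate[^#]*NEW'; then
        return 0
    fi
    return 1
}

# Stand-alone run: print which style lets the server call out.
main() {
    if allows_new_outbound "$(simple_ruleset)"; then
        echo "style 1: server may open outbound connections"
    fi
    if allows_new_outbound "$(stateful_ruleset)"; then
        echo "style 2: server may open outbound connections"
    else
        echo "style 2: server cannot open outbound connections"
    fi
}
```

Before loading either set on a real host, `iptables-restore --test < ruleset.txt` parses it without committing, which catches typos before you lock yourself out of SSH. The difference the second function exposes is the one the question is asking about: with style 1, a process on the server (legitimate or not) can connect anywhere; with style 2 it can only answer connections that arrived through the allowed ports, and anything the server must initiate itself, such as DNS lookups or package updates, has to be added as an explicit NEW-state exception in OUTPUT.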