
Re: [suse-security] HTTP Strange LOG



> I think a protection can only let pass established connection through
> your iptables firewall and drop all ports used by known trojans. The
> best is to drop all trojan connections (INPUT-, FORWARD- and
> OUTPUT-CHAIN).

1) "To only let pass an established connection"? Please explain how you imagine connections getting established, as at that stage they are NOT yet established and no traffic will pass.

2) Code Red is a worm, and its propagation does not relate to it also being a trojan.

3) There is no such thing as "all known ports" used by trojans.

4) If you need security, you drop or reject everything except what you require.

5) You must do so with regard to direction. And even that is of limited help, as the more advanced trojans use various chat services to actively connect from the inside out.

6) Many worms and trojans use legitimate ports AND the designated protocol along with it. Then they exploit some weakness in the server (or client) software (often buffer overflows) to make the software behave outside its specification. Code Red in fact uses HTTP over port 80. In fact a mighty security suggestion: block port 80 towards your web-server.

Peter
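As an added illustration of points 1, 4 and 5 above (this is editor-supplied example code, not anything posted in the thread): a minimal default-deny iptables ruleset in which the only thing that gets a connection "established" is an explicit NEW rule for a service you require, in the direction you require it. The return traffic of such a connection is then admitted by the ESTABLISHED,RELATED rule; everything else falls through to the DROP policy. The interface name eth0, the services (HTTP on 80/tcp, SSH on 22/tcp inbound, DNS outbound) and the script's command-line handling are my assumptions.

```shell
#!/bin/sh
# Editor-added example, not from the original posting.
# Assumptions (mine): external interface is eth0, the host serves HTTP on
# 80/tcp and SSH on 22/tcp, and needs outbound DNS. Run "sh fw.sh apply" as
# root to load the rules, "sh fw.sh show" to print them without loading.

IPT="${IPT:-iptables}"     # iptables binary to invoke
EXT_IF="${EXT_IF:-eth0}"   # external interface (assumed)

# One rule per line, in order. Default policies are DROP on all three chains
# (point 4); stateful ACCEPTs let the return half of connections we opened
# pass; every NEW entry names an interface, protocol, port and direction
# (point 5). Anything not listed is dropped by the policy.
firewall_rules() {
    cat <<EOF
-F
-X
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $EXT_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i $EXT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o $EXT_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix iptables-drop:
EOF
}

# Feed each rule to iptables, or print it when DRY_RUN=1.
apply_rules() {
    firewall_rules | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s %s\n' "$IPT" "$rule"
        else
            # word-splitting $rule into separate arguments is intended here
            # shellcheck disable=SC2086
            "$IPT" $rule
        fi
    done
}

# Number of rules that admit NEW connections: each is a deliberate
# service-and-direction decision; the DROP policies cover the rest.
count_new_accepts() {
    firewall_rules | grep -c -- '--state NEW -j ACCEPT'
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  DRY_RUN=1 apply_rules ;;
esac
```

Note what this ruleset does and does not buy you, in the terms of point 6: port 80 to the web server has to stay open for the server to be useful, so Code Red arrives through an allowed rule and the only real fix is patching the server. The OUTPUT DROP policy with explicit outbound NEW rules is what "with regard to direction" means in practice: a trojan that tries to phone home over a chat port is blocked unless that port was opened outbound, but one that tunnels over an allowed port (here DNS) is not.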


--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here