On Thursday 24 May 2018 06:01 PM, Jonathan Wiltshire wrote:
> (CC because I'm not sure whether you're subscribed)
>
> On 23/05/18 11:36, Luke Hall wrote:
> >>> This morning a number of our
> jessie firewall servers received these updates.
2018-05-23 06:53:20,879 INFO Allowed origins are:
(CC because I'm not sure whether you're subscribed)
On 23/05/18 11:36, Luke Hall wrote:
>>> This morning a number of our
jessie firewall servers received these updates.
>>>
>>> 2018-05-23 06:53:20,879 INFO Allowed origins are:
>>> ['origin=Debian,codename=jessie,label=Debian-Security']
>>> 2018-05-
On 23/05/18 11:36, Luke Hall wrote:
> I have just realised that jessie updates are still pre-lts so this may
> not be suitable for the list. Apologies if so..
Yes, debian-security@lists.debian.org would be more appropriate in this case.
Adding that to Cc. Full quote below.
Emilio
>> This morning
-projects.org/
[2] https://packages.debian.org/stable/ferm
On 04/04/2017 04:18 PM, Gustavo Lima wrote:
> Remembering that the correct command is ip6tables
>
> 2017-04-04 10:13 GMT-03:00 Gustavo Lima <mailto:ght...@gmail.com>>:
>
> 1) You must prohibit reserved external pre
Remembering that the correct command is ip6tables
2017-04-04 10:13 GMT-03:00 Gustavo Lima :
> 1) You must prohibit reserved external prefixes. Example: iptables -A
> INPUT -s 3dde::/16 -j DROP
> Among the reserved prefixes you will find: 2001:2::/48 (rfc 5156),
> 2001:10::/28 (rfc
1) You must prohibit reserved external prefixes. Example: iptables -A INPUT
-s 3dde::/16 -j DROP
Among the reserved prefixes you will find: 2001:2::/48 (rfc 5156),
2001:10::/28 (rfc 4843), 2001:db8::/32 (rfc 3849)
2) If you want to release to the local link ips: iptables -A INPUT -s
ff02::1 -j
I like this iptables script:
http://pingie.debus.free.fr/iptables/index.php
What I like about it is that it filters a lot of bad packets from getting
through and packets that are not supposed to be getting through the
firewall.
I have it loading as soon as my Ethernet device comes online.
What
On Fri, 31 Mar 2017 09:44:01 PM R Calleja wrote:
> can anybody help me. I have security issues and I have to reinstall
> the system every year.
> Set up a firewall with iptables as the attachment and now block
> connections as you can see in the dmesg attachment.
Debian-user is proba
Good morning,
can anybody help me. I have security issues and I have to reinstall
the system every year.
Set up a firewall with iptables as the attachment and now block
connections as you can see in the dmesg attachment.
Thank you very much, Roberto
[ 2423.851042] iptables denied: IN=eth0 OUT
Hello All, I have taken up to writing this bash script to change my
iptables rules. It seems the only issue I've found is that it seems to
not want to connect to certain websites at some moments and not
others, or generally but sometimes it lets it through without
changing anyt
ected) Which ipv6 range should we open for
> in iptables to have full access to security.debian.org over ipv6?
> (also ipv4 would be great but this doesnt seem to change .) we'd
> like to have the ip ranges so we can open for these, so we dont have
> to re lookup the domain/running the
* Stefan Eriksson:
> Hi now and again we get a timeout when looking up security.debian.org
> while running apt-get update. We have traced it to the ipv6's we
> get. It seems like they change (and as ipv6 have prio over ipv4 we are
> affected) Which ipv6 range should we open f
Hi now and again we get a timeout when looking up security.debian.org
while running apt-get update. We have traced it to the ipv6's we get. It
seems like they change (and as ipv6 have prio over ipv4 we are affected)
Which ipv6 range should we open for in iptables to have full acce
nftables a replacement for both
ipset and iptables.
Bjørn
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
On Mon, 13 Jul 2009, Maik Holtkamp wrote:
> I decided to follow this and on the weekend iptables blocked about 70
> IPs. I am afraid that after some time the box will be DOSed by the
> crowded INPUT chain.
The only _real_ fix for that is to use IPSET (patch for netfilter) to deal
with
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
Maik Holtkamp wrote/schrieb @ 13.07.2009 11:12:
> tail -n -20 | sed "s/^-A/-D/" | \
s/tail/head/
Sorry.
- --
- - bye maik
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Signature of Maik Holtkamp
iEYEARECAAYFAkpbA
> Every port scan attempt will result in a ban via iptables and every
> connection to port 22 will also result in a ban via iptables.
I decided to follow this and on the weekend iptables blocked about 70
IPs. I am afraid that after some time the box will be DOSed by the
crowded INPUT chain.
As
hi asif, did you find a solution to emulate different nat type with iptables?
cyril franke wrote:
Hello list,
I just started learning firewall setup with iptables
and found the following tutorial useful:
http://www.iptablesrocks.org/
The "canonical" tutorial is http://iptables-tutorial.frozentux.net/
Sorry for the top post.
Can beat Oskar Andreasson's IPTables Tutorial
http://iptables-tutorial.frozentux.net/
Jim
Pierre Chifflier wrote:
On Wed, Jan 28, 2009 at 12:20:27PM +0100, cyril franke wrote:
Hello list,
I just started learning firewall setup with iptables
and foun
On Wed, Jan 28, 2009 at 12:20:27PM +0100, cyril franke wrote:
> Hello list,
>
> I just started learning firewall setup with iptables
> and found the following tutorial useful:
> http://www.iptablesrocks.org/
Hi,
Looks like a good idea.
>
> What do you think about the r
Hello list,
I just started learning firewall setup with iptables
and found the following tutorial useful:
http://www.iptablesrocks.org/
What do you think about the ruleset proposed for a
typical web server firewall?
http://www.iptablesrocks.org/guide/ruleset.php
What do you think about the
On Tue, Dec 09, 2008 at 03:05:59PM -0600, Bruno Wolff III wrote:
> On Tue, Dec 09, 2008 at 21:21:54 +0100,
> Carlos Carrero Gutierrez <[EMAIL PROTECTED]> wrote:
> > Hi, i use Iptables and i would like to find a tool or software in order
> > to see my open connections. I
iptstate -l
2 cents
-cg
> Subject: I need to see open connections this moment - With Iptables i can
> only see logs
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
> debian-security@lists.debian.org
> Date: Tue, 9 Dec 2008 21:2
Hi,
Le mardi 09 décembre 2008 à 21:21 +0100, Carlos Carrero Gutierrez a
écrit :
> Hi, i use Iptables and i would like to find a tool or software in order
> to see my open connections. In doesn't care if it's a gui or not, and it
> can be not interactive (of course).
The mo
Bruno Wolff III wrote:
> On Tue, Dec 09, 2008 at 21:21:54 +0100,
> Carlos Carrero Gutierrez <[EMAIL PROTECTED]> wrote:
>> Hi, i use Iptables and i would like to find a tool or software in order
>> to see my open connections. In doesn't care if it's a gui or not
2008/12/9 Carlos Carrero Gutierrez <[EMAIL PROTECTED]>:
> Hi, i use Iptables and i would like to find a tool or software in order
> to see my open connections. In doesn't care if it's a gui or not, and it
> can be not interactive (of course).
>
> Wireshark capture pa
On Tue, Dec 09, 2008 at 21:21:54 +0100,
Carlos Carrero Gutierrez <[EMAIL PROTECTED]> wrote:
> Hi, i use Iptables and i would like to find a tool or software in order
> to see my open connections. In doesn't care if it's a gui or not, and it
> can be not interactive (of
What about "netstat -nputa | grep ESTABLISHED"?. If I have understood
correctly, that is what you need.
rgr
2008/12/9 Carlos Carrero Gutierrez <[EMAIL PROTECTED]>
>
> Hi, i use Iptables and i would like to find a tool or software in order
> to see my open connections.
On Tuesday 2008 December 09 14:21:54 Carlos Carrero Gutierrez wrote:
>Hi, i use Iptables and i would like to find a tool or software in order
>to see my open connections. In doesn't care if it's a gui or not, and it
>can be not interactive (of course).
Besides netstat, which wa
Hi, i use Iptables and i would like to find a tool or software in order
to see my open connections. In doesn't care if it's a gui or not, and it
can be not interactive (of course).
Wireshark capture packets but i can't be constantly searching if a
packet is correct or not.
Some
Hi,
it seems like you would like to implement destination NAT.
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 6 -j
DNAT --to 192.168.2.5
Don't forget to create also rules to allow this network traffic in the
FORWARD chain if necessary.
best regards,
jochen
On Fri, 20
send to a 192.168.2.5 port 6...and viceversa
Someone knows what is the rule for iptables???
thanks
Hey Asif,
I am trying to do the same thing with the help of iptables the
NAT configuration and is able to simulate the NAT environment for Restricted
Cone and Full Cone.
I was wondering since there is no reply to your message on internet
regarding the same and I have found that I am
Le 8 juin 07 à 23:05, Repasi Tibor a écrit :
Joan Hérisson wrote:
Hello,
Config:
- Debian 2.4.18
- iptables with many rules
Problems:
- I have installed a tomcat 5.5 server. The server is unreachable
(connection failed from localhost or another host on my local
network).
Hey Joan,
how do
Joan Hérisson wrote:
Hello,
Config:
- Debian 2.4.18
- iptables with many rules
Problems:
- I have installed a tomcat 5.5 server. The server is unreachable
(connection failed from localhost or another host on my local network).
Hey Joan,
how do You installed tomcat? Because, if installed
get back anything for port 8080, then nothing is listening
on this port and you won't get any connection. (That's not completely
true, you could for example redirect ports in iptables, but I assume
that your iptables-script is not doing something like that.)
BTW: As others already wrote, you
0 LOGall -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix
`IPT OUTPUT packet died: '
iptables will drop (and log) all outgoing packets?
So you cannot have a tcp connection if you are not
in one of the 3 named machi
Hi Joan,
On Thursday 07 June 2007 14:51:51 Joan Hérisson wrote:
> Hello,
>
> Config:
> - Debian 2.4.18
This is very old. For security and better features, you'd be best to upgrade
to a more recent version of Debian, with a more recent kernel.
>
. The 8080 port remains
closed. i did not try to upgrade my kernel. Actually, I am a little
bit frightened to this idea. is it really riskless ?
Finally this is the result of 'iptables -t filter -L -n -v' command:
Chain INPUT (policy DROP 17 packets, 1088 bytes)
pkts bytes targe
Il giorno Thu, 7 Jun 2007 15:51:51 +0200
"Joan Hérisson" <[EMAIL PROTECTED]> ha scritto:
> So I added this rule :
> "iptables -A tcp_packets -p TCP -i eth1 -s
> 0/0 --dport 8080 -j allowed"
> where e
Can you send the output of 'iptables -t filter -L -n -v ' to this mailing
list?
2007. június 7. 15.51 dátummal Joan Hérisson ezt írta:
> Hello,
>
> Config:
> - Debian 2.4.18
> - iptables with many rules
>
> Problems:
>
Joan Hérisson wrote:
Hello,
Config:
- Debian 2.4.18
- iptables with many rules
Problems:
- I have installed a tomcat 5.5 server. The server is unreachable
(connection failed from localhost or another host on my local network).
Tries:
- I have to open port 8080. I have this rule in /etc
On Thursday 07 June 2007 15:51, Joan Hérisson wrote:
> Hello,
>
> Config:
> - Debian 2.4.18
> - iptables with many rules
>
> Problems:
> - I have installed a tomcat 5.5 server. The server is
> unreachable
> (conn
On 6/7/07, Joan Hérisson <[EMAIL PROTECTED]> wrote:
Hello,
Config:
- Debian 2.4.18
- iptables with many rules
Problems:
- I have installed a tomcat 5.5 server. The server is unreachable
(connection failed from localhost or another host on my local network).
Tries:
- I have to ope
Hello,
Config:
- Debian 2.4.18
- iptables with many rules
Problems:
- I have installed a tomcat 5.5 server. The server is unreachable
(connection failed from localhost or another host on my local network).
Tries:
- I have to open
is if you want to block unknown computers with unknown
MAC-Addresses or unknown MAC-Address/IP-Address combinations and you add
a new host, then you have to add the new rule on every host in your
network.
For example on my router there is a chain like that:
[EMAIL PROTECTED]:~# iptables -nvL eth0_MAC
hey list,
im using two router to set up my internet connection and protect my home
network. the first is just a little router from avm and the second is a pIII
with linux and iptables. since the second box had some hardware trouble im
considering to use just the first router and add the
On Tuesday 13 February 2007 16:48:10 martin f krafft wrote:
> also sprach Felipe Figueiredo <[EMAIL PROTECTED]> [2007.02.13.1837 +]:
> > I am currently using 0.6.1-7 from backports, is this the
> > deprecated version you meant?
>
> Yes, but if you go through the trouble of creating the rules,
also sprach Felipe Figueiredo <[EMAIL PROTECTED]> [2007.02.13.1837 +]:
> I am currently using 0.6.1-7 from backports, is this the
> deprecated version you meant?
Yes, but if you go through the trouble of creating the rules, it
won't be very hard to migrate. I can help you then.
--
Please do
On Tuesday 13 February 2007 10:48:28 martin f krafft wrote:
> but do try to go with fail2ban from etch, since sarge's configuration is
> deprecated.
Can't do because of a dependency hell over sarge's 2.4 being old enough.
Etch's fail2ban version is 0.7.5-2 and sarge doesn't even have it.
I am
also sprach Felipe Figueiredo <[EMAIL PROTECTED]> [2007.02.13.1238 +]:
> I would like to take further measures and add the offender's ip to
> a blacklist, in a similar way as fail2ban do to ssh, i.e., block
> access from it temporarily.
You can use fail2ban for this. Once you created the rules
Hello,
I get, on an almost daily basis, attempts of use of my mail server as a relay.
Since it (postfix) only accepts relay from authenticated clients (or from
local), these attempts are usually logged and denied.
I would like to take further measures and add the offender's ip to a
blacklist,
. Am I missing something?
Unfortunately, it's very common for an attacker to be able to watch
local traffic if you're on a hostile network with your laptop, for
example...
> I have a rule for spoofed localhost addresses, I took from someone else some
> time ago at top of my INPUT ch
>>
> >> net/ipv4/conf/ethN/log_martians=1
> > Are you sure? log_martians does just that, it _logs_ such
> > packets/attempts, but it does not prevent them (at least the kernel
> > docs don't say so).
> Yes, this option just logs them.
> But they get logged
Hi,
On Tue, May 23, 2006 at 10:01:46AM +0200, Rolf Kutz wrote:
> > > iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> > > iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
> >
> > Correct me if I'm wrong, but I think this would also allow incoming
>
Hi,
On Tue, May 23, 2006 at 10:02:33PM -0400, Michael Stone wrote:
> (E.g., want to be able to test
> without the complexity of an encryption layer, don't want overhead of
> encrypting both sides of a local connection, etc.) Aside from that,
> yeah, ip addresses shouldn't be used for authentica
Matthew Palmer wrote:
>
> You need ebtables to manage bridge filtering, if I'm not mistaken.
>
Only if you want to do link layer filtering. iptables works fine on a
bridge.
You can use pretty much any iptables script if you modify it to leave
out the NAT rules and in the FORWARD
T or anything like that).
>
>I found a good Debian howto that describes this setup, but I was
>wondering if there is an iptables firewall script which is meant for
>that kind of setup. All iptables scripts I know are for NAT or Home
>Firewalling (including dialup etc).
>
>
>Th
Mike Dornberger <[EMAIL PROTECTED]> wrote:
>> > If I set up my firewall to accept only my local network (eg.
>> > -s 192.168.0.0/255.255.255.0) connecting to a port (eg. smtp), then
>> > anyone can spoof that too. So what's the point of creating rules? :)
>
> even if one can spoof the IP, he (= th
y if they come from the loopback
> interface. And you may want to discard packets coming from the internal
> network card, if they don't have an appropriate IP address.
I have a rule for spoofed localhost addresses, I took from someone else some
time ago at top of my INPUT chain:
iptables
t, no
> NAT or anything like that).
>
> I found a good Debian howto that describes this setup, but I was
> wondering if there is an iptables firewall script which is meant for
> that kind of setup. All iptables scripts I know are for NAT or Home
> Firewalling (including dialup etc).
Yo
http://www.securityview.org/building-a-snortenabled-linuxgateway.html is for a complete bridging router with snort as an IDS, just extend the iptables rules and you're done ;)
Ronald
On 23 May, 2006, at 15:44, Christian Holler wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello,
I'm
On Tue, May 23, 2006 at 02:10:19PM +0200, marco.celeri wrote:
yes, i think this allow incoming spoofed traffic to eth0 (or it is
"martian?") but the response must follow what found in routing table ->
lo interfaces... am i wrong?
Yes, but that doesn't necessarily help in the case of a single-pa
On Tue, May 23, 2006 at 04:20:58PM +0200, Uwe Hermann wrote:
On Tue, May 23, 2006 at 09:53:05AM +0200, LeVA wrote:
But if one can spoof 127.0.0.1, then one can spoof anything else, so creating
any rule with an ip address matching is useless.
Correct. IP-based authentication is inherently flawe
ebian howto that describes this setup, but I was
wondering if there is an iptables firewall script which is meant for
that kind of setup. All iptables scripts I know are for NAT or Home
Firewalling (including dialup etc).
Thanks in advance for useful hints.
Shorewall should do the trick just lo
Hi,
On Tue, May 23, 2006 at 09:53:05AM +0200, LeVA wrote:
> But if one can spoof 127.0.0.1, then one can spoof anything else, so creating
> any rule with an ip address matching is useless.
Correct. IP-based authentication is inherently flawed. If you want something
like that, use strong cryptogr
).
I found a good Debian howto that describes this setup, but I was
wondering if there is an iptables firewall script which is meant for
that kind of setup. All iptables scripts I know are for NAT or Home
Firewalling (including dialup etc).
Thanks in advance for useful hints.
Chris
-BEGI
2006. május 23. 10:06,
Rolf Kutz <[EMAIL PROTECTED]>
-> debian-security@lists.debian.org,:
> * Quoting LeVA ([EMAIL PROTECTED]):
> > > iptables -A INPUT -i lo -j ACCEPT
> > > iptables -A OUTPUT -o lo -j ACCEPT
> >
> > But if one can spoof 127.0
LeVA said:
> But if one can spoof 127.0.0.1, then one can spoof anything else, so
> creating any rule with an ip address matching is useless. No?
It's not totally useless but gives only a minor level of protection,
i.e. it helps against attacks without spoofing :)
> If I set up my firewall to ac
On Tue, May 23, 2006 at 02:04:13AM +0200, Uwe Hermann wrote:
[...]
>> iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
>> iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
> Correct me if I'm wrong, but I think this would also allow incoming
> traffic from 127.0.0.
On Tue, May 23, 2006 at 10:06:45AM +0200, Rolf Kutz wrote:
The script under scrutiny was intended for a
laptop. A router or firewall setup is something
different and should not route traffic with
spoofed addresses. rp_filter should catch this
easily, if you can use it. If not, an IP-based
rule i
Hi,
> > iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> > iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
>
> Correct me if I'm wrong, but I think this would also allow incoming
> traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
> h
* Quoting Michael Stone ([EMAIL PROTECTED]):
> On Tue, May 23, 2006 at 10:06:45AM +0200, Rolf Kutz wrote:
> >The script under scrutiny was intended for a
> >laptop. A router or firewall setup is something
> >different and should not route traffic with
> >spoofed addresses. rp_filter should catch
* Quoting LeVA ([EMAIL PROTECTED]):
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A OUTPUT -o lo -j ACCEPT
> >
> But if one can spoof 127.0.0.1, then one can spoof anything else, so creating
> any rule with an ip address matching is useless. No? If I set up my firew
* Quoting Uwe Hermann ([EMAIL PROTECTED]):
> > iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> > iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
>
> Correct me if I'm wrong, but I think this would also allow incoming
> traffic from 127.0.0.1 to the e
2006. május 23. 02:04,
Uwe Hermann <[EMAIL PROTECTED]>
-> George Hein <[EMAIL PROTECTED]>,debian-laptop@lists.debian.org,
debian-security@lists.debian.org:
> > iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
> > iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
Hi,
On Mon, May 22, 2006 at 07:57:59AM -0400, George Hein wrote:
> Your iptables scares me a bit, do we really have to do all that stuff
> like "echo to /proc/sys/...". I was a TP professional many years ago
> but since the internet I have become a novice, thus running
> Personally, I prefer using sysctl -w instead of echo > /proc/sys. I
> prefer /etc/sysctl.conf further still.
Ok, this is a matter of taste, I guess. I would argue that echo is
available pretty much everywhere, but on the other hand sysctl should also
be available everywhere where you have
Hi,
You have FORWARD policy set to DROP (not by default but by rule) -> you don't
need "echo ... /ip_forward"
I don't like to log all what it drop, it can make full a partition and it is
not good :)
bye
> Your iptables scares me a bit, do we really have to do all
* Uwe Hermann ([EMAIL PROTECTED]) [060521 11:18]:
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 0 > /proc/sys/net/ipv4/ip_forward
While I haven't yet gone through the actual content of the script, a
note of style preference:
Personally, I prefer using sysctl -w instead of echo > /proc/sys. I
p
Hi everyone,
this is crossposted to debian-laptop and debian-security, as I believe
it is relevant to both.
Today, I have heavily updated my (GPL'd) iptables script which I have been
using for quite a while now to secure my laptop (and various workstations).
The script is available from
Hello every one. I am having problem in setting up symmetric NAT using
IPTABLES
Actually I am working on SIP application. SIP has the problem on NATes
networks. STUN is one of the solutions. I have embedded STUN client
functionality inside SIP application. Now i have to test the
application
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
>>The first line does not include "state Related, established" or "state
>>established"...
>>
>>Does it mean that all traffic will be allowed ?
>
> yes.
That is, if there are no 'hidden'
In article <[EMAIL PROTECTED]> you wrote:
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> The first line does not include "state Related, established" or "state
> established"...
>
> Does it
Hi all,
Just a little question about an Iptables config Extract.
Iptables -L returns me :
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- stationA anywhere
Adam Majer wrote:
This is not a newsgroup.
Sorry, I'm subscribed to so many usenet groups via
parallel-izing/synching mailing lists, I do lose track.
Martin
Martin G.H. Minkler wrote:
Oh, and please take this thread to debian-firewall, I think although
it certainly is security-related, that newsgroup still is the better
choice for firewall questions :-)
This is not a newsgroup.
- Adam
I think that if you are using a firewall you want security... but using
an old kernel version is a problem...
You need to get the newer kernel version at http://www.kernel.org ..
The more recently kernel version is 2.4.31 to iptables and 2.2.26 to
ipchains.
Iptables in my opinion is the most
Oh, and please take this thread to debian-firewall, I think although it
certainly is security-related, that newsgroup still is the better choice
for firewall questions :-)
Martin
Alohá!
justme wrote:
I am new to IPChains and IPtables
welcome to the wonderful world of shooting Yourself in the foot ;-)
I don't know if it can change the IPCHAINS to something else?
with 'apt-get update && apt-get install iptables' You should be able to
ge
On Fri, Jun 03, 2005 at 04:31:30PM +0200, justme wrote:
> But I still have the Kernel 2.2.20-idepci
That's the 2.2 installer kernel. It doesn't have ipchains support.
install a real 2.2.20 kernel (apt-get install kernel-image and pick) or a
real 2.4.18 image (if you want iptabl
HI,
I am new to IPChains and IPtables
I have installed Debian woody but did upgrades and DIST upgrades
I don't know if it can change the IPCHAINS to something else?
But I still have the Kernel 2.2.20-idepci
I am totally new to Firewalls and I am learning with the IPCHAINS HOWTO
and w
Adrian Minta <[EMAIL PROTECTED]> writes:
> and a module ipt_limit.ko exist in the kernel directory ( 2.6.8-2-k7)
ipt_limit != ipt_connlimit
You are probably lacking kernel support for ipt_connlimit. It's not
part of the Linux kernel yet, and I guess the connlimit patch isn't in
Debian kernels ei
On Tue, 08 Mar 2005 00:42:01 +0100
Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> >> >server# iptables -A INPUT -p tcp --dport 80 -m connlimit
> >--connlimit-above > >3 -j REJECT --reject-with tcp-reset
>
> H
In article <[EMAIL PROTECTED]> you wrote:
>> >server# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above
>> >3 -j REJECT --reject-with tcp-reset
Have you tried:
iptables -m connlimit -h
does it show the connlimit options?
BTW: my iptables manpage
On Mon, 07 Mar 2005 09:29:19 +0100
Guillaume Tournat <[EMAIL PROTECTED]> wrote:
> Adrian Minta a écrit :
>
> >Is iptables connlimit available in sarge ?
> >I try to limit incoming connection to my webserver:
> >
> >server# iptables -A INPUT -p tcp --dport 80
Adrian Minta a écrit :
Is iptables connlimit available in sarge ?
I try to limit incoming connection to my webserver:
server# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 3
-j REJECT --reject-with tcp-reset
the error:
iptables: No chain/target/match by that name
What I
Is iptables connlimit available in sarge ?
I try to limit incoming connection to my webserver:
server# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 3
-j REJECT --reject-with tcp-reset
the error:
iptables: No chain/target/match by that name
What I'm doing wrong ?
ipt
1 - 100 of 905 matches