Sun, 26 Dec 2021, 02:13 linux_forum1 :
> Hello, I'm trying to make the most specific, secure and restrictive
> iptables possible for a simple VPN connection on Debian. Could you have a
> quick look if those are OK? Thanks so much!
>
> VPN Server Port:1194
>
> VPN Ser
Hello, I'm trying to make the most specific, secure and restrictive iptables
possible for a simple VPN connection on Debian. Could you have a quick look if
those are OK? Thanks so much!
VPN Server Port:1194
VPN Server IP: 189.174.135.110
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
#no fragme
--Original Message-
From: Jérémie Marguerie [mailto:jere...@marguerie.org]
Sent: Monday, 9 December 2013 19:17
To: Hey, Lukas (KRZ)
Cc: Jordon Bedwell; Debian
Subject: Re: End-user laptop firewall available?
On Mon, Dec 9, 2013 at 1:10 AM, Hey, Lukas (KRZ) wrote:
> I have a /64 network
On Mon, 2013-12-09 at 20:16 +0100, Javier Fernández-Sanguino Peña wrote:
> On Mon, Dec 09, 2013 at 09:41:34AM -0700, Jason Fergus wrote:
> >
> >
> > On Sat, 2013-12-07 at 10:55 -0600, Richard Owlett wrote:
> > > I chose phrasing of subject line to emphasize some peculiarities
> > > of my needs.
On Mon, Dec 09, 2013 at 09:41:34AM -0700, Jason Fergus wrote:
>
>
> On Sat, 2013-12-07 at 10:55 -0600, Richard Owlett wrote:
> > I chose phrasing of subject line to emphasize some peculiarities
> > of my needs.
> >
> > End-user emphasizes:
> >- I am *NOT* an expert
> >- my system is nev
On Mon, Dec 9, 2013 at 1:10 AM, Hey, Lukas (KRZ) wrote:
> I have a /64 network at home. Do you want to scan 2^64 IPs
> (18,446,744,073,709,551,616) to get the IP currently used by the laptop which
> is changed via the IPv6 privacy extension? The only machine having a fixed
> public IPv6 address
y
> *WITHOUT* any networking
>
> When connected to internet it will be:
>- primarily for browsing, email, Usenet
>- occasionally used for downloading small files using HTTP
> *NOT* (never?) FTP
>
The theory is if that's all you do on a Linux system, then you prob
WiFi is also risky, even if the address space is private: if the
WiFi is run in a densely populated area, people (or trojans running in
other people's devices) might want to see what "machines are out
there" in the WiFi and probe/attack them. I've seen this quite a lot
in public
really needs to be printed out!
-Original Message-
From: envyge...@gmail.com [mailto:envyge...@gmail.com] On behalf of Jordon
Bedwell
Sent: Monday, 9 December 2013 09:25
To: Hey, Lukas (KRZ)
Cc: Debian
Subject: Re: End-user laptop firewall available?
On Mon, Dec 9, 2013 at 2:12
ender
Please check whether this e-mail really needs to be printed out!
-Original Message-
From: Jérémie Marguerie [mailto:jere...@marguerie.org]
Sent: Sunday, 8 December 2013 20:03
To: Riku Valli
Cc: Jordon Bedwell; Debian
Subject: Re: End-user laptop firewall available?
On Sun
On Sun, Dec 8, 2013 at 9:56 AM, Riku Valli wrote:
> That's true, but if we're speaking about firewall rules: every rule where
> source, destination or ports are "any" means that the rule and firewall are
> in most cases useless, and this is true most of the time on a laptop/desktop.
>
> When som
babataz writes:
> Here some basic configuration for iptables :
If you want to configure these manually you need to also take care of
ip6tables. Debian listens on a link-local ipv6 address by default. It
can be accessed by anyone in the local network.
--
To UNSUBSCRIBE, email to debian-security
> to stop that and you couldn't even detect it, protect from it or
> anything, the hypervisor is the boss and it can do what it wants, and
> you are the guest so you have to play by the houses rules.
>
That's true, but if we're speaking about firewall rules: every rule where
source,
On 12/08/2013 02:44 PM, Volker Birk wrote:
> On Sun, Dec 08, 2013 at 01:36:36PM +0100, Frédéric CORNU wrote:
>> What about the possibility of a malicious piece of software
>> being installed and starting listening to incoming connections
>> without the knowledge of the system user?
>
> What
s I suggest you use a simple firewall tool (GUI-based) to set up a
basic firewall configuration.
Firewall tools to set up a simple firewall from the Desktop:
- Gufw, for GNOME. Available in Debian in the 'gufw' package.
https://help.ubuntu.com/community/Gufw
- Guarddog, for KDE. It i
Frédéric CORNU:
> On 08/12/2013 11:34, Bastian Blank wrote:
>> On Sat, Dec 07, 2013 at 10:55:30AM -0600, Richard Owlett wrote:
>>> Any help/direction appreciated.
>>
>> The answer is: None. If you don't have anything listen on the network,
>> nothing can be accessed anyway.
>>
>> Bastian
>>
>
>
Bastian Blank:
> On Sat, Dec 07, 2013 at 10:55:30AM -0600, Richard Owlett wrote:
>> Any help/direction appreciated.
>
> The answer is: None. If you don't have anything listen on the network,
> nothing can be accessed anyway.
Does Debian still come with open ports in a default installation?
--
On Sun, Dec 08, 2013 at 01:36:36PM +0100, Frédéric CORNU wrote:
> What about the possibility of a malicious piece of software being
> installed and starting listening to incoming connections without the
> knowledge of the system user?
What about the possibility of a malicious piece of software
:
>The typical internet connection will be with a USB dial-up modem.
>When I desire to browse complex website or download a large set of
> files,
> I will carry it to a local library and use a WiFi connection.
>
> A couple months of reading has left me confused as to a sui
On 08/12/2013 11:34, Bastian Blank wrote:
> On Sat, Dec 07, 2013 at 10:55:30AM -0600, Richard Owlett wrote:
>> Any help/direction appreciated.
>
> The answer is: None. If you don't have anything listen on the network,
> nothing can be accessed anyway.
>
> Bastian
>
What about the possibility
>The answer is: None.
May I suggest a netstat -tulp to see listening services on this laptop?
While outgoing connections can be discussed, incoming *should* be filtered.
Here is some basic configuration for iptables:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -
On Sat, Dec 07, 2013 at 10:55:30AM -0600, Richard Owlett wrote:
> Any help/direction appreciated.
The answer is: None. If you don't have anything listen on the network,
nothing can be accessed anyway.
Bastian
--
Where there's no emotion, there's no motive for violence.
-- Spock,
On 12/08/2013 04:13 AM, Jérémie Marguerie wrote:
> On Sat, Dec 7, 2013 at 4:03 PM, Anatoli Lichii wrote:
>> I use ufw/gufw
>
> A simple firewall configuration is to allow what goes out and only
> accept what comes in if it was initiated from your laptop
> ("establish
On Sat, Dec 7, 2013 at 4:03 PM, Anatoli Lichii wrote:
> I use ufw/gufw
A simple firewall configuration is to allow what goes out and only
accept what comes in if it was initiated from your laptop
("established"
connection).
--
Jérémie MARGUERIE
--
; will be:
>The typical internet connection will be with a USB dial-up modem.
>When I desire to browse complex website or download a large
>set of files,
> I will carry it to a local library and use a WiFi connection.
>
>A couple months of reading has left me co
e complex website or download a large
set of files,
I will carry it to a local library and use a WiFi connection.
A couple months of reading has left me confused as to a suitable
firewall.
Any help/direction appreciated.
--
ime it waits [ not exit with error].
> > I have a simple firewall rule [ as per Rusty Russell ].
> > I found a psad alert says "P2P BitTorrent communication attempt" as
> > classtype: policy-violation with "iptables chain: INPUT (prefix
> > "Dropping:"
On Sun, Jul 18, 2010 at 11:05:03PM +0530, naths wrote:
> I failed to download by "btdownloadgui --responsefile ***.torrent".
> Rarely it works and does the necessary download very slowly.
> Most of the time it waits [ not exit with error].
> I have a simple firewall rule [ as per Rusty Ru
Hi,
I failed to download by "btdownloadgui --responsefile ***.torrent".
Rarely it works and does the necessary download very slowly.
Most of the time it waits [ not exit with error].
I have a simple firewall rule [ as per Rusty Russell ].
I found a psad alert says "P2P BitTorrent communicat
* Zachary Uram:
> iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
You should restrict RELATED to ICMP. For TCP and UDP, RELATED can
open up your internal network to the outside world (depending on what
firewall helpers you have loaded).
--
2009/5/7 Zachary Uram :
> Hi,
>
> Running Debian lenny. I run a web server and try to keep all other
> ports closed. Would like to get some feedback on my firewall. If you
> have any suggestions for rules to add or other changes please let me
> know. Also what are some other ste
Hi,
Running Debian lenny. I run a web server and try to keep all other
ports closed. Would like to get some feedback on my firewall. If you
have any suggestions for rules to add or other changes please let me
know. Also what are some other steps I can take next to further
increase my security
On 2008-01-31 10:02:41, Chris Ferguson wrote:
> What about Firestarter? (www.fs-security.com). Is it a good solution to a
> personal use firewall?
END OF REPLIED MESSAGE
Maybe, but not as default.
What about installing D-I question whi
ut at least only those, which are REALLY
> required and not more.
>
> > Many distros (RPM-based mostly from my experience) ask you during the
> > install if you'd like to enable firewall protection. I was curious if
> > debian was ever going to have this as an option?
&
ired and not more.
> Many distros (RPM-based mostly from my experience) ask you during the
> install if you'd like to enable firewall protection. I was curious if
> debian was ever going to have this as an option?
Sorry, but Debian is NOT a "install and do not ask questions" di
On Mon, Jan 28, 2008 at 06:43:27PM +0100, Florian Weimer wrote:
> > Debian has a policy to install as few network services as possible in a
> > default install and bind them to the loopback interface if possible.
>
> Where is this described in Policy?
Maybe 'policy' was a rather strict word. Actu
>> Please check out section 3.6 of the "Securing Debian Manual". IIRC:
>>
>> - a default install (i.e. one in which you just press "Enter" all the
>> way and
>> select no tasks) will get you OpenSSH, Exim and portmap, with Exim
>> bound to
>> the loopback interface.
>
> portmap is typically n
* Javier Fernández-Sanguino Peña:
> On Wed, Jan 23, 2008 at 11:22:41PM +0100, Florian Weimer wrote:
>> The daemon might have been installed by a package dependency, more or
>> less by accident. Debian should have a policy that all daemons bind to
>> the loopback interface by default, but as long
t as
>>> well. The Linux kernel isn't very efficient at processing firewall
>>> rules. Newer
>>
>> I thought it was very efficient in doing so. YMMV.
>
> Quite the contrary. It is *dog* *slow* for non-trivial firewalls.
It depends a lot on the traffic
a strict, but more open
policy, see https://wiki.ubuntu.com/DefaultNetworkServices
Notice, however that the list of network services in Ubuntu was further
reduced in the default install as it was (originally) more oriented toward
Desktop systems (and not fully UNIX systems)
Now they are even thinking on inc
Hello,
As Javier says:
> See
>
> http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services..en.html#s-firewall-setup
> :
>
>
Just in case somebody doesn't notice, there is a typo in this URL
(double-dot), so I will post it correctly
http://www.debian.o
as removed since it
conflicted other firewall packages and it was decided (by the maintainer)
that it was better to just provide the tools and let the users select which
firewall-ruleset handling tool they wanted to use.
> Why is iptables installed by default and why is there no debian way to
> load
On Fri, 25 Jan 2008, Török Edwin wrote:
> If it is 2.6, I suggest you to contact the netfilter mailing list [1],
> and show them your firewall rules,
What makes you think they don't know about this? It is a design detail of
the way netfilter is implemented, and the two methods of acc
t, and from a DoS standpoint as
>>> well. The Linux kernel isn't very efficient at processing firewall
>>> rules. Newer
>>>
>> I thought it was very efficient in doing so. YMMV.
>>
>
> Quite the contrary. It is *dog* *slow* for non-triv
;t very efficient at processing firewall
>> rules. Newer
>
> I thought it was very efficient in doing so. YMMV.
Quite the contrary. It is *dog* *slow* for non-trivial firewalls. You have
to use a number of tricks to optimize the rule walk (many tables, hashing,
etc), and anything that
Hi
Little something on the side, while its in my mind.
If there was anything I would like to see, that is more of the netfilter
patch-o-matic's available in the kernel.
Hence, less need to wget patch-o-matic and to follow the process. It's not a big
task, but still, a total time waster.
Anyway
Florian Weimer <[EMAIL PROTECTED]> writes:
> The daemon might have been installed by a package dependency, more or
> less by accident. Debian should have a policy that all daemons bind to
> the loopback interface by default, but as long as this is not the case,
> I can understand why people put p
this is the task of the user/admin, not the distro.
> On the other hand, at this stage, it's very difficult for Debian as a
> distribution to choose what firewall scripting framework should be used.
> (But I don't think this is worth the effort.)
ACK
I think this kind of p
I believe Debian's method of handling iptables is perfect. if-up.d and its
counterparts provide a great means for scripting complex firewall sets.
For example, I have written a perl script that parses a custom config file
that defines certain IP
On the other hand, at this stage, it's very difficult for Debian as a
distribution to choose what firewall scripting framework should be used.
(But I don't think this is worth the effort.)
--
your server is seriously misconfigured.
Regards, Riku
Many distros (RPM-based mostly from my experience) ask you during the
install if you'd like to enable firewall protection. I was curious if
debian was ever going to have this as an option?
One solution could be to have a folder
William Twomey wrote:
If this is needed/wanted in Debian, no problem, but remember obscurity
isn't security.
With fwbuilder, lokkit (Gnome), kmyfirewall (kde) etc. it is very easy
to make and maintain firewalls on Linux, and all of these are regular
Debian packages. That is true at there shou
On 23/01/08 18:48 +0200, Riku Valli wrote:
Debian hasn't any open services by default, except portmapper, and behind
portmapper there aren't any services. So no need for a host firewall.
Ack. I didn't want to argue pro a default
firewall.
regards, Rolf
--
...about the greatest d
If this is needed/wanted in Debian, no problem, but remember obscurity
isn't security.
With fwbuilder, lokkit (Gnome), kmyfirewall (kde) etc. it is very easy
to make and maintain firewalls on Linux, and all of these are regular
Debian packages. That is true at there should be more information
William Twomey wrote:
Debian hasn't any open services by default, except portmapper, and
behind portmapper there aren't any services. So no need for a host firewall.
But isn't it reasonable to assume that most people will be installing
services? Even a desktop user is likely to enabl
Michael Loftis wrote:
[snip]
It's better to leave the service disabled, or even better, completely
uninstalled from a security standpoint, and from a DoS standpoint as
well. The Linux kernel isn't very efficient at processing firewall
rules. Newer kernels might be though (I honest
> 22ssh, 23ftp, etc. with iptable rules in each file.
This is IMHO nonsense. Why firewall ports where nothing listens?
This would not give you anything.
> You could also have
> an 'ENABLED' variable like some files in /etc/default have (so that
> ports wouldn't be op
Rolf Kutz wrote:
On 23/01/08 08:29 -0700, Michael Loftis wrote:
It's better to leave the service disabled, or even better, completely
uninstalled from a security standpoint, and from a DoS standpoint as
well. The Linux kernel isn't very efficient at processing firewall
rules.
On Wed, Jan 23, 2008 at 08:29:25AM -0700, Michael Loftis wrote:
>
> It's better to leave the service disabled, or even better, completely
> uninstalled from a security standpoint, and from a DoS standpoint as well.
> The Linux kernel isn't very efficient at processing
On 23/01/08 08:29 -0700, Michael Loftis wrote:
It's better to leave the service disabled, or even better, completely
uninstalled from a security standpoint, and from a DoS standpoint as well.
The Linux kernel isn't very efficient at processing firewall rules. Newer
I thought i
and similar
things) are not enabled by default.
There was at least at some point I believe evidence that some
platforms/firewalls didn't play well with SYN cookies. I could be wrong.
Many distros (RPM-based mostly from my experience) ask you during the
install if you'd like to enabl
On Jan 23, 2008 4:19 PM, William Twomey <[EMAIL PROTECTED]> wrote:
> One solution could be to have a folder called /etc/security/iptables
> that contains files that get passed to iptables at startup (in the same
> way /etc/rc2.d gets read in numeric order). So you could have files like
> 22ssh, 23f
om my experience) ask you during the
install if you'd like to enable firewall protection. I was curious if
debian was ever going to have this as an option?
One solution could be to have a folder called /etc/security/iptables
that contains files that get passed to iptables at startup (in the same
Jorge Escudero once wrote:
I have the Firewall with woody and I have never had any security problem.
Is it risky to still be using this version?
For a firewall, you need to at least upgrade the kernel and patch +
recompile ssh and libssl. More library updates are also needed if you also
On Wed, Oct 17, 2007 at 05:23:53PM +0200, Florian Weimer wrote:
> * Jorge Escudero:
>
> > I have the Firewall with woody and I have never had any security problem.
> > Is it risky to still be using this version?
> > Do I have to upgrade the version any time a new one is relea
On Wed, Oct 17, 2007 at 06:44:31PM +0200, Florian Weimer wrote:
> >> > I have the Firewall with woody and I have never had any security problem.
> >> > Is it risky to still be using this version?
> >> > Do I have to upgrade the version any time a new one is rele
>> > I have the Firewall with woody and I have never had any security problem.
>> > Is it risky to still be using this version?
>> > Do I have to upgrade the version any time a new one is released?
>>
>> There have been some kernel issues which affect the IP
* Jorge Escudero:
> I have the Firewall with woody and I have never had any security problem.
> Is it risky to still be using this version?
> Do I have to upgrade the version any time a new one is released?
There have been some kernel issues which affect the IP forwarding path
which may o
On Wed, Oct 17, 2007 at 03:37:04PM +0100, Steve Kemp wrote:
> On Wed Oct 17, 2007 at 11:05:58 -0300, Jorge Escudero wrote:
> > I have the Firewall with woody and I have never had any security problem.
> > Is it risky to still be using this version?
>
> Yes.
>
>
On Wed Oct 17, 2007 at 11:05:58 -0300, Jorge Escudero wrote:
> I have the Firewall with woody and I have never had any security problem.
> Is it risky to still be using this version?
Yes.
There have been no security updates released for Woody in over a
year, and that means there are lia
I have the Firewall with woody and I have never had any security problem.
Is it risky to still be using this version?
Do I have to upgrade the version any time a new one is released?
thank you
Jorge Escudero
Buenos Aires
Argentina
--
Hi,
here's a heavily updated firewall script. I have incorporated many of
the suggestions and ideas from the lists (especially debian-firewall).
Any further comments and improvement-suggestions are still very welcome!
Cheers, Uwe.
--
Uwe Hermann
http://www.hermann-uwe.de
http://w
Hi, I have posted my first firewall script previously.. this is basically
the same script but it is optimized..
#! /bin/bash
#modprobe ip_conntrack_FTP
### SYMBOLIC CONSTANTS ###
CONNECTION_TRACKING="1"
DHCP_CLIENT="1"
INTERNET="eth1"
LOOPBACK_INTERFACE="l
Hi!
On Tuesday 05 July 2005 14:00, Daniel Pittman wrote:
> /sbin/iptables -t filter -A in_world_http_s1 -p tcp --sport 1024:65535
> --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -t filter -A out_world_http_s1 -p tcp --sport 80 --dport
> 1024:65535 -m state --state ESTABL
t
> > filter -A out_world_http_s1 -p tcp --sport 80 --dport 1024:65535 -m state
> > --state ESTABLISHED -j ACCEPT
>
> IMHO, this is fairly redundant (and inefficient) unless you don't trust
> your firewall. (And in that case, why use it?) The examples of things
> that might
Michael Stone wrote:
On Tue, Jul 05, 2005 at 11:57:37PM +1000, Daniel Pittman wrote:
As to trusting the firewall, or not, there has been at least one bug
where attackers could manipulate the content of the conntrack expect
table remotely. Other bugs, local or remote, are not out of the
On Tue, Jul 05, 2005 at 11:57:37PM +1000, Daniel Pittman wrote:
As to trusting the firewall, or not, there has been at least one bug
where attackers could manipulate the content of the conntrack expect
table remotely. Other bugs, local or remote, are not out of the
question.
No they'r
ttp_s1 -p tcp --sport 80 --dport 1024:65535 -m
>> state --state ESTABLISHED -j ACCEPT
>
> IMHO, this is fairly redundant (and inefficient) unless you don't trust
> your firewall. (And in that case, why use it?) The examples of things
> that might require additional checking (e.g
ESTABLISHED -j ACCEPT
IMHO, this is fairly redundant (and inefficient) unless you don't trust
your firewall. (And in that case, why use it?) The examples of things
that might require additional checking (e.g., ftp data connection) are
arguably valid, but those are *RELATED* sessions
work through all of this is that i'm a
> Shorewall developer and would like to make sure it works in a way that
> makes security sense to other firewall users.
Sure. I am very glad to see y'all taking such an active interest in the
security of your package. It confirms my
27;m a
Shorewall developer and would like to make sure it works in a way that
makes security sense to other firewall users.
--
Paul
<http://paulgear.webhop.net>
--
Did you know? Using Microsoft Internet Explorer can make your computer
less secure. Find out more at <http://browsehappy.com>.
On 5 Jul 2005, Eloi Granado wrote:
> On Sunday, 3 July 2005 23:24, Paul Gear wrote:
>> Daniel Pittman wrote:
>>> It also tends to encourage "shortcuts" in the firewall, like accepting
>>> any RELATED/ESTABLISHED packets,
>>
>> Am i r
On Sunday, 3 July 2005 23:24, Paul Gear wrote:
> Daniel Pittman wrote:
> > It also tends to encourage "shortcuts" in the firewall, like accepting
> > any RELATED/ESTABLISHED packets,
>
> Am I right in understanding that you consider accepting
> RELATED/ES
eaning when he says:
> It also tends to encourage "shortcuts" in the firewall, like accepting
> any RELATED/ESTABLISHED packets, because each option in the
> configuration file is actually an "if" statement around a bit of hand
> crafted firewall.
and:
> Acceptin
allow them to
connect to the SMB server.
Firehol would, by default, not have permitted that -- they could have
created the 'RELATED' entry in the conntrack table, but the firewall
would (probably[1]) still have refused it, because RELATED packets to
that specific port were not allowed.
On Mon, Jul 04, 2005 at 07:45:47PM +1000, Paul Gear wrote:
I mustn't be understanding you here. Isn't the very definition of
RELATED/ESTABLISHED that the packet is part of an established connection
to a service actually used?
RELATED and ESTABLISHED are two different things. You've defined
EST
Daniel Pittman wrote:
> ...
>>Am I right in understanding that you consider accepting
>>RELATED/ESTABLISHED packets a bad thing?
>
>
> No. Accepting *any* RELATED/ESTABLISHED packets is, though, if someone
> finds an attack to generate entries in the conntrack table. Like, say,
> the active FTP
On 4 Jul 2005, KC wrote:
[...]
> *nat
> :PREROUTING DROP [0:0]
> :POSTROUTING DROP [0:0]
> :OUTPUT DROP [0:0]
> COMMIT
I thought that using a policy of DROP in the nat tables would result in
anything that wasn't NAT-ed being prevented from passing through by
iptables.
I can't find any documenta
Hi,
My firewall script doesn't have a problem with its rules; it is just
missing something important because when firehol tries it it doesn't give
any significant errors. When I turn on my previous firewall it works fine.
The place I am working in is a remote place where I am ju
On 4 Jul 2005, Paul Gear wrote:
> Daniel Pittman wrote:
>> ...
>> Shorewall, like many firewall packages, gives you[1] a whole bunch of
>> configuration options, which turn on or off features in the pre-packaged
>> firewall you have.
>>
>> This tends to
Daniel Pittman wrote:
> ...
> Shorewall, like many firewall packages, gives you[1] a whole bunch of
> configuration options, which turn on or off features in the pre-packaged
> firewall you have.
>
> This tends to make it hard to do strange things like playing with DSCP
> t
On Sun, 03 Jul 2005 12:23:13 +0200, Daniel Pittman <[EMAIL PROTECTED]>
wrote:
Thanks a lot! It was really comprehensive!
And according to what you wrote - I'll stick with shorewall since it does
everything I need and it's easy to manage. On the other hand - I'll start
to learn iptables beca
On 3 Jul 2005, Jakub Sporek wrote:
> On Sun, 03 Jul 2005 05:07:02 +0200, Daniel Pittman <[EMAIL PROTECTED]>
> wrote:
>
>> I found that 'firehol' was quite a surprise to me -- not only didn't it
>> suck, it actually improved my hand-written firewall somewha
Daniel Pittman wrote:
> ...
>>>Finally, that is a pretty complex firewall script, and obviously
>>>somewhat hard to maintain. Maybe you would get better value for your
>>>time by using an existing firewall helper like 'firehol', or something,
>>>t
On Sun, 03 Jul 2005 05:07:02 +0200, Daniel Pittman <[EMAIL PROTECTED]>
wrote:
I found that 'firehol' was quite a surprise to me -- not only didn't it
suck, it actually improved my hand-written firewall somewhat.
Unlike everything else, it doesn't tell you to
Daniel Pittman <[EMAIL PROTECTED]> wrote:
> Sure, a lot of them suck. In fact, most of them *really* suck, in my
> opinion.
>
> I found that 'firehol' was quite a surprise to me -- not only didn't it
> suck, it actually improved my hand-written firewall so
Hi,
I am trying out firehol right now on a fresh optimized version of this
firewall that I decided to make from scratch. The damn thing still won't
work. I know I am missing something important in both these scripts because
in both cases it drops everything and my rules are not functioning a