drop and reject are not equivalent.
with _reject with icmpx_ you get an icmp response when trying to
access a system and get blocked by the firewall.
with _policy drop_ packets that are not allowed just get silently
dropped and don't give any feedback to the source.
In most cases it's a best pract
On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
wrote:
> drop and reject are not equivalent.
Fair enough
[...]
> In most cases it's a best practice to configure all chains with
> _policy drop_ and then add rules for the traffic that you want to
> allow
All the nftables and PF howtos I hav
On 2022-07-12 10:33, Gareth Evans wrote:
On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
In most cases it's a best practice to configure all chains with
_policy drop_ and then add rules for the traffic that you want to
allow
All the nftables and PF howtos I have found take this approach.
> On 12 Jul 2022, at 11:31, mick crane wrote:
> On 2022-07-12 10:33, Gareth Evans wrote:
>> On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
>
>>> In most cases it's a best practice to configure all chains with
>>> _policy drop_ and then add rules for the traffic that you want to
>>> allow
>
Ottavio Caruso wrote:
> On 11/07/2022 12:20, Dan Ritter wrote:
> > Ottavio Caruso wrote:
> > > On 11/07/2022 08:32, john doe wrote:
> > >
> > > > I'm looking for something cheap (max would be around 300 bucks), do you
> > > > have any suggestions/ideas?
> > >
> > >
> > > My local Cash-Converter
On Tue, 12 Jul 2022, Gareth Evans wrote:
> On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
> wrote:
>
>> drop and reject are not equivalent.
>
> Fair enough
>
> [...]
>> In most cases it's a best practice to configure all chains with
>> _policy drop_ and then add rules for the traffic that yo
> On 11 Jul 2022, at 17:48, Ram Ramesh wrote:
[...]
> . However, my new machine has this daemon running which notices that $extif
> does not have much activity and disables it after some timeout idle time.
> Today I noticed that my $extif is vanishing and /var/log/daemon.log shows
> some av
"Gareth Evans" writes:
> On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
> wrote:
>
>> drop and reject are not equivalent.
>
> Fair enough
>
> [...]
>> In most cases it's a best practice to configure all chains with
>> _policy drop_ and then add rules for the traffic that you want to
>> allo
On Tue, 12 Jul 2022 at 14:13, Anssi Saari () wrote:
>
> "Gareth Evans" writes:
>
> > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
> > wrote:
> >
> >> drop and reject are not equivalent.
> >
> > Fair enough
> >
> > [...]
> >> In most cases it's a best practice to configure all chains
rhkra...@gmail.com writes:
> I could not find (in the searching I did) equivalent functionality for IPv6,
> so
> I disabled IPv6 in hopes of keeping my systems (fairly) secure.
The equivalent to NAT in IPv6 is NAT, of course. It's not usually spoken
of much but for example my VPN provider does
On 7/12/22 05:36, Gareth Evans wrote:
On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
wrote:
[...]
Why is it best practice? Is there any security advantage over rejection?
Thanks,
Gareth
Absolutely. reject sends a msg back to the hacker that there is a machine
at that address.
drop sen
On 7/11/22, rhkramer wrote:
>
> From the peanut gallery: I disabled IPv6 quite some time ago. I don't
> recall how I did it, but I might have that information in my notes, somewhere.
>
> The reason that I disabled it (which might not be totally logical) is that
> in IPv4, I have always had my com
On 7/11/22 21:35, Tixy wrote:
On Mon, 2022-07-11 at 19:51 -0700, Peter Ehlert wrote:
[...]
I decided to try a fresh netinstall alongside and Boom:
===
multiple network interfaces
eno1: Intel Corporation Ethernet Connection (2) I218-LM
enp5s0: Intel Corporation 1210 Gigabit Network Connection
On Tue, 2022-07-12 at 05:35 +0100, Tixy wrote:
> On Mon, 2022-07-11 at 19:51 -0700, Peter Ehlert wrote:
> [...]
> >
> > I decided to try a fresh netinstall alongside and Boom:
> >
> > ===
> > multiple network interfaces
> >
> > eno1: Intel Corporation Ethernet Connection (2) I218-LM
> > enp5s0:
Stefan Monnier (12022-07-12):
> Except that if you contact an IP address where there's no machine, you
> may get a "no route to host" error (from the router that finds out
> there's no machine at that address), whereas if that machine DROPs, then
> you'll get no message, thus indicating that there
On Tue, Jul 12, 2022 at 11:31:11AM +0100, mick crane wrote:
> On 2022-07-12 10:33, Gareth Evans wrote:
> > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
>
> > > In most cases it's a best practice to configure all chains with
> > > _policy drop_ and then add rules for the traffic that you want
On Tue 12 Jul 2022 at 15:44:41 (+0100), Tixy wrote:
> Another idea, is looking for that network name in the logs for the
> current boot.
>
> journalctl -b | grep -B3 enx00e04c534458
>
> That'll give you matches with the three lines before so you can see the
> context.
I'd use grep -B3 -A3 -i
Hello,
where should I report (or if possible) directly change the translation
of the packages description used by apt?
Which package is affected?
--
kind regards
Marco
On Tue, Jul 12, 2022 at 10:09:46AM -0400, gene heskett wrote:
> On 7/12/22 05:36, Gareth Evans wrote:
> > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
> > wrote:
> [...]
> > Why is it best practice? Is there any security advantage over rejection?
> >
> > Thanks,
> > Gareth
> >
> Absolute
On Tue, Jul 12, 2022 at 11:27:41AM -0400, Henning Follmann wrote:
> On Tue, Jul 12, 2022 at 11:31:11AM +0100, mick crane wrote:
> > On 2022-07-12 10:33, Gareth Evans wrote:
> > > On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
> >
> > > > In most cases it's a best practice to configure all chai
On Tue, Jul 12, 2022 at 06:16:12PM +0200, to...@tuxteam.de wrote:
> On Tue, Jul 12, 2022 at 11:27:41AM -0400, Henning Follmann wrote:
> > On Tue, Jul 12, 2022 at 11:31:11AM +0100, mick crane wrote:
> > > On 2022-07-12 10:33, Gareth Evans wrote:
> > > > On Tue 12 Jul 2022, at 10:19, Maximiliano Estu
On Tue, Jul 12 2022 at 03:50:25 PM, Marco wrote:
> Hello,
> where should I report (or if possible) directly change the translation
> of the packages description used by apt?
> Which package is affected?
Package descriptions are part of the package itself. So you'd report it
as a bug on xwit. If
On 12/07/2022 at 17:27, Henning Follmann wrote:
On Tue, Jul 12, 2022 at 11:31:11AM +0100, mick crane wrote:
On 2022-07-12 10:33, Gareth Evans wrote:
On Tue 12 Jul 2022, at 10:19, Maximiliano Estudies
In most cases it's a best practice to configure all chains with
_policy drop_ and then add r
On 7/12/22 10:21, Lee wrote:
On 7/11/22, rhkramer wrote:
From the peanut gallery: I disabled IPv6 quite some time ago. I don't
recall how I did it, but I might have that information in my notes, somewhere.
The reason that I disabled it (which might not be totally logical) is that
in IPv4, I
On Tue, Jul 12, 2022 at 07:13:06PM +0200, Erwan David wrote:
[...]
> It depends on your settings. Personally on a router I tend to Reject if the
> ICMP goes to the internal network, drop if it would be sent outside. That
> avoids some weird timeouts in the internal network (put your own definiti
On Tue, 12 Jul 2022 21:17:40 +0200
wrote:
> That looks like a sensible strategy to me.
It isn't at all, completely blocking incoming ICMP is a very stupid
idea.
ICMP is used for control messages, e.g. for Path MTU discovery.
The only ICMP message that can be blocked is echo request or echo
re
Hello,
On Mon, Jul 11, 2022 at 10:31:36PM -0400, rhkra...@gmail.com wrote:
> On Sunday, July 10, 2022 06:48:10 PM Andy Smith wrote:
> > Otherwise I'm afraid your claims about IPv6 so far have been quite
> > bizarre, on the level of "IPv6 ate my homework" or "my father was
> > killed by a 128
Hello Debian Users,
I am playing with jupyter-qtconsole in Xfce. Debian is Debian version 11.4.
When I launch a turtle from the jupyter-qtconsole, I get a turtle console as
expected.
And I can move the turtle around. However, when I switch to another workspace
and
then come back to the workspac
On 7/11/22 11:30, Ram Ramesh wrote:
Experts,
I have a firewall machine built recently and it runs debian bullseye
(v11). It has two ethernet interfaces - one internal ($intf) and one
external ($extf). My external port runs dhclient to get its IP address
and internal port runs dnsmasq to pro
Hi,
In order to test my program I ran "make install".
This installed it into "/usr/local/{bin,lib}"
So now in order to run the program I need to update
the ld library cache with "ldconfig".
Unfortunately it is not available by default and trying to
search for it produces following:
[code]
root@d
On Tue, Jul 12, 2022 at 08:52:47PM -0500, Igor Korot wrote:
> So now in order to run the program I need to update
> the ld library cache with "ldconfig".
>
> Unfortunately it is not available by default and trying to
> search for it produces following:
>
> [code]
> root@debian:/usr/local/lib#
It
On Tue 12 Jul 2022 at 20:52:47 (-0500), Igor Korot wrote:
> In order to test my program I ran "make install".
>
> This installed it into "/usr/local/{bin,lib}"
>
> So now in order to run the program I need to update
> the ld library cache with "ldconfig".
>
> Unfortunately it is not available by
On Tue, Jul 12 2022 at 09:50:04 AM, Kushal Kumaran wrote:
> On Tue, Jul 12 2022 at 03:50:25 PM, Marco wrote:
>> Hello,
>> where should I report (or if possible) directly change the translation
>> of the packages description used by apt?
>> Which package is affected?
>
> Package descriptions are p
Hi, ALL,
[code]
igor@debian:~/dbhandler/Debug$ ls -la /usr/local/lib/
total 156544
drwxr-xr-x 3 root root 4096 Jul 12 19:55 .
drwxr-xr-x 10 root root 4096 Jul 9 15:42 ..
-rw-r--r-- 1 root root8 Jul 12 19:52 libdbinterface.a
-rw-r--r-- 1 root root 1082702 Jul 12 19:53 libdbloa
On Tue 12 Jul 2022 at 21:48:08 (-0500), Igor Korot wrote:
> igor@debian:~/dbhandler/Debug$ ls -la /usr/local/lib/
> [ … ]
> drwxr-xr-x 3 root root 4096 Jul 9 16:52 python3.9
> 2. There is python 3.9 folder there
> I know I didn't install anything python specific and so the box
> should conta
On Tue, Jul 12, 2022 at 08:00:42PM +, Marco wrote:
> On Tue, 12 Jul 2022 21:17:40 +0200
> wrote:
>
> > That looks like a sensible strategy to me.
>
> It isn't at all, completely blocking incoming ICMP is a very stupid
> idea.
I didn't get that "blocking incoming ICMP" part. Just the "DROP
[//code]Hi,
On Tue, Jul 12, 2022 at 10:10 PM David Wright wrote:
>
> On Tue 12 Jul 2022 at 21:48:08 (-0500), Igor Korot wrote:
>
> > igor@debian:~/dbhandler/Debug$ ls -la /usr/local/lib/
> > [ … ]
> > drwxr-xr-x 3 root root 4096 Jul 9 16:52 python3.9
>
> > 2. There is python 3.9 folder ther
On Tue, 12 Jul 2022 19:24:21 -0700
Kushal Kumaran wrote:
> I re-read your message and realized I didn't notice that you were
> talking about translated description.
> https://www.debian.org/international/l10n/ddtp would appear to be a
> good starting point for that.
Thanks for your answer.
I c
On 12/07/2022 at 22:00, Marco wrote:
On Tue, 12 Jul 2022 21:17:40 +0200
wrote:
That looks like a sensible strategy to me.
It isn't at all, completely blocking incoming ICMP is a very stupid
idea.
ICMP is used for control messages, e.g. for Path MTU discovery.
The only ICMP message that