ones I am overlooking?
How about "One rule fails to load for obscure reasons"?
iptables-restore, which is what I used, fortunately uses
a transaction to commit new rules.
--
Please do not send copies of list mail to me; I read the list!
.''`. martin f. krafft [EMAIL PROTECTED]
: :' :proud Debian developer and author: http://debiansystem.info
`. `'`
`- Debian - when you have better things to do than fixing a system
in a country where the sole employer is the state, opposition means
death by slow starvation
, but no mention over how long.
So, NetBSD... one step closer...
the SYN bit set cannot be identified and thus has
no state. I seem to recall it was actually an iptables developer
who told me that INVALID = ALL - (ESTABLISHED + RELATED + NEW).
-A INPUT -m conntrack --ctstate NEW -p tcp --syn -j open-tcp-ports
-A INPUT -m conntrack --ctstate NEW -p udp -j open-udp-ports
-A open-tcp-ports --dport 22 -j ACCEPT
...
?
... and I thought I had moderately understood this stuff.
persist? Is there some
Linux magic going on?
also sprach martin f krafft [EMAIL PROTECTED] [2006.03.10.1507 +0100]:
Sounds like you are experiencing the timer overflow bug in
ipt_recent. On 32bit machines with HZ at 1000 (the default in 2.6),
you'll hit the bug after ~25 days of uptime. This could explain why
you're only seeing
also sprach martin f krafft [EMAIL PROTECTED] [2006.03.13.1103 +0100]:
I just rebooted one of the affected 32bit machines and the problem
remains... so I guess there are other issues...
I sure feel silly now. The blog post mentions the first rollover
after 5 minutes, so waiting for 5 minutes
[I sent this message to the netfilter list two days ago and have not
received a reply yet.
https://lists.netfilter.org/pipermail/netfilter/2006-March/065082.html
]
Hi,
I am somewhat baffled by a problem with a bunch of my machines.
I use the following rules there to limit SSH brute force
of your machines.
Nice! I'll verify this one of these days. Can I forward your email
to the netfilter list?
of the functionality (or proc file
system entries) are currently rejected
wait, what? Has the netfilter team turned the stable concept around?
is useful. AFAIK this is done
by a number of companies.
Let's just get down to answering questions and asking about
motivations when we're deadlocked and/or the question is
inconsistent, okay?
also sprach Dave Ewart [EMAIL PROTECTED] [2005.03.29.2237 +0200]:
http://lists.debian.org/debian-firewall/2005/03/msg00074.html
Yeah, that was me, wasn't it? ;-)
It's a small world, no? :)
also sprach Phil Dyer [EMAIL PROTECTED] [2005.03.28.0041 +0200]:
Martin, if/when you do find a solution, I hope you'll summarize to
the list. I find this problem quite interesting...
Certainly.
Communication strategy:
Try to explain _what_ you're trying to do, and _why_,
like you would to some new date's sceptical grandma.
I think you should re-read this thread from the beginning.
at 3128 have the
dynamic external IP as source, when they should have 127.0.0.1.
just fine (using REDIRECT in the OUTPUT
chain), but to rewrite the source, I need to use SNAT (I think),
which is only valid in POSTROUTING, and by that point in time it's
too late.
Thanks for any inputs.
also sprach David Schmitt [EMAIL PROTECTED] [2005.03.23.1222 +0100]:
try to fwmark the packages when REDIRECTing and use the mark on
POSTROUTING to SNAT too.
As I said, POSTROUTING is too late.
over other distros.
transparent proxying for clients. Note that my question was
about local packets in the first place.
, rather than having
to `http_access allow all`, which is surely not what I want.
also sprach Phil Dyer [EMAIL PROTECTED] [2005.03.15.1512 +0100]:
for INPUT, lose the conntrack.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
why?
Also, please do not CC me on replies.
is the only other
one...
as
generic/cross-distro-usable as possible :-)
You do know that there are plenty of firewall scripts for iptables
already, right?
but an insertion at
n+1.
to an n-linked list requires modification of 2n pointers.
. If your insertion requires you
to copy all elements, your implementation is wrong.
also sprach Robert Vangel [EMAIL PROTECTED] [2004.08.19.0239 +0200]:
It isn't iptables, but you could try the redir package.
also, the iproute package.
also sprach Urs Martini [EMAIL PROTECTED] [2002.10.08.0129 +0200]:
I got a problem with my new set up firewall: it crashes after some time!
What's crashes? What does it do?
Now before I get into details - is there anyone who's willing
to help me fix that problem _personally_?
Why?
also sprach Pedro P Sacristan Sanz [EMAIL PROTECTED] [2002.03.20.0847 +0100]:
If you don't want to change anything at this time, maybe you could use an
easy workaround if you are now using SSH on your firewall and web server:
if you use the -L option, you could start a SSH session from your
also sprach Charlie Grosvenor [EMAIL PROTECTED] [2002.02.26.1657 +0100]:
I am trying to block smb going out of my network using the following
rules.
why not also block it coming in? i'd leave out the -o ppp0 bit below.
then there's nothing that can come in and nothing to go out.
iptables
hi, my iptables config can be reduced to the following example, which
lets ssh pass and drops everything else.
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j LOG
this works
also sprach Gareth Bowker [EMAIL PROTECTED] [2002.02.07.1017 +0100]:
If you're worried about missing stuff out, you could start with a firewall
that defaults everything to DROP and go from there...
good point. any-any-any-DROP is what i call the base firewall. there
is *no* argument for a
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2001.12.05 11:32:39+1000]:
I didn't know you couldn't use DNAT if you used Masquerading. Are you
sure?
think about it. masquerade is used when you have a single dynamic IP.
if you had multiple IPs, then you don't have a dynamic IP connection,
which means