* [EMAIL PROTECTED] [EMAIL PROTECTED] [2001.12.05 11:32:39+1000]:
I didn't know you couldn't use DNAT if you used Masquerading. Are you
sure?
think about it. masquerade is used when you have a single dynamic IP.
if you had multiple IPs, then you don't have a dynamic IP connection,
which means
also sprach Gareth Bowker [EMAIL PROTECTED] [2002.02.07.1017 +0100]:
If you're worried about missing stuff out, you could start with a firewall
that defaults everything to DROP and go from there...
good point. any-any-any-DROP is what i call the base firewall. there
is *no* argument for a
hi, my iptables config can be reduced to the following example, which
lets ssh pass and drops everything else.
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j LOG
this works
also sprach Charlie Grosvenor [EMAIL PROTECTED] [2002.02.26.1657 +0100]:
I am trying to block smb going out of my network using the following
rules.
why not also block it coming in? i'd leave out the -o ppp0 bit below.
then there's nothing that can come in and nothing to go out.
iptables
also sprach Pedro P Sacristan Sanz [EMAIL PROTECTED] [2002.03.20.0847 +0100]:
If you don't want to change anything at this time, maybe you could use an
easy workaround if you are now using SSH in your firewall and web server:
if you use the -L option, you could start a SSH session from your
also sprach Urs Martini [EMAIL PROTECTED] [2002.10.08.0129 +0200]:
I got a problem with my new set up firewall: it crashes after some time!
What crashes? What does it do?
Now before I get into details - is there anyone who's willing
to help me fix that problem _personally_?
Why?
but an insertion at
n+1.
--
Please do not CC me when replying to lists; I read them!
.''`. martin f. krafft [EMAIL PROTECTED]
: :' :proud Debian developer, admin, and user
`. `'`
`- Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use
to an n-linked list requires modification of 2n pointers.
. If your insertion requires you
to copy all elements, your implementation is wrong.
as
generic/cross-distro-usable as possible :-)
You do know that there are plenty firewall scripts for iptables
already, right?
also sprach Robert Vangel [EMAIL PROTECTED] [2004.08.19.0239 +0200]:
It isn't iptables, but you could try the redir package.
also, the iproute package.
also sprach Phil Dyer [EMAIL PROTECTED] [2005.03.15.1512 +0100]:
for INPUT, lose the conntrack.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
why?
Also, please do not CC me on replies.
is the only other
one...
just fine (using REDIRECT in the OUTPUT
chain), but to rewrite the source, I need to use SNAT (I think),
which is only valid in POSTROUTING, and by that point in time it's
too late.
Thanks for any inputs.
also sprach David Schmitt [EMAIL PROTECTED] [2005.03.23.1222 +0100]:
try to fwmark the packets when REDIRECTing and use the mark on
POSTROUTING to SNAT too.
As I said, POSTROUTING is too late.
over other distros.
transparent proxying for clients. Note that my question was
about local packets in the first place.
, rather than having
to `http_access allow all`, which is surely not what I want.
at 3128 have the
dynamic external IP as source, when they should have 127.0.0.1.
also sprach Phil Dyer [EMAIL PROTECTED] [2005.03.28.0041 +0200]:
Martin, if/when you do find a solution, I hope you'll summarize to
the list. I find this problem quite interesting...
Certainly.
) Communication strategy:
Try to explain _what_ you're trying to do, and _why_,
like you would to some new date's sceptical grandma.
I think you should re-read this thread from the beginning.
is useful. AFAIK this is done
by a number of companies.
Let's just get down to answering questions and asking about
motivations when we're deadlocked and/or the question is
inconsistent, okay?
also sprach Dave Ewart [EMAIL PROTECTED] [2005.03.29.2237 +0200]:
http://lists.debian.org/debian-firewall/2005/03/msg00074.html
Yeah, that was me, wasn't it? ;-)
It's a small world, no? :)
[I sent this message to the netfilter list two days ago and have not
received a reply yet.
https://lists.netfilter.org/pipermail/netfilter/2006-March/065082.html
]
Hi,
I am somewhat baffled by a problem with a bunch of my machines.
I use the following rules there to limit SSH brute force
of your machines.
Nice! I'll verify this one of these days. Can I forward your email
to the netfilter list?
of the functionality (or proc file
system entries) are currently rejected
wait, what? Has the netfilter team turned the stable concept around?
also sprach martin f krafft [EMAIL PROTECTED] [2006.03.10.1507 +0100]:
Sounds like you are experiencing the timer overflow bug in
ipt_recent. On 32bit machines with HZ at 1000 (the default in 2.6),
you'll hit the bug after ~25 days of uptime. This could explain why
you're only seeing
also sprach martin f krafft [EMAIL PROTECTED] [2006.03.13.1103 +0100]:
I just rebooted one of the affected 32bit machines and the problem
remains... so I guess there are other issues...
I sure feel silly now. The blog post mentions the first rollover
after 5 minutes, so waiting for 5 minutes
persist? Is there some
Linux magic going on?
, but no mention over how long.
So, NetBSD... one step closer...
the SYN bit set cannot be identified and thus has
no state. I seem to recall it was actually an iptables developer
who told me that INVALID = ALL - (ESTABLISHED + RELATED + NEW).
-A INPUT -m conntrack --ctstate NEW -p tcp --syn -j open-tcp-ports
-A INPUT -m conntrack --ctstate NEW -p udp -j open-udp-ports
-A open-tcp-ports --dport 22 -j ACCEPT
...
?
... and I thought I had moderately understood this stuff.
ones I am overlooking?
How about "One rule fails to load for obscure reasons"?
iptables-restore, which is what I used, fortunately uses
a transaction to commit new rules.