[gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Peter Humphrey
Hello list, Today's update of iptables to 1.8.1 failed here because I didn't have USE=nftables set. After setting that in package.use it was fine. Before I submit a bug report, though, I'd like to understand one thing: $ grep nftables $(equery w iptables) IUSE="conntrack i

Re: [gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Peter Humphrey
On Wednesday, 24 October 2018 12:52:24 BST Neil Bothwick wrote: > On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote: > > Today's update of iptables to 1.8.1 failed here because I didn't have > > USE=nftables set. After setting that in package.use it was fine.

Re: [gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Peter Humphrey
On Wednesday, 24 October 2018 15:30:06 BST Peter Humphrey wrote: > On Wednesday, 24 October 2018 12:52:24 BST Neil Bothwick wrote: > > On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote: > > > Today's update of iptables to 1.8.1 failed here because I didn't have

Re: [gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Neil Bothwick
On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote: > Today's update of iptables to 1.8.1 failed here because I didn't have > USE=nftables set. After setting that in package.use it was fine. Before > I submit a bug report, though, I'd like to understand one thi

[gentoo-user] nftables, ip[6]tables and network namespaces

2014-03-04 Thread Pavel Volkov
I have 2 questions about the new nftables in kernel 3.13. 1. Are network namespaces not yet supported in nftables? When I load a set of rules in another namespace with nftables, it affects the default namespace instead. The same thing worked perfectly with iptables/ip6tables. 2. What takes

[gentoo-user] Re: IPTables question... simple as possible for starters

2013-12-30 Thread James
shawn wilson gmail.com> writes: > Also see nftables: http://netfilter.org/projects/nftables/ Interesting read. http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg http://upload.wikimedia.org/wikipedia/commons/d/dd/Netfilter-components.svg Where is the diagr

Re: [gentoo-user] [OT] Best *SIMPLE* firewall?

2018-03-03 Thread Tom H
On Sat, Mar 3, 2018 at 7:55 PM, Walter Dnes wrote: > On Wed, Feb 28, 2018 at 04:40:37PM -0700, Grant Taylor wrote >> On 02/28/2018 02:15 PM, Walter Dnes wrote: >>> >>> Is there something besides iptables? >> >> nftables > > Assuming I just want f

Re: [gentoo-user] Re: IPTables question... simple as possible for starters

2013-12-30 Thread shawn wilson
On Mon, Dec 30, 2013 at 1:04 PM, James wrote: > shawn wilson gmail.com> writes: > > >> Also see nftables: http://netfilter.org/projects/nftables/ > > Interesting read. > > http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg > > h

Re: [gentoo-user] Kernel config for Docker

2020-05-17 Thread Victor Ivanov
Andrew makes a good point that, of course, not all options will be relevant to a particular image or use case. The script is aimed to check for "full" compatibility. Having some reported as missing is by no means a deal breaker. Re nftables it's a very valid point as well. I t

Re: [gentoo-user] Kernel config for Docker

2020-05-17 Thread Peter Humphrey
ns > a deal breaker. > > Re nftables it's a very valid point as well. I too use nftables instead > of iptables and, in general, anything that dares touch my rules I will > either disable the option for it to do so or, if that's not possible, > swiftly eradicate it off my sy

Re: [gentoo-user] [OT] Best *SIMPLE* firewall?

2018-03-03 Thread Grant Taylor
On 03/03/2018 05:55 PM, Walter Dnes wrote: Assuming I just want filtering, could I emerge nftables and unmerge iptables and have a functional firewall? Simplistically, yes. It's my understanding that iptables and nftables are two completely different firewalling technologies. So you

Re: [gentoo-user] Kernel config for Docker

2020-05-17 Thread Peter Humphrey
On Sunday, 17 May 2020 00:58:54 BST Andrew Udvare wrote: > On 16/05/2020 13:12, Peter Humphrey wrote: > > I can't find any of those. Any clues for the uninitiated? > > I am running Docker fine on 5.6.12 and I am missing a lot: --->8 > In regards to NF options, I use

Re: [gentoo-user] [OT] Best *SIMPLE* firewall?

2018-03-03 Thread Walter Dnes
On Wed, Feb 28, 2018 at 04:40:37PM -0700, Grant Taylor wrote > On 02/28/2018 02:15 PM, Walter Dnes wrote: > > Is there something besides iptables? > > nftables Assuming I just want filtering, could I emerge nftables and unmerge iptables and have a functional firewall? --

Re: [gentoo-user] [OT] Best *SIMPLE* firewall?

2018-02-28 Thread Grant Taylor
On 02/28/2018 02:15 PM, Walter Dnes wrote: Is there something besides iptables? nftables I think BPF may come into context here, but I've mostly ignored it, so I'm not sure. It seems to be like systemd/perl/python, continuously expanding its scope. What do you mean? I

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-31 Thread shawn wilson
ecase the "raw" table is just that: raw, unadulterated, unanalyzed >> > packets. The CPU assumes nothing, it merely tries to match well-known >> > fields' values. >> > >> >> And because nothing is assumed, you can't prepend a conntrack rul

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-31 Thread Pandu Poluan
ch well-known > > fields' values. > > > > And because nothing is assumed, you can't prepend a conntrack rule. I > can't think of why you'd ever want those packets (and I should > probably move at least those 4 masks to raw) but just an FYI - no > processing

Re: [gentoo-user] Shorewall6 kernel config

2020-04-18 Thread Peter Humphrey
wo apparently different sets of IP filtering > >options. Do I need the NF set or the older one? > > This depends on whether shorewall uses the older iptables stack, or the > newer nftables one. I don't know much about shorewall, but according to > a quick

Re: [gentoo-user] Kernel config for Docker

2020-05-16 Thread Andrew Udvare
missing - /dev/zfs: missing - zfs command: missing - zpool command: missing In regards to NF options, I use nftables and I manage the firewall manually for Docker (I set {"iptables": false} in /etc/docker/daemon.json). Docker has been extremely slow at adopting nftables. You
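An added example, not the ruleset Andrew runs and not anything Docker ships: a minimal nftables configuration for a host started with `{"iptables": false}` in /etc/docker/daemon.json, covering what Docker would otherwise have installed through iptables for its default bridge. It assumes the default `docker0` bridge with its default subnet 172.17.0.0/16, an uplink named `eth0`, a host that only serves SSH to the outside, and that `net.ipv4.ip_forward=1` is already set; it is IPv4-only, as the default Docker bridge is.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for a Docker host started with {"iptables": false}.
# Assumptions (not from the thread): default bridge docker0 with 172.17.0.0/16,
# uplink eth0, net.ipv4.ip_forward=1 already set, IPv4 only.
flush ruleset

define docker_if  = "docker0"
define uplink_if  = "eth0"
define docker_net = 172.17.0.0/16

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # containers may talk to the host itself (DNS forwarder, docker-proxy)
        iifname $docker_if ip saddr $docker_net accept
        # host services reachable from outside: only SSH and ping here
        tcp dport 22 accept
        icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # container -> uplink, only with a source address from the bridge subnet
        iifname $docker_if oifname $uplink_if ip saddr $docker_net accept
        # container -> container on the same bridge
        iifname $docker_if oifname $docker_if accept
        # nothing from the uplink may open a connection into the bridge;
        # published ports need an explicit accept (and a dnat rule) added here
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # source-NAT container traffic leaving through the uplink
        ip saddr $docker_net oifname $uplink_if masquerade
    }
}
```

Syntax-check it with `nft -c -f /etc/nftables.conf` before loading. With Docker's iptables integration off, `-p` port publishing is no longer turned into NAT rules for you: either rely on docker-proxy holding the host socket or add your own `dnat` rule in a prerouting chain plus a matching accept in `forward`.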

Re: [gentoo-user] Configure sshd to listen on specific interfaces?

2020-08-27 Thread Victor Ivanov
ic interface. You can, however, work around this in a rather unusual way via ip/nftables and DNAT. You will need to enable IP[v6] forwarding via sysctl (or sysctl.conf): net.ipv4.ip_forward=1 net.ipv4.conf..route_localnet=1 The latter option is critical as, by default, the kernel will not
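Victor's workaround written out as a loadable ruleset; this is an added example, not the commands he posted. It assumes sshd is configured with `ListenAddress 127.0.0.1`, that the interface it should answer on is `eth1`, and that the two sysctls from his message are applied as `net.ipv4.ip_forward=1` and `net.ipv4.conf.eth1.route_localnet=1` (the interface in the second one is the one the packets arrive on).

```nft
#!/usr/sbin/nft -f
# Added example: reach an sshd that listens only on 127.0.0.1:22 through one
# interface by rewriting the destination on ingress.  Assumptions (not from the
# thread): the interface is eth1, sshd has "ListenAddress 127.0.0.1", and
#   sysctl -w net.ipv4.ip_forward=1 net.ipv4.conf.eth1.route_localnet=1
# have been applied.  Without route_localnet the kernel discards packets
# arriving on a non-loopback interface that it would have to deliver to 127/8.

table ip ssh_redirect {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # only the first packet of a flow traverses the nat hook; conntrack
        # un-NATs the replies.  The port is kept, only the address changes.
        iifname "eth1" tcp dport 22 dnat to 127.0.0.1
    }

    chain input {
        type filter hook input priority filter; policy accept;
        # belt and braces: SSH arriving on any other interface is refused
        iifname != "eth1" iifname != "lo" tcp dport 22 drop
    }
}
```

DNAT rewrites only the destination, so sshd still sees the real client address in its logs and in `from=` restrictions in authorized_keys; the one thing it loses is the ability to tell which interface the connection came in on, which is exactly what the rule above enforces in its place.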

Re: [gentoo-user] [OT] Block multiple IP addresses; iptables or route...reject?

2017-10-04 Thread R0b0t1
uld > be aggregated into small CIDRs. So the number of blocking rules is > greatly reduced. > > I'm not a deep networking expert. My question is whether I'm better > off adding iptables reject/drop rules or "reject routes", e.g... > If you want to filter co
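The question is whether many drop rules or reject routes scale better. As an added example (not from R0b0t1's reply), nftables sidesteps the rule-count problem altogether: a set with `flags interval` holds CIDRs and ranges and is consulted by one rule, however long the list grows. The addresses are documentation ranges used as placeholders.

```nft
#!/usr/sbin/nft -f
# Added example for the "block multiple IP addresses" question: one rule and one
# set instead of one rule per address.  "flags interval" lets the set hold CIDRs
# and ranges; "auto-merge" collapses overlapping entries as they are added.
# The addresses are RFC 5737 / RFC 3849 documentation ranges, not real hosts.

table inet blocklist {
    set bad4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 192.0.2.0/24, 198.51.100.0/24, 203.0.113.7 }
    }
    set bad6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:bad::/48 }
    }
    chain input {
        # run before the main filter chain so blocked sources never reach it
        type filter hook input priority filter - 10; policy accept;
        ip saddr @bad4 counter drop
        ip6 saddr @bad6 counter drop
    }
}
```

Add to it at runtime with `nft add element inet blocklist bad4 { 203.0.113.0/25 }` and inspect it with `nft list set inet blocklist bad4`; the lookup cost does not grow with the number of entries the way a chain of individual iptables rules does. A reject or blackhole route, by contrast, acts on the destination lookup: it stops your host from answering, but whether the inbound packet itself is discarded depends on rp_filter, whereas a drop in the input hook is unambiguous.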

Re: [gentoo-user] [SUSPECTED SPAM] [OT] Best *SIMPLE* firewall?

2018-02-28 Thread Heiko Baums
pull > in 90% of QT as dependencies. I fondly remember IPCHAINS. I don't know what you're looking for exactly. If you want a command line tool for configuring your firewall with an easier syntax than iptables you could try ufw. I don't know nftables, yet, but from what I read so

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-30 Thread shawn wilson
you'd ever want those packets (and I should probably move at least those 4 masks to raw) but just an FYI - no processing means no processing. Also see nftables: http://netfilter.org/projects/nftables/

Re: [gentoo-user] Shorewall6 kernel config

2020-04-18 Thread Wolf
ether shorewall uses the older iptables stack, or the newer nftables one. I don't know much about shorewall, but according to a quick search online it seems to still rely on iptables. In that case, CONFIG_NETFILTER_XT_MATCH_STATE should be the correct option to use. I'm using nftable

Re: [gentoo-user] netfilter partial MAC filtering

2022-06-16 Thread Samuraiii
t.  Does anybody know > of any common solutions for doing packet matching based on just part > of a MAC address on Linux?  Failing that, some advice about whether > the system daemon and packet inspection route or the netfilter module > route is more likely to be stable and maintainable wou

[gentoo-user] new linux router

2015-03-04 Thread James
yer 3, what is the best route (pun intended) to protect some winblows systems? And I need the ability to dynamically block some gaming sites (kids playing too many hours of video). Then I read about NFtables... [1] And there is more. So, being a bit busy what would folks recommend for pur

Re: [gentoo-user] new linux router

2015-03-07 Thread thegeezer
hanged. Dansguardian is deprecated? > If I add protection above layer 3, what is the best route (pun intended) > to protect some winblows systems? And I need the ability to dynamically > block some gaming sites (kids playing too many hours of video). > > Then I read about NFtab

RE: [gentoo-user] netfilter partial MAC filtering

2022-06-17 Thread Laurence Perkins
a custom netfilter module. > > > > None of this seems particularly "fun" to sort out. Does anybody know > > of any common solutions for doing packet matching based on just part > > of a MAC address on Linux? Failing that, some advice about whether > > th
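The thread above asks how to match only part of a MAC address. As an added example (not something posted in the thread), nftables can AND a payload field with a mask before comparing it, which covers the OUI or any other bit pattern without a custom module or packet-inspecting daemon. The bridge name `br0` and the vendor prefix 00:11:22 are placeholders, and the bitwise form assumes an nft and kernel recent enough to accept `&` on ether addresses; `nft -c -f` on the file will tell you.

```nft
#!/usr/sbin/nft -f
# Added example for the "part of a MAC address" question.  Assumptions (not from
# the thread): clients sit behind bridge br0, 00:11:22 is a placeholder OUI, and
# the nft/kernel in use accept bitwise operations on ether addresses.
# Check with:  nft -c -f this-file

table bridge macfilter {
    chain forward {
        type filter hook forward priority filter; policy accept;
        # top three octets == 00:11:22, i.e. one vendor's prefix
        ether saddr & ff:ff:ff:00:00:00 == 00:11:22:00:00:00 counter drop
        # locally administered bit set (bit 1 of the first octet): typically a
        # randomised address, worth logging rather than blocking outright
        ether saddr & 02:00:00:00:00:00 == 02:00:00:00:00:00 counter log prefix "random-mac: " accept
    }
}
```

Anything a MAC address gives you is advisory at best: the value is set by the client and trivially changed, so treat these rules as housekeeping for a known population of devices, not as authentication.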

Re: [gentoo-user] To all IPv6-slackers among the Gentoo community

2019-11-26 Thread Ralph Seichter
* Adam Carter: > when i enable v6, all my internal hosts become directly routable from > the Internet via the /56 my ISP assigns me. Even pretty anemic hardware can handle the demands of an IPv6 firewall, for example using iptables/nftables. The demands of IPV6-related processing should ac

[gentoo-user] net-analyzer/portsentry

2015-05-24 Thread James
to use to draw up some generic diagrams, a wee bit nicer than dia, would be keen suggestions too. Tripwire vs AIDE? Perhaps an iptables protecting the dmz systems and main gateway (single homed) but a nftables [2] based firewall/gw/router to the internal lan? Note: This is more of a project than

Re: [gentoo-user] new linux router

2015-03-04 Thread Bruce Schultz
seems much has changed. Dansguardian is deprecated? >If I add protection above layer 3, what is the best route (pun >intended) >to protect some winblows systems? And I need the ability to dynamically >block some gaming sites (kids playing too many hours of video). > >Then I read abo

[gentoo-user] Re: new linux router

2015-03-12 Thread Hans
cated? If I add protection above layer 3, what is the best route (pun intended) to protect some winblows systems? And I need the ability to dynamically block some gaming sites (kids playing too many hours of video). Then I read about NFtables... [1] And there is more. So, being a bit busy

Re: [gentoo-user] Compilation problem iptables

2018-10-25 Thread Peter Humphrey
"iptables-1.8.1 build failure". > Seems a dependency is missing in the ebuild. It's been fixed upstream and will be released in due course. Meanwhile, you can put 'net-firewall/iptables nftables' in /etc/portage/package.use, or a file under there if it's a directory. -- Regards, Peter.

Re: [gentoo-user] Compilation problem iptables

2018-10-25 Thread tuxic
pendancies?! > > > > See the thread right next to yours, "iptables-1.8.1 build failure". > > Seems a dependency is missing in the ebuild. > > It's been fixed upstream and will be released in due course. Meanwhile, you > can put 'net-firewall/iptables

[gentoo-user] Re: Configure sshd to listen on specific interfaces?

2020-08-27 Thread Grant Edwards
t's the case. > You can, however, work around this in a rather unusual way via > ip/nftables and DNAT. Thanks, I should have known that was a problem that could be solved with netfilter. After all, netfilter is apparently Turing-complete: http://sgros.blogspot.com/2011/09/implementing-turing-machine-using.html -- Grant

Re: [gentoo-user] [okey..] [OT] Best *SIMPLE* firewall?

2018-02-28 Thread Nils Freydank
n 90% > of QT as dependencies. I fondly remember IPCHAINS. Personally I like nftables (the iptables successor) more. Mostly the same, but in my eyes it's more convenient. There are plenty of frontends, many of them in net-firewall/ in our tree ;) (I tried to use ufw some years ago, but I

Re: [gentoo-user] Choosing between system profiles: hardened and desktop for desktop installation.

2017-07-05 Thread james
haps there is a gentoo wiki page that at least outlines the manual processes (a structured approach) as users go down the pathway of stripping out what their workstation does not need in a kernel? Perhaps someone has a slick, home-spun, tool that readily identifies what can be additionally strippe

Re: [gentoo-user] To all IPv6-slackers among the Gentoo community

2019-11-28 Thread Wols Lists
On 26/11/19 23:56, Ralph Seichter wrote: > * Adam Carter: > >> when i enable v6, all my internal hosts become directly routable from >> the Internet via the /56 my ISP assigns me. > > Even pretty anemic hardware can handle the demands of an IPv6 firewall, > for exam
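For the /56 case Adam describes, and Ralph's point that the filtering itself costs little, an added example that is not anything posted in the thread: a stateful IPv6 forward filter for the router, so the internal hosts keep global addresses but cannot be reached unsolicited. It assumes a WAN interface `ppp0`, a LAN interface `br0`, and the documentation prefix 2001:db8:abcd::/56 standing in for the delegated one.

```nft
#!/usr/sbin/nft -f
# Added example: stateful IPv6 filtering on a router with a delegated /56.
# Assumptions (not from the thread): WAN ppp0, LAN br0, delegated prefix
# 2001:db8:abcd::/56 (RFC 3849 documentation prefix as a placeholder).

define wan    = "ppp0"
define lan    = "br0"
define prefix = 2001:db8:abcd::/56

table ip6 router6 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN -> Internet: only our own prefix may leave (anti-spoofing)
        iifname $lan oifname $wan ip6 saddr $prefix accept
        # Internet -> LAN: the ICMPv6 that connections need even when no flow
        # matches yet; packet-too-big is path MTU discovery, routers never fragment
        iifname $wan oifname $lan icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } limit rate 50/second accept
        # explicit inbound exceptions go here, e.g. one host that really serves SSH:
        # iifname $wan ip6 daddr 2001:db8:abcd:1::22 tcp dport 22 accept
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        # neighbour discovery and router advertisements are link-local and must pass
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, nd-redirect, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
        # DHCPv6 prefix delegation replies from the ISP arrive on the WAN side
        iifname $wan udp dport 546 accept
        # the LAN may manage the router
        iifname $lan accept
    }
}
```

The rule that is most often missing in home-grown IPv6 firewalls is the ICMPv6 one: a filter that silently drops packet-too-big yields connections that open fine and then hang on the first large transfer, which gets blamed on "IPv6 being flaky" rather than on the ruleset.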

Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-20 Thread Victor Ivanov
solution, thank you for sharing. I had completely forgotten the fact that filtering can be done based on UID/GID. For the sake of completeness, here's the equivalent nftables solution for those, such as myself, who may have migrated (exclusively) to nft: table inet filter { chain ou
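Victor's nftables version is cut off in the archive. The following is an added example in the same spirit, not his ruleset: the application runs under a dedicated user, and that user's locally generated packets are refused on the interface it must not use. It assumes the user and group are both named `jailed` and the interface to hide is `wg0`.

```nft
#!/usr/sbin/nft -f
# Added example (not the ruleset Victor posted): keep one application off one
# interface by running it as a dedicated user and rejecting that user's packets
# on that interface.  Assumptions: user and group "jailed", interface wg0.

table inet appfilter {
    chain output {
        type filter hook output priority filter; policy accept;
        # meta skuid/skgid exist only for packets that have a local socket, so
        # this covers traffic the application generates, not forwarded flows.
        # reject (not drop) so the application fails fast instead of timing out.
        oifname "wg0" meta skuid "jailed" counter reject with icmpx type admin-prohibited
        oifname "wg0" meta skgid "jailed" counter reject with icmpx type admin-prohibited
    }
}
```

Start the program as that user (`User=jailed` in a systemd unit, or `su -s /bin/sh jailed -c ...`) and confirm the counters move with `nft list chain inet appfilter output`. Two limits to keep in mind: anything the application does through another process, such as DNS lookups answered by a local resolver daemon running under its own UID, is not caught by a UID match, and a process running as root can simply rewrite the rules.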

Re: [gentoo-user] New profiles 23.0

2024-03-26 Thread Walter Dnes
re proceeding? Oops, also add... net-firewall/iptables-1.8.10:0/1.8.3::gentoo [1.8.9:0/1.8.3::gentoo] USE="(split-usr) -conntrack -netlink -nftables -pcap -static-libs -test%" 627 KiB -- Roses are red Roses are blue Depending on their velocity Relative to you

[gentoo-user] firewall -> kernel hardlock error

2016-07-15 Thread Corbin Bird
ig" to check if changes were needed. Recompiled 3 different times, minor changes, same result. reinstalled iptables, nftables, and ran "perl-cleaner reallyall". Always locks up after rules compiled / starting to initialize iptables. The firewalls tried : arno-iptables-firewall,

[gentoo-user] Re: Profile listings

2015-06-14 Thread James
64 system (a dev board with graphics chip like 96board. I can install gentoo on that with a minimum number of packages. But let's say all I really want is IPtables (or nftables) and ssh. Surely the default profile has more than is needed. So if everything not absolutely was stripped out, it

[gentoo-user] Re: Tails security implemetation

2016-02-17 Thread James
t look very closely. It might be that some of > the 1 - 1.5 year old issues are closed now. LikeWhoa's work did not get disseminated widely for quite a while, so you are not alone in missing persistence with usb and live installs. I'm not sure he is the first, but, his work here at gent

Re: [gentoo-user] New profiles 23.0

2024-03-26 Thread Michael
3.17-r2:0/8::gentoo USE="elogind kill ncurses nls (unicode) -modern-top (-selinux) (-split-usr*) -static-libs - systemd -test" ABI_X86="(64) -32 (-x32)" 0 KiB [ebuild R] sys-apps/shadow-4.14.2:0/4::gentoo USE="acl nls pam xattr - audit -cracklib (-selinux) -skey (-spl

Re: [gentoo-user] What is the best way forward? - Update 2 - SUCCESS! - CURRENT!!!

2021-03-09 Thread smurfd
er a full backup runs tonight. I did end up removing a small list of packages that were blocking emerge in one way or another.  --  I decided that removing them to allow emerge to complete on its own accord was more expedient than fighting them at the time.  I will re-add them as necess

Re: [gentoo-user] What is the best way forward? - Update 2 - SUCCESS! - CURRENT!!!

2021-03-08 Thread Grant Taylor
hat removing them to allow emerge to complete on its own accord was more expedient than fighting them at the time. I will re-add them as necessary. - net-firewall/nftables - net-fs/ncpfs - media-gfx/gimp - dev-python/pycairo - dev-python/fido2 - net-analyzer/scapy - app-crypt/yubi

Re: [gentoo-user] What is the best way forward? - Update 2 - SUCCESS! - CURRENT!!!

2021-03-09 Thread Neil Bothwick
m-%d -d "$(($age - 1)) days ago") $(date > > +%Y-%m-%d -d "$age days ago")) | read hash date time; time git > > checkout -b $date $hash; done > > > > Basically, this command starts at current; `stable`, and finds the > > first (most recent) commit