#2813: Firewall defects
--------------------+-------------------------------------------------------
 Reporter:  Spinal  |       Owner:  blfs-b...@…                   
     Type:  defect  |      Status:  new                           
 Priority:  normal  |   Milestone:  6.4                           
Component:  BOOK    |     Version:  SVN                           
 Severity:  normal  |    Keywords:                                
--------------------+-------------------------------------------------------

Comment(by Spinal):

 Replying to [comment:1 bdu...@…]:
 > Replying to [ticket:2813 Spinal]:
 > > 1) echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
 > >
 > > '''DOESN'T WORK'''
 > > Probably the best thing we can do is adding this in rc.iptables:
 > > echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
 >
 > It looks like we should add a default everyplace we have an all line,
 but I think the issue is not really relevant in most cases.  It seems that
 it would only apply when adding a wifi card after the system is up and the
 firewall code has run.

 It means only one thing. Read docs. Please :-)

 We don't need to add default everyplace with "all" line.

 I repeat, read docs... (The references are in the ticket itself).

 If you don't want to read docs, just believe me. I know what I say.

 And this... "I think the issue is not really relevant in most cases."...
 This is really hard matter. You think? That's all? No need in checking
 anything, just because you think? Really funny.

 Bdubbs, I really respect you. I know you work hard on the book. But
 all those things... It's not just you.

 --

 P.S. There's one more issue with firewall. Here it is:
 {{{
 iptables -I INPUT -p tcp -m state --state INVALID \
   -j LOG --log-prefix "FIREWALL:INVALID"
 iptables -I INPUT -p tcp -m state --state INVALID -j DROP
 }}}
 It inserts DROP BEFORE (!) LOG. Therefore we never get anything
 about invalid packets in the log. The solution is to substitute
 "iptables -I INPUT -p tcp -m state --state INVALID -j DROP" with
 "iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP".

 P.P.S. Bdubbs, don't resent. ;-)

-- 
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/2813#comment:2>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
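The P.S. above hinges on how `iptables -I` numbers rules: with no rule number it inserts at position 1, so two plain `-I` calls leave the later rule first. The script below is an added illustration, not part of the ticket or the BLFS book: it models that insertion behaviour on a chain held in a shell variable (no live iptables is touched) and shows which target an INVALID packet would reach first under the book's ordering and under the ticket's `-I INPUT 2` fix.

```shell
#!/bin/sh
# Added example: a small model of `iptables -I CHAIN [rulenum] rule`.
# The chain is a newline-separated list of rule strings, first match wins.
CHAIN=""

# insert_rule [rulenum] rule...  -- without rulenum the rule becomes rule 1
# (pushing existing rules down), exactly like `iptables -I` with no position.
insert_rule() {
    pos=1
    case "$1" in
        ''|*[!0-9]*) ;;          # first arg is rule text, not a position
        *) pos=$1; shift ;;      # explicit position, e.g. `-I INPUT 2`
    esac
    rule="$*"
    CHAIN=$(printf '%s\n' "$CHAIN" | awk -v pos="$pos" -v rule="$rule" '
        NF == 0 { next }                 # skip the empty line of a fresh chain
        NR == pos { print rule; done = 1 }
        { print }
        END { if (!done) print rule }')  # position past the end appends
}

# Ordering as in the book's rc.iptables: two `-I INPUT` with no rulenum.
rules_as_in_book() {
    CHAIN=""
    insert_rule '-p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID"'
    insert_rule '-p tcp -m state --state INVALID -j DROP'
    printf '%s\n' "$CHAIN"
}

# Ordering with the ticket's fix: DROP inserted at position 2, after LOG.
rules_fixed() {
    CHAIN=""
    insert_rule '-p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID"'
    insert_rule 2 '-p tcp -m state --state INVALID -j DROP'
    printf '%s\n' "$CHAIN"
}

# first_target CHAINTEXT: the -j target of rule 1, i.e. what an INVALID
# packet hits first (DROP there means the LOG rule is never reached).
first_target() {
    printf '%s\n' "$1" | head -n 1 | sed 's/.*-j \([A-Z]*\).*/\1/'
}

echo "book order, first target: $(first_target "$(rules_as_in_book)")"
echo "fixed order, first target: $(first_target "$(rules_fixed)")"
```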