On Fri, 2003-10-24 at 23:45, Martin Stone Davis wrote:
> If you change your listenport before switching to the new network fork
> (as was recommended), this isn't necessary, right?
>
> -Martin
There is some evidence that it is. Look on your Open Connections page.
>
> On Fri, 2003-10-24 at 23:35, Conrad J. Sabatier wrote:
> On Fri, Oct 24, 2003 at 10:50:13PM -0400, Edward J. Huff wrote:
> > Attached is a firewall script which excludes nodes I suspect are
> > running protocol version 1.46.
>
> Maybe I'm missing something here, but...
>
> If you've done as suggested and changed your listenPort setting for the
> unstable net, and are only allowing connections to *that* port in your
> firewall, then why the need for all of this?
No I didn't change listenPort. That firewall is on a different machine
and I didn't bother to change it. The reason I posted the script is
that I saw on #FreeNet that many people are getting connections from
1.46 nodes even though they _did_ change listenPort. And other people
on #FreeNet cannot change listenPort for various reasons.
Also I wanted to establish that most of the high load was _not_
coming from 1.46 nodes. It isn't. I still have high load.
>
> This is why it's *so* much simpler (and safer) to run a "default-to-deny"
> firewall, only explicitly allowing the traffic you really want.
But you can't tell if the machine is running 1.46 until after it is
connected.
Attached is a better script that blocks only those machines which are
found to be running 1.46. I run this on the machine which runs Fred,
not on the external firewall machine. I fixed it so that it
would co-exist with other firewall rules, although my Freenet machine
doesn't have any other firewall.
-- Ed Huff
#!/bin/bash
# Block peers found running protocol 1.46, on the machine that runs Fred.
# All rules live in a dedicated chain (fn146) so the script co-exists with
# other firewall rules; on a re-run the chain is rebuilt from scratch.
iptables --table filter --delete INPUT -p tcp -j fn146 2>/dev/null
iptables --table filter --flush fn146 2>/dev/null
iptables --table filter --delete-chain fn146 2>/dev/null
iptables --table filter --new-chain fn146
iptables --table filter --insert INPUT 1 -p tcp -j fn146
# fn146-current accumulates every address blocked so far, one per line.
rm -f fn146-current
touch fn146-current
while true; do
  # Fetch the Open Connections page from the local node, keep only lines
  # mentioning 1.46, strip the ":port" suffix and any leading HTML.
  wget -O - 'http://localhost:8888/servlet/nodeinfo/networking/ocm?setLevel=1' 2>/dev/null \
    | grep '1\.46' \
    | sed 's/:.*//; s/.*>//' \
    | sort -u > fn146-updates
  # Entries made only of digits and dots are IP addresses. Skip those already
  # blocked; -x forces a whole-line match so that 1.2.3.4 in the current list
  # does not hide a new 1.2.3.45.
  grep -v '[^0-9.]' fn146-updates \
    | grep '[0-9.]' \
    | grep -v -x -F -f fn146-current > fn146-newip
  # Everything else is a hostname: resolve it and keep only IPv4 answers.
  grep '[^0-9.]' fn146-updates \
    | grep -v ' ' \
    | dig -f - +short \
    | grep '[0-9.]' \
    | grep -v '[^0-9.]' \
    | grep -v -x -F -f fn146-current >> fn146-newip
  echo "New blacklisted IPs:" $(cat fn146-newip)
  for ip in $(cat fn146-newip) ; do
    iptables -t filter -I fn146 -p tcp -s "$ip" -j REJECT --reject-with tcp-reset
    iptables -t filter -I fn146 -p tcp -d "$ip" -j REJECT --reject-with tcp-reset
  done
  cat fn146-newip >> fn146-current
  iptables -t filter --list fn146 -n -v
  sleep 300
done
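As an added example (not from Ed Huff's post or from the Freenet project), the script below exercises the address-extraction and "already blocked" filtering steps of the fn146 loop offline, so they can be checked before anything is handed to iptables. The Open Connections HTML is constructed here, and the assumption that each row puts "address:port" in a table cell with the version string on the same line is mine; the helper names (extract_146_addrs, only_ips, only_names, new_only) are hypothetical.

```shell
#!/bin/bash
# Added example, not from Ed Huff's post or the Freenet project: tests the
# extraction and filtering pipeline of the fn146 script without wget, dig or
# iptables. SAMPLE_OCM is constructed; the real page layout is assumed to put
# "address:port" inside a table cell and the version string on the same line.

SAMPLE_OCM='<tr><td>192.0.2.10:12345</td><td>Fred,0.5,1.46</td></tr>
<tr><td>node.example.net:8000</td><td>Fred,0.5,1.46</td></tr>
<tr><td>192.0.2.100:12345</td><td>Fred,0.5,1.47</td></tr>
<tr><td>198.51.100.7:9000</td><td>Fred,0.5,1.46</td></tr>'

# Same pipeline as the posted script: keep lines mentioning 1.46, drop the
# ":port" suffix and any leading HTML, de-duplicate. Reads stdin.
extract_146_addrs() {
    grep '1\.46' | sed 's/:.*//; s/.*>//' | LC_ALL=C sort -u
}

# Entries made only of digits and dots are IP addresses ...
only_ips() {
    grep -v '[^0-9.]' | grep '[0-9.]'
}

# ... everything else is a hostname that the real script would hand to dig.
only_names() {
    grep '[^0-9.]' | grep -v ' '
}

# Drop candidates already listed in the known-blocked file (argument 1).
# -x forces a whole-line match: -F -f alone is a substring match, so a known
# 192.0.2.1 would silently hide a new 192.0.2.10. An empty known file means
# "nothing blocked yet", so every candidate passes through.
new_only() {
    known="$1"
    if [ -s "$known" ]; then
        grep -v -x -F -f "$known"
    else
        cat
    fi
}

# Stand-alone demo: the IPs the fn146 loop would feed to iptables on its first
# pass over the constructed sample, with one address (constructed) pre-blocked.
known_file=$(mktemp)
printf '192.0.2.1\n' > "$known_file"
printf '%s\n' "$SAMPLE_OCM" | extract_146_addrs | only_ips | new_only "$known_file"
rm -f "$known_file"
```

One caveat worth checking against the real page: the `grep '1\.46'` step is a substring match over the whole row, so any row whose address itself contains "1.46" (a 10.1.46.x peer, say) would be selected regardless of its version. If the page layout places the version in a separate cell, anchoring the pattern to that cell avoids blocking a peer that is not running 1.46.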
_______________________________________________
Devl mailing list
[EMAIL PROTECTED]
http://dodo.freenetproject.org/cgi-bin/mailman/listinfo/devl