On Tue, May 01, 2007 at 04:50:54PM -0400, [EMAIL PROTECTED] wrote

>   RTFM didn't find anything useful and I know the rules worked before.
> Help.

  For what it's worth, I'm running linux-2.6.20-gentoo-r7 on the Dell.

  I went and did it "the hard way".  I started by commenting out almost
everything.  Then I uncommented one chain at a time until I ran into an
error.  Then I commented out one rule at the end until the error
disappeared.  I found two sets of problems...

1) The working ruleset (on my main machine), starts off with...
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
:DROP_LOG
:ICMP_IN
:PRIVATE
:PRIVATE_LOG
:TCP_IN
:UDP_IN
:UNSOLICITED

  Seems that the latest version does not like my own chains being
declared this way.  I got rid of the first batch of errors by switching
the rules to...
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-F
-X
-N DROP_LOG
-N ICMP_IN
-N PRIVATE
-N PRIVATE_LOG
-N TCP_IN
-N UDP_IN
-N UNSOLICITED

   The final remaining problem is with the 3 statements scattered
through the rules...

-A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m state --state NEW -j UNSOLICITED

   This works on the main system, with a slightly older kernel.  On the
Dell, running 2.6.20-r7, I have a whole bunch of stuff enabled in the
kernel, including...

[*] Network packet filtering framework (Netfilter)  --->
<*> Netfilter Xtables support (required for ip_tables)

Core Netfilter Configuration  --->
<*> Netfilter Xtables support (required for ip_tables)
<*>   "conntrack" connection tracking match support
<*>   "state" match support 

IP: Netfilter Configuration  --->
<*> IP tables support (required for filtering/masq/NAT)
<*>   Packet filtering

   In case someone's wondering... I don't want/need router
functionality.  I don't want/need NATing functionality.  I don't
want/need mangling or QOS or other fancy stuff.  I just want a stinking
firewall.  What is the minimum I need to enable to get the above 3
statements to work?

-- 
Walter Dnes <[EMAIL PROTECTED]> In linux /sbin/init is Job #1
Q. Mr. Gandhi, what do you think of Microsoft security?
A. I think it would be a good idea.
-- 
[EMAIL PROTECTED] mailing list
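The two failures above are both things iptables-restore rejects while parsing the file, before any rule reaches the kernel: a user-defined chain declared as a bare `:NAME` (the restore format expects `:NAME - [0:0]`, or an explicit `-N NAME`), and a rule that appends to or jumps to a chain the table never declared. The script below is an added example, not from the original post or from the iptables project: a small awk-based lint for iptables-restore files that catches exactly these load-time errors offline, so a ruleset can be checked before `iptables-restore` is run as root. The list of standard targets it recognises (ACCEPT, DROP, LOG, REJECT and so on) is an assumption and is meant to be extended; the two rulesets it checks are constructed samples that mirror the shapes quoted in the post.

```shell
#!/bin/sh
# lint_ruleset: sanity-check an iptables-restore file before loading it.
# Added example (not from the original post or the iptables project).
# Catches the parse-time errors iptables-restore reports: bad chain
# declarations, rules on undeclared chains, jumps to unknown targets,
# and tables without a closing COMMIT.

lint_ruleset() {
    # $1: path to a ruleset in iptables-save/iptables-restore format.
    # Prints one line per problem; returns 1 if any problem was found.
    awk '
    BEGIN {
        # Built-in chains carry a real policy; user-defined chains use "-".
        split("INPUT FORWARD OUTPUT PREROUTING POSTROUTING", b, " ")
        for (i in b) builtin[b[i]] = 1
        # Standard targets that are not chains (assumption: extend as needed).
        split("ACCEPT DROP RETURN QUEUE LOG REJECT MASQUERADE SNAT DNAT REDIRECT", t, " ")
        for (i in t) target[t[i]] = 1
        errors = 0; table = ""
    }
    function err(msg) { printf("%s:%d: %s\n", FILENAME, FNR, msg); errors++ }
    /^#/ || /^[ \t]*$/ { next }
    /^\*/ {
        if (table != "") err("table " table " not closed with COMMIT before " $1)
        table = substr($1, 2)
        for (k in known) delete known[k]        # chains are per table
        next
    }
    $1 == "COMMIT" {
        if (table == "") err("COMMIT outside of a table")
        table = ""; next
    }
    table == "" { err("line outside of a *table block"); next }
    /^:/ {
        name = substr($1, 2)
        if (NF < 2) { err("chain " name ": missing policy field (use \"-\" for a user-defined chain)"); next }
        if (name in builtin) {
            if ($2 != "ACCEPT" && $2 != "DROP")
                err("chain " name ": built-in chain needs policy ACCEPT or DROP, got " $2)
        } else if ($2 != "-") {
            err("chain " name ": user-defined chain must use policy \"-\", got " $2)
        }
        if (NF >= 3 && $3 !~ /^\[[0-9]+:[0-9]+\]$/)
            err("chain " name ": malformed counters field " $3 " (expected [pkts:bytes])")
        known[name] = 1; next
    }
    $1 == "-N" { known[$2] = 1; next }
    $1 == "-F" || $1 == "-X" || $1 == "-P" { next }
    $1 == "-A" || $1 == "-I" {
        if (!($2 in known) && !($2 in builtin)) err("rule on undeclared chain " $2)
        for (i = 3; i <= NF; i++) if ($i == "-j" || $i == "-g") {
            j = $(i + 1)
            if (!(j in known) && !(j in target))
                err("jump to " j ": not a standard target and not a chain declared in table " table)
        }
        next
    }
    { err("unrecognised line: " $0) }
    END {
        if (table != "") err("table " table " missing final COMMIT")
        exit (errors > 0)
    }' "$1"
}

# Constructed sample rulesets (temporary files, removed on exit).
tmpdir=$(mktemp -d); trap 'rm -rf "$tmpdir"' EXIT
GOOD_RULES="$tmpdir/good.rules"; BAD_RULES="$tmpdir/bad.rules"

# Well-formed: user chains declared with "-", every jump target declared.
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ICMP_IN - [0:0]
:TCP_IN - [0:0]
:UDP_IN - [0:0]
:UNSOLICITED - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ICMP_IN
-A INPUT -p tcp -j TCP_IN
-A INPUT -p udp -j UDP_IN
-A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m state --state NEW -j UNSOLICITED
-A UNSOLICITED -j DROP
COMMIT
EOF

# Broken in the way the post describes: bare ":NAME" declarations,
# a rule appended to a chain that was never declared, and a jump to one.
cat > "$BAD_RULES" <<'EOF'
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
:DROP_LOG
:UNSOLICITED
-A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
-A INPUT -p tcp -j TCP_IN
COMMIT
EOF

lint_ruleset "$GOOD_RULES" && echo "good.rules: OK"
lint_ruleset "$BAD_RULES" || echo "bad.rules: rejected"
```

The lint only covers what the restore parser checks syntactically. Whether `-m state` itself resolves is a kernel question: the `state` match is a thin wrapper over connection tracking, so the conntrack core has to be built in or loadable as well as the match module, or the rule fails at load with "No chain/target/match by that name" even though the file is well-formed. Current iptables-restore also has a `--test` option that parses and builds the ruleset without committing it, which is the right final check before a real load.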
