Re: ssh connection survives reboot of stateful iptables router

2006-07-05 Thread martin f krafft
ot; due to a bug > > - the universe folds in on itself > > > >Are there any other ones I am overlooking? > > How about "One rule fails to load for obscure reasons." ? iptables-restore, which is what I used, fortunately uses a transaction to commit new rules. -- Ple

Re: ssh connection survives reboot of stateful iptables router

2006-07-04 Thread martin f krafft
ones I am overlooking? -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer and author: http://debiansystem.info `. `'` `- Debian - when you have better things to do th

Re: ssh connection survives reboot of stateful iptables router

2006-07-04 Thread martin f krafft
yn accept --dport ssh drop ? Thanks guys for your patience. ... and I thought I had moderately understood this stuff.

Re: ssh connection survives reboot of stateful iptables router

2006-07-04 Thread martin f krafft
ck --ctstate NEW -p tcp --syn --dport 22 -j ACCEPT

Okay. So a good way to do this would be:

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -p tcp --syn -j open-tcp-ports
-A INPUT -m conntrack --ctstate NEW -p udp -j open-udp-ports
-A open-tcp

Re: ssh connection survives reboot of stateful iptables router

2006-07-04 Thread martin f krafft

Re: ssh connection survives reboot of stateful iptables router

2006-07-04 Thread martin f krafft
ESTABLISHED or RELATED, but does not have the SYN bit set cannot be identified and thus has no state. I seem to recall it was actually an iptables developer who told me that INVALID = ALL - (ESTABLISHED + RELATED + NEW).

Re: ssh connection survives reboot of stateful iptables router

2006-07-04 Thread martin f krafft
The FAQ does say it's "after a failover" only, but no mention over how long. So, NetBSD... one step closer...

Re: ssh connection survives reboot of stateful iptables router

2006-07-04 Thread martin f krafft

ssh connection survives reboot of stateful iptables router

2006-07-03 Thread martin f krafft
ction persist? Is there some Linux magic going on?
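An added illustration for this thread, written for this page and not taken from the thread or from netfilter: a small Python model of connection tracking plus the chain layout discussed above (accept RELATED/ESTABLISHED, accept NEW only for a TCP SYN to an open port, drop the rest). It opens an ssh session, wipes the state table the way a router reboot does, and shows what happens to the next mid-stream packet under each variant of the NEW rule. Assumed for the example: port 22 is the only open port, the addresses are made up, and the `tcp_loose` flag stands in for the kernel's loose TCP pickup sysctl (nf_conntrack_tcp_loose, formerly ip_conntrack_tcp_loose), which is on by default.

```python
"""Toy model of Netfilter connection tracking for the 'ssh connection
survives reboot of stateful iptables router' thread.  Constructed example
code, not kernel or netfilter source.
"""
from dataclasses import dataclass, field

OPEN_TCP_PORTS = {22}   # assumption: ssh is the only offered service


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the initial SYN of a TCP handshake


@dataclass
class Conntrack:
    """Minimal state table keyed by protocol and the unordered socket pair.

    tcp_loose stands in for the kernel's loose TCP pickup (enabled by
    default): a non-SYN TCP packet with no table entry is classified NEW
    instead of INVALID, so a session can be picked up mid-stream.
    RELATED (helper-created expectations) is not modelled.
    """
    tcp_loose: bool = True
    table: set = field(default_factory=set)

    @staticmethod
    def key(p):
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])   # same key in both directions

    def classify(self, p):
        if self.key(p) in self.table:
            return "ESTABLISHED"
        if p.proto != "tcp" or p.syn or self.tcp_loose:
            return "NEW"
        return "INVALID"   # ALL - (ESTABLISHED + RELATED + NEW)

    def confirm(self, p):
        self.table.add(self.key(p))

    def wipe(self):
        self.table.clear()   # what a reboot of the stateful router does


def filter_chain(p, ct, require_syn):
    """Return (ctstate, verdict) for packet p; applies to INPUT or FORWARD.

    require_syn=True  models '--ctstate NEW -p tcp --syn -j open-tcp-ports'
    require_syn=False models '--ctstate NEW -p tcp --dport 22 -j ACCEPT'
    """
    state = ct.classify(p)
    if state in ("ESTABLISHED", "RELATED"):
        verdict = "ACCEPT"
    elif (state == "NEW" and p.proto == "tcp" and p.dport in OPEN_TCP_PORTS
          and (p.syn or not require_syn)):
        verdict = "ACCEPT"
    else:
        verdict = "DROP"   # chain policy: everything else, INVALID included
    if verdict == "ACCEPT":
        ct.confirm(p)      # only accepted packets create a state entry
    return state, verdict


def ssh_session_after_reboot(require_syn, tcp_loose=True):
    """Open an ssh session, reboot the router, send one more data packet.

    Returns (ctstate, verdict) for the packet arriving after the reboot.
    """
    ct = Conntrack(tcp_loose=tcp_loose)
    syn = Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 22, syn=True)
    data = Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 22)
    assert filter_chain(syn, ct, require_syn) == ("NEW", "ACCEPT")
    assert filter_chain(data, ct, require_syn) == ("ESTABLISHED", "ACCEPT")
    ct.wipe()                       # router reboots, state table is gone
    return filter_chain(data, ct, require_syn)


if __name__ == "__main__":
    print("NEW without --syn, loose pickup: ", ssh_session_after_reboot(False))
    print("NEW with --syn, loose pickup:    ", ssh_session_after_reboot(True))
    print("NEW with --syn, no loose pickup: ",
          ssh_session_after_reboot(True, tcp_loose=False))
```

The three cases line up with the thread: a NEW rule without --syn combined with the default loose pickup is what lets a mid-stream ACK re-create a state entry after the reboot, which is the "Linux magic" the question asks about; requiring --syn on the NEW rule closes that path, and with loose pickup disabled the packet is INVALID outright. The model ignores RELATED and TCP window tracking.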

Re: problem with recent match

2006-03-13 Thread martin f krafft
also sprach martin f krafft <[EMAIL PROTECTED]> [2006.03.13.1103 +0100]: > I just rebooted one of the affected 32bit machines and the problem > remains... so I guess there are other issues... I sure feel silly now. The blog post mentions the first rollover after 5 minutes, so w

Re: problem with recent match

2006-03-13 Thread martin f krafft
also sprach martin f krafft <[EMAIL PROTECTED]> [2006.03.10.1507 +0100]: > > Sounds like you are experiencing the timer overflow bug in > > ipt_recent. On 32bit machines with HZ at 1000 (the default in 2.6), > > you'll hit the bug after ~25 days of uptime. This coul

Re: problem with recent match

2006-03-10 Thread martin f krafft
write"? > > Patches which don't change any of the functionality (or proc file > system entries) are currently rejected wait, what? Has the netfilter team turned the stable concept around?

Re: problem with recent match

2006-03-10 Thread martin f krafft
're only seeing this on some of your machines. Nice! I'll verify this one of these days. Can I forward your email to the netfilter list?

problem with recent match

2006-03-10 Thread martin f krafft
[I sent this message to the netfilter list two days ago and have not received a reply yet. https://lists.netfilter.org/pipermail/netfilter/2006-March/065082.html ] Hi, I am somewhat baffled by a problem with a bunch of my machines. I use the following rules there to limit SSH brute force attac
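An added example for this thread and for the timer overflow discussion in the replies above (the ~25 days at HZ=1000 on 32-bit, and the first rollover five minutes after boot). It is written for this page and is not the ipt_recent source. It models the recent match as used for SSH brute-force limiting (--set, then --update --seconds N --hitcount M -j DROP) with timestamps kept as 32-bit jiffies, and contrasts a direct timestamp subtraction, which misfires at the counter wrap, with a modulo-2^32 subtraction in the style of the kernel's time_after()/time_before() macros. Assumed values: HZ = 1000, a 60-second window, a hit count of 4, and made-up addresses; the thread does not show the actual rule parameters.

```python
"""Toy model of the iptables recent match with 32-bit jiffies timestamps.
Constructed for this page; not the ipt_recent source.
"""
HZ = 1000
MASK32 = 0xFFFFFFFF
# Linux starts the counter 300 s short of the wrap so that wrap bugs show
# up early; this is the "first rollover after 5 minutes" from the thread.
INITIAL_JIFFIES = (-300 * HZ) & MASK32


def uptime_jiffies(seconds):
    """32-bit jiffies value after `seconds` of uptime."""
    return (INITIAL_JIFFIES + seconds * HZ) & MASK32


def naive_elapsed(now, then):
    """Direct difference: negative (and meaningless) once `now` has wrapped."""
    return now - then


def jiffies_elapsed(now, then):
    """Wrap-safe difference: subtract modulo 2**32 and read as signed 32-bit.
    Correct for intervals under 2**31 ticks, about 24.9 days at HZ = 1000."""
    d = (now - then) & MASK32
    return d - (1 << 32) if d & 0x80000000 else d


class Recent:
    """Per-source list of recent SYN timestamps, as used by the pair
        -m recent --set
        -m recent --update --seconds 60 --hitcount 4 -j DROP
    """

    def __init__(self, seconds, hitcount, elapsed):
        self.window = seconds * HZ
        self.hitcount = hitcount
        self.elapsed = elapsed     # timestamp comparison under test
        self.hits = {}             # src address -> list of jiffies

    def check(self, src, now):
        """Record one SYN from src at jiffies `now`, expire hits outside the
        window, and return DROP once `hitcount` hits fall inside it."""
        hits = self.hits.setdefault(src, [])
        hits.append(now)
        hits[:] = [t for t in hits if self.elapsed(now, t) <= self.window]
        return "DROP" if len(hits) >= self.hitcount else "ACCEPT"


def simulate(elapsed, attempts):
    """Run (src, jiffies) SYN arrivals through the limiter; return verdicts."""
    r = Recent(seconds=60, hitcount=4, elapsed=elapsed)
    return [r.check(src, t) for src, t in attempts]


# Constructed traffic.  A brute forcer hitting port 22 every 5 s, then one
# more try after the window has passed.
ATTACK = [("198.51.100.7", uptime_jiffies(10 + 5 * i)) for i in range(6)]
ATTACK.append(("198.51.100.7", uptime_jiffies(100)))
# A legitimate admin logging in three times just before the 5 minute
# rollover and once more 100 s after it.
LEGIT_ACROSS_WRAP = [("10.0.0.5", uptime_jiffies(s)) for s in (290, 292, 294, 400)]


if __name__ == "__main__":
    for name, fn in (("wrap-safe", jiffies_elapsed), ("naive", naive_elapsed)):
        print(name, "attack:", simulate(fn, ATTACK))
        print(name, "legit across wrap:", simulate(fn, LEGIT_ACROSS_WRAP))
```

Both comparisons throttle the brute forcer identically while the counter is monotonic. After the rollover the naive version never expires the pre-wrap hits, so the legitimate admin is locked out on the fourth login; the modular version expires them correctly. Whether this is the exact shape of the 2006 ipt_recent bug is not something the thread settles; the arithmetic only shows that 2^31 ticks at HZ = 1000 is 24.9 days, the same scale as the ~25 days quoted above.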

Re: answering questions, not asking new ones (was: Stuck in a hell of routing :()

2005-03-29 Thread martin f krafft
also sprach Dave Ewart <[EMAIL PROTECTED]> [2005.03.29.2237 +0200]: > > http://lists.debian.org/debian-firewall/2005/03/msg00074.html > > Yeah, that was me, wasn't it? ;-) It's a small world, no? :)

answering questions, not asking new ones (was: Stuck in a hell of routing :()

2005-03-29 Thread martin f krafft
the "if you give more detail, so will I" line.

Re: Stuck in a hell of routing :(

2005-03-29 Thread martin f krafft
e restrictions, so URL-based arbitration is useful. AFAIK this is done by a number of companies. Let's just get down to answering questions and asking about motivations when we're deadlocked and/or the question is inconsistent, okay?

Re: Stuck in a hell of routing :(

2005-03-29 Thread martin f krafft
ering framework (should be enough).

Re: rewriting source and destination of local packets

2005-03-28 Thread martin f krafft
...] > ..now we're talking. ;o) Communication strategy: > Try to explain _what_ you're trying to do, and _why_, > like you would to some new date's sceptical grandma. I think you should re-read this thread from the beginning.

Re: rewriting source and destination of local packets

2005-03-28 Thread martin f krafft
sons...

Re: rewriting source and destination of local packets

2005-03-28 Thread martin f krafft
also sprach Phil Dyer <[EMAIL PROTECTED]> [2005.03.28.0041 +0200]: > Martin, if/when you do find a solution, I hope you'll summarize to > the list. I find this problem quite interesting... Certainly.

Re: rewriting source and destination of local packets

2005-03-26 Thread martin f krafft
or the reply from squid. What? Maybe we should just forget the details and someone can give me a clear answer to: is it possible to rewrite both source and destination socket in locally generated, outgoing packets, *before* a routing decision is made?

Re: rewriting source and destination of local packets

2005-03-24 Thread martin f krafft
3128 This works. Problem is that the packets arriving at 3128 have the dynamic external IP as source, when they should have 127.0.0.1.

Re: rewriting source and destination of local packets

2005-03-23 Thread martin f krafft

Re: rewriting source and destination of local packets

2005-03-23 Thread martin f krafft
t squid to source IP 127.0.0.1, rather than having to `http_access allow all`, which is surely not what I want.

Re: rewriting source and destination of local packets

2005-03-23 Thread martin f krafft
or firewall building to set up transparent proxying for clients. Note that my question was about local packets in the first place.

Re: rewriting source and destination of local packets

2005-03-23 Thread martin f krafft
wizard" for the same reason that I prefer Debian over other distros.

Re: rewriting source and destination of local packets

2005-03-23 Thread martin f krafft
oxy settings.

Re: rewriting source and destination of local packets

2005-03-23 Thread martin f krafft
also sprach David Schmitt <[EMAIL PROTECTED]> [2005.03.23.1222 +0100]: > try to fwmark the packages when REDIRECTing and use the mark on > POSTROUTING to SNAT too. As I said, POSTROUTING is too late.

rewriting source and destination of local packets

2005-03-23 Thread martin f krafft
riting just fine (using REDIRECT in the OUTPUT chain), but to rewrite the source, I need to use SNAT (I think), which is only valid in POSTROUTING, and by that point in time it's too late. Thanks for any inputs.

Re: DNS replies not RELATED/ESTABLISHED?

2005-03-15 Thread martin f krafft
file. ip_conntrack_expect is the only other one...

Re: DNS replies not RELATED/ESTABLISHED?

2005-03-15 Thread martin f krafft
also sprach Phil Dyer <[EMAIL PROTECTED]> [2005.03.15.1512 +0100]: > for INPUT, lose the conntrack. > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT why? Also, please do not CC me on replies.

Re: DNS replies not RELATED/ESTABLISHED?

2005-03-15 Thread martin f krafft
ngs...

DNS replies not RELATED/ESTABLISHED?

2005-03-15 Thread martin f krafft

Re: iptables-save/restore with dynamic IP

2004-10-21 Thread martin f krafft
ng. Sounds horrible. -- Please do not CC me when replying to lists; I read them! .''`. martin f. krafft <[EMAIL PROTECTED]> : :' :proud Debian developer, admin, and user `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired

Re: iptables-save/restore with dynamic IP

2004-10-21 Thread martin f krafft
ay with just one NIC?

Re: iptables-save/restore with dynamic IP

2004-10-21 Thread martin f krafft
tical > approaches may occur, especially since I want to keep the script as > generic/cross-distro-usable as possible :-) You do know that there are plenty of firewall scripts for iptables already, right?

Re: iptables-save/restore with dynamic IP

2004-10-21 Thread martin f krafft
d > to the iptables script called in /etc/ppp/ip-up by pppd. Why do you care about your IP in the firewall rules? Use interface matching instead!

Re: iptables -A or iptables -I?

2004-10-19 Thread martin f krafft
e inserted element). I am talking about different things. If your insertion requires you to copy all elements, your implementation is wrong.

Re: iptables -A or iptables -I?

2004-10-19 Thread martin f krafft

Re: iptables -A or iptables -I?

2004-10-19 Thread martin f krafft
ist requires modification of n pointers. Inserting to an n-linked list requires modification of 2n pointers.

Re: iptables -A or iptables -I?

2004-10-19 Thread martin f krafft
ter all, appendage is nothing but an insertion at n+1.

Re: port _redirection_ within single machine

2004-08-19 Thread martin f krafft
also sprach Robert Vangel <[EMAIL PROTECTED]> [2004.08.19.0239 +0200]: > It isn't iptables, but you could try the "redir" package. also, the iproute package.

Re: dns firewalls and mx records for internally hosted domains

2004-06-11 Thread martin f krafft
ound a real answer to this question, and I hold the opposite side... even internal users should access the webserver through the official IP.

Re: "Crashing" Firewall

2002-10-09 Thread martin f krafft
also sprach Andrei D. Caraman <[EMAIL PROTECTED]> [2002.10.09.1629 +0200]: > Urs has a 2.2kernel/ipchains masquerading firewall connecting > his home LAN to the world over a DSL line (with pppoe). Now his > provider disconnects every pppoe session that's longer than 24 > hours, most likely to disc

Re: "Crashing" Firewall

2002-10-08 Thread martin f krafft
also sprach Urs Martini <[EMAIL PROTECTED]> [2002.10.08.0129 +0200]: > I got a problem with my new set up firewall: it "crashes" after some time! What's "crashes"? What does it do? > Now before I get into details - is there anyone who's willing > to help myself fixing that problem _personally_?

Re: Virus scan on the fly

2002-10-07 Thread martin f krafft
also sprach Andre Klocke <[EMAIL PROTECTED]> [2002.10.07.1351 +0200]: > I heard of some software that controls the complete traffic via the > firewall and scans everything for viruses. Is such a software free > software or are there only commercial solutions? You can use antivir (www.hbedv.com)

Re: Firewall protects, so what directs?:(may be an easy workaround)

2002-03-20 Thread martin f krafft
also sprach Pedro P Sacristan Sanz <[EMAIL PROTECTED]> [2002.03.20.0847 +0100]: > If you don't want change anything at this time, may be you could use an > easy workaround if you are now using SSH in your firewall and web server: > if you use the "-L" option, you could start a SSH session from your

Re: Blocking SMB

2002-02-26 Thread martin f krafft
also sprach Charlie Grosvenor <[EMAIL PROTECTED]> [2002.02.26.1657 +0100]: > I am trying to block smb going out of my network using the following > rules. why not also block it coming in? i'd leave out the -o ppp0 bit below. then there's nothing that can come in and nothing to go out. > iptab

iptables log-all and limits

2002-02-17 Thread martin f krafft
hi, my iptables config can be reduced to the following example, which lets ssh pass and drops everything else.

iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j LOG

this works perfec

Re: Searching for an appropriate iptables script

2002-02-10 Thread martin f krafft
also sprach Jeff Bonner <[EMAIL PROTECTED]> [2002.02.09.0445 +0100]: > Well, ideally I would understand everything about my firewall, yes. And > writing the script would certainly result in my knowing exactly what it > does. That having been said, I don't want to have the network in a > state of

Re: Searching for an appropriate iptables script

2002-02-08 Thread martin f krafft
also sprach Gareth Bowker <[EMAIL PROTECTED]> [2002.02.07.1017 +0100]: > If you're worried about missing stuff out, you could start with a firewall > that defaults everything to DROP and go from there... good point. any-any-any-DROP is what i call the base firewall. there is *no* argument for a fi

Re: Searching for an appropriate iptables script

2002-02-08 Thread martin f krafft
also sprach Jeff Bonner <[EMAIL PROTECTED]> [2002.02.07.0916 +0100]: > Since I offer no services (yet), the goal is to make this IP address > invisible to port scans and other grotesques from the internet, while > interfering as little as possible with a variety of protocols that the > internal mac

Re: SNAT or MASQUERADE?

2001-12-04 Thread martin f krafft
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2001.12.05 11:32:39+1000]: > I didn't know you couldn't use DNAT if you used Masquerading. Are you > sure? think about it. masquerade is used when you have a single dynamic IP. if you had multiple IPs, then you don't have a dynamic IP connection, which mea

Re: Firewall for IIS using virtual servers?

2001-09-15 Thread Martin F Krafft
also sprach Christian Schlettig (on Sat, 15 Sep 2001 04:51:20PM +0200): > the administrator of my ISP told me that this scenario would not > allow virtual servers on the IIS! I doubt that but would like to ask > someone before setting this up! bollocks. unless the dude can't configure them right.

Re: connections through NAT are disconnected

2001-08-20 Thread Martin F. Krafft
also sprach Tzafrir Cohen (on Mon, 20 Aug 2001 10:40:13AM +0300): > My problem is that TCP connections get disconnected too often. (sometimes: > even after around 10 minutes of inactivity). have a look at the -S option of ipchains: (from ipchains.8:) -S, --set tcp tcpfin udp

Re: Problem pinging the DMZ

2001-07-17 Thread Martin F. Krafft
also sprach Michael Boyd (on Tue, 17 Jul 2001 10:31:30AM +0100): > The firewall uses a dial-up connection ppp0; > The Secure side is connected to eth0 (192.168.1.1); > The DMZ side is connected to eth1 (192.168.1.2); > The webserver is 192.168.1.5; > The Win98 machine is 192.168.1.3; > I havent bui