[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Sheflug] Firewalling - BSD and iptables

To: shef-lug [at] xxxxxxxxxxxxxxxxxxx
Subject: [Sheflug] Firewalling - BSD and iptables
From: Barrie Bremner <xxxxx [at] xxxxxxxxxx>
Date: Fri, 5 Oct 2001 12:53:43 +0100
Envelope-To: <shef-lug [at] list.sheflug.org.uk>
List-Help: <mailto:shef-lug-request [at] list.sheflug.org.uk?subject=help>
List-Id: Sheflug <shef-lug.list.sheflug.org.uk>
List-Post: <mailto:shef-lug [at] list.sheflug.org.uk>
List-Subscribe: <http://community.uklinux.net/mailman/listinfo/shef-lug>,<mailto:shef-lug-request [at] list.sheflug.org.uk?subject=subscribe>
List-Unsubscribe: <http://community.uklinux.net/mailman/listinfo/shef-lug>,<mailto:shef-lug-request [at] list.sheflug.org.uk?subject=unsubscribe>
Reply-To: shef-lug [at] xxxxxxxxxxxxxxxxxxx
Sender: shef-lug-admin [at] xxxxxxxxxxxxxxxxxxx

Excuse the lack of wrapping and prefixing - I've had to copy this from a 
telnet session :-)

This is a bit of a pointless email - I've pretty much answered very question 
as "erm...need to RTFM".
I'll read the scripts I wrote a few months back and look at the docs again, 
and I'll then try and answer the questions a little better later.

Chris wrote:

> What is defined as an invalid packet though? (no I can't be asked to go and 
look :-) ).

Stupid flags on packets (i.e. combos of SYN, FIN, ACK etc that shouldn't 
exist), and strange addresses and the like IIRC. I'd have to go look up a 
definition too, I'm afraid.

> > Logging is another target:
> > iptables [conditions] -j LOG

> Now that I didn't understand when I saw it first time. Being able to say:

>"pass in log quick on ..." seems to make much more sense than increasing the
ruleset by having to add yet more rules for logging. Yes, this could end up
logging every packet, but if I add the "log" keyword to the complete rule I
added above, it will only log the first incoming packet (ie, the first SYN)
before the "keep state" part tracks the rest of the connection.

What's the 'log quick' bit, if it's not logging? I'm confused.
I generally use a LOG rule with the added --limit option to prevent flooding 
the logs (or at least having too much to read :-) at the end of a chain - 
you're right there are extra rules to allow logging, but I have a suspicion 
there might be another way of doing it in one rule.

>Another quick question as I've not looked. How does iptables manage NAT?

There is a "nat" table, with three default rules - prerouting, mangle and 
postrouting.
This is another thing I'd have to RTFM on to give you a good answer - it's 
been several months since I last looked at it, and I don't have a firewall 
script to hand to refresh my memory. Rusty's Unreliable guides at 
netfilter.samba.org is the place to look. Fairly terse and useful docs.

Cheers.

Baz.

--
Barrie J. Bremner         OpenPGP public key ID: 5164F553

TheEnglishman [at] ecosse.net   http://barriebremner.com/

   "Linux? Is that some kind of MacOS?"
      -- BT technical support

___________________________________________________________________

Sheffield Linux User's Group - http://www.sheflug.co.uk . 
To unsubscribe from this list send mail to 
shef-lug-request@list.sheflug.org.uk with the word
"unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.

Follow-Ups:
- Re: [Sheflug] Firewalling - BSD and iptables
  - From: Chris J/#6
- [Sheflug] Firewalling - BSD and iptables
  - From: Barrie Bremner

Prev by Date: Re: [Sheflug] XFree4 config on Woody
Next by Date: Re: [Sheflug] Firewalling - BSD and iptables
Prev by thread: Re: [Sheflug] XFree4 config on Woody
Next by thread: Re: [Sheflug] Firewalling - BSD and iptables
Index(es):
- Date
- Thread