[Sheflug] Firewalling - BSD and iptables
Excuse the lack of wrapping and prefixing - I've had to copy this from a
telnet session :-)
This is a bit of a pointless email - I've pretty much answered every question
as "erm...need to RTFM".
I'll read the scripts I wrote a few months back and look at the docs again,
and I'll then try and answer the questions a little better later.
Chris wrote:
> What is defined as an invalid packet though? (no I can't be asked to go and
> look :-) ).
Stupid flags on packets (i.e. combos of SYN, FIN, ACK etc that shouldn't
exist), and strange addresses and the like IIRC. I'd have to go look up a
definition too, I'm afraid.
> > Logging is another target:
> > iptables [conditions] -j LOG
> Now that I didn't understand when I saw it the first time. Being able to say:
> "pass in log quick on ..." seems to make much more sense than increasing the
> ruleset by having to add yet more rules for logging. Yes, this could end up
> logging every packet, but if I add the "log" keyword to the complete rule I
> added above, it will only log the first incoming packet (i.e., the first SYN)
> before the "keep state" part tracks the rest of the connection.
What's the 'log quick' bit, if it's not logging? I'm confused.
I generally use a LOG rule with the added --limit option to prevent flooding
the logs (or at least having too much to read :-) at the end of a chain -
you're right there are extra rules to allow logging, but I have a suspicion
there might be another way of doing it in one rule.
> Another quick question as I've not looked. How does iptables manage NAT?
There is a "nat" table, with three default rules - prerouting, mangle and
postrouting.
This is another thing I'd have to RTFM on to give you a good answer - it's
been several months since I last looked at it, and I don't have a firewall
script to hand to refresh my memory. Rusty's Unreliable guides at
netfilter.samba.org is the place to look. Fairly terse and useful docs.
Cheers.
Baz.
--
Barrie J. Bremner OpenPGP public key ID: 5164F553
TheEnglishman [at] ecosse.net http://barriebremner.com/
"Linux? Is that some kind of MacOS?"
-- BT technical support
___________________________________________________________________
Sheffield Linux User's Group - http://www.sheflug.co.uk .
To unsubscribe from this list send mail to
shef-lug-request@list.sheflug.org.uk with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.
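As an added example (not code from Baz's or Chris's mails), an iptables INPUT chain in the shape Baz describes: conntrack passes the rest of a tracked connection so only the first SYN of a new connection is ever evaluated by the later rules, INVALID packets are dropped silently, and one rate-limited LOG rule sits at the end of the chain just before the DROP policy applies. It assumes SSH on port 22 is the only public service; IPT=echo prints the commands instead of applying them, and APPLY=yes applies them for real.

```shell
#!/bin/sh
# IPT defaults to the real iptables binary; set IPT=echo for a dry run.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"   # assumption: ssh is the only service offered

firewall_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Packets of an already-tracked connection are accepted here, so they
    # never reach the LOG rule: only the first SYN of a new connection does.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # INVALID is what conntrack calls packets it cannot tie to any
    # connection (bad flag combinations and the like); drop them quietly.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # LOG does not terminate the chain: the packet goes on to the chain
    # policy (DROP). --limit caps the log to 5 lines/min after a burst of 10.
    $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 \
         -j LOG --log-prefix "INPUT-DROP: " --log-level 4
}

# Number of rules the function appends to INPUT (checked via a dry run).
rule_count() {
    ( IPT=echo; firewall_rules ) | grep -c -- '-A INPUT'
}

# Only touch the live ruleset when explicitly asked to.
if [ "${APPLY:-no}" = yes ]; then
    firewall_rules
fi
```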