
Re: [Sheflug] Firewalling - BSD and iptables



> This is a bit of a pointless email - I've pretty much answered every
> question as "erm...need to RTFM".
> I'll read the scripts I wrote a few months back and look at the docs
> again, and I'll then try and answer the questions a little better later.

I'll probably do summat similar once I'm home so can do checking on my box :)

>
> Chris wrote:
>
>> What is defined as an invalid packet though? (no I can't be asked to go
>> and
> look :-) ).
>
> Stupid flags on packets (i.e. combos of SYN, FIN, ACK etc that shouldn't
> exist), and strange addresses and the like IIRC. I'd have to go look up a
>  definition too, I'm afraid.
>

Ah right. With OpenBSD you can put checks on any TCP flags ... any
combination of, I think. Need to check for certain :)


>> > Logging is another target:
>> > iptables [conditions] -j LOG
>
>> Now that I didn't understand when I saw it first time. Being able to
>> say:
>
>>"pass in log quick on ..." seems to make much more sense than increasing
>>the
> ruleset by having to add yet more rules for logging. Yes, this could end
> up logging every packet, but if I add the "log" keyword to the complete
> rule I added above, it will only log the first incoming packet (ie, the
> first SYN) before the "keep state" part tracks the rest of the
> connection.
>
> What's the 'log quick' bit, if it's not logging?

"log" means, well, log ... "quick" isn't related to logging but basically
says "if this rule matches, come out of the rules now and don't check any
following ones". Open's firewall is "last matching rule wins", therefore
specifying "quick" gives a path out, and means you don't have to think very
hard and worry about any following rules causing a match and creating a
security hole. I use it pretty much out of habit these days which is why it
made it there. Hence "pass in log on ..." is equally valid.

> I'm confused.
> I generally use a LOG rule with the added --limit option to prevent
> flooding the logs (or at least having too much to read :-) at the end of
> a chain - you're right there are extra rules to allow logging, but I
> have a suspicion there might be another way of doing it in one rule.
>

I think there's a similar thing to --limit in Open...again need to check.

>>Another quick question as I've not looked. How does iptables manage NAT?
>
> There is a "nat" table, with three default rules - prerouting, mangle and
> postrouting.
> This is another thing I'd have to RTFM on to give you a good answer -
> it's been several months since I last looked at it, and I don't have a
> firewall script to hand to refresh my memory. Rusty's Unreliable guides
> at netfilter.samba.org is the place to look. Fairly terse and useful
> docs.
>

I might have a scan when I get home then (or when I get bored) :)

One thing to bear in mind ... OpenBSD's firewalling is slightly different to
FreeBSD (from what little I remember). There is no generic "BSD"
firewall...whilst there are similarities, there is a chance they can't be
copied back and forth...again, I'd need to read to confirm this for certain.

Chris...

-- 
\ Chris Johnson           \  "If not for me then, do it for yourself. If not
 \ cej [at] nccnet.co.uk        \  for then do it for the world." -- Stevie Nicks
  \ www.nccnet.co.uk/~cej/  ~-----------------------------------------+
   \ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____



___________________________________________________________________

Sheffield Linux User's Group - http://www.sheflug.co.uk . 
To unsubscribe from this list send mail to 
shef-lug-request@list.sheflug.org.uk with the word
"unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.