Re: Blocking Nimda attempts (was [blank])

2002-12-02 Thread Jeff Bonner
. For particularly troublesome boxen, I just drop all their traffic via the IP. HTH, Jeff Bonner

Re: Firewall/Router for Sharing a Cable Modem Connection

2002-11-15 Thread Jeff Bonner
2.4/netfilter, however not for ICQ. If you examine the code I have in my script, it might give you some ideas on how to compensate for these shortcomings. AFAIK you basically have three choices: settle for partial ability the way I've done it; run a full-blown SOCKS proxy; or use some mini-proxy like ReAIM. HTH, Jeff Bonner

RE: script init

2002-06-05 Thread Jeff Bonner
> -Original Message- > From: Olaf Meeuwissen > Sent: Wednesday, June 05, 2002 7:23 PM > CC: debian-firewall@lists.debian.org > To: Jeff Bonner > Subject: Re: script init > > > For now, don't add it to runlevel 0, 1 or 6, which equate to "halt"

RE: script init

2002-06-05 Thread Jeff Bonner
> -Original Message- > From: sim ton [mailto:[EMAIL PROTECTED] > Sent: Wednesday, June 05, 2002 5:20 AM > To: debian > Subject: script init > > so my firewall is almost good :) > but i want to init it at any reboot ... > i've heard of iptables-save and i used it but i don't really > know

RE: rp_filter (was: `attacks')

2002-06-04 Thread Jeff Bonner
Same file in the source. Aha, that would explain it... I knew I had seen it somewhere. ;) Thanks, Jeff Bonner -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

RE: rp_filter (was: `attacks')

2002-06-04 Thread Jeff Bonner
t in question -- I seem to recall reading that 1 was reverse path, and 2 was some kind of additional check. That was months ago so I could be entirely wrong. Incidentally, would you care to review the rest of my script for correctness? ;) I have solicited folks on the debian-firewall and netfilt

RE: attacks

2002-06-04 Thread Jeff Bonner
"2" be better? What would be the implications of using it, more overhead? > > Anyway, what I would do is block TCP & UDP 0-19. This tosses > > What I would do instead is to set your default policy to DROP Yeah, forgot to mention that the first time around. ;) Je

RE: attacks

2002-06-04 Thread Jeff Bonner
eed to get through. This could even be extended to include FORWARD and OUTPUT if you're particularly concerned. Jeff Bonner

RE: attacks

2002-06-04 Thread Jeff Bonner
-A INPUT -i eth0 -p udp --dport 0:19 -j DROP I specified the interface, just in case netstat somehow may get blocked on the internal machines or the localhost... this may not be necessary and you can experiment accordingly. HTH, Jeff Bonner

IM file transfers with iptables

2002-02-23 Thread Jeff Bonner
working is with a kernel module, but it's my understanding that one has not yet been written (or ported from 2.2) for this purpose. Can anyone supply me with a working snippet of code? Thanks in advance, Jeff Bonner Royal Oak MI USA PGP Key ID = 0x25ED7C88 Fingerprint = 1E3F 468D 8AA2 37A9

iptables: SNAT vs MASQUERADE

2002-02-08 Thread Jeff Bonner
s it? Will a 486/66 with 24MB be enough for 5 LAN users? 3) Are there any security implications using MASQUERADE instead of SNAT (less/more secure)? Thanks in advance, Jeff Bonner

RE: Searching for an appropriate iptables script

2002-02-08 Thread Jeff Bonner
ing it myself) and they have given me additional ideas. Thanks! Jeff Bonner

RE: Searching for an appropriate iptables script

2002-02-08 Thread Jeff Bonner
located right next to this one, where I could immediately make changes and observe results. Perhaps in the near future I can run a dial-up for that purpose, though. Jeff Bonner

Searching for an appropriate iptables script

2002-02-07 Thread Jeff Bonner
I'm replacing my current ipchains-based firewall, which serves a small internal LAN of 3 machines, with one that runs iptables/netfilter. Since I offer no services (yet), the goal is to make this IP address invisible to port scans and other grotesques from the internet, while interfering as little