Re: apache being bombarded

2002-03-14 Thread Rodrigo Barbosa

Okay, I got your point. Just to clarify it, in case some other reader didn't
get it.

iptables -A -> will add to the end of the chain
iptables -I (without rulenum) -> will add as the first entry on the chain

I just looked at the summary of the manpage, where it states:

   iptables -[RI] chain rulenum rule-specification [options]

And not 

   iptables -[RI] chain [rulenum] rule-specification [options]

Maybe an update of the manpage is in order ?

On Wed, Mar 13, 2002 at 02:12:48PM -0300, Mauricio Pretto wrote:
> The rulenum is optional.
> Rodrigo Barbosa wrote:
> >On Mon, Mar 11, 2002 at 10:09:31AM +0100, Christian Gothe wrote:
> >>Geert Hauwaerts writes: 
> >>
> >>>Add them in your firewall 
> >>>iptables -A INPUT -i eth0 -s THERE_IP -j DROP 
> >>>
> >>iptables -I INPUT -i eth0 -s THERE_IP -j DROP is the better choice in 
> >>most iptables firewalls. 
> >
> >Hummm, as far as I remember, -I requires a rulenum parameter.
> >Maybe you mean:
> >
> >iptables -I INPUT 1 -i eth0 -s THERE_IP -j DROP

-- 
 Rodrigo Barbosa   - rodrigob at tisbrasil.com.br
 TIS   - Belo Horizonte, MG, Brazil
 "Quis custodiet ipsos custodes?"  - http://www.tisbrasil.com.br/
 Brainbench Certified -> Transcript ID #3332104
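The thread's point is that an appended rule (-A) lands at the end of the chain, after whatever ACCEPT rules are already there, while -I puts it at the head (rulenum defaulting to 1), so the DROP is evaluated first. The following simulator is an added example written for this archive page, not code from the list or from the iptables project: it parses the `iptables -A|-I chain [rulenum] -s ... -j ...` command shapes used in the thread into a chain model and evaluates a packet with netfilter's first-match semantics. The interface match (-i) is parsed but ignored, and all addresses are constructed documentation addresses.

```python
"""Simulator of first-match chain semantics for `iptables -A` vs `iptables -I`.
Written for this example; it is not iptables and touches no real firewall."""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass


@dataclass
class Rule:
    source: ipaddress.IPv4Network | ipaddress.IPv6Network | None  # None = any
    target: str


def _parse_rule_spec(tokens):
    """Parse the subset of rule-specification seen in the thread: -i, -s, -j."""
    source = None
    target = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-s":
            source = ipaddress.ip_network(tokens[i + 1], strict=False)
            i += 2
        elif tok == "-j":
            target = tokens[i + 1]
            i += 2
        elif tok == "-i":
            i += 2  # interface match is accepted but ignored by this simulator
        else:
            raise ValueError(f"unsupported token {tok!r}")
    if target is None:
        raise ValueError("rule needs a -j target")
    return Rule(source, target)


def apply_command(chains, command):
    """Apply one `iptables -A|-I chain [rulenum] rule-spec` line to the table."""
    tokens = shlex.split(command)
    if tokens[0] != "iptables":
        raise ValueError("expected an iptables command")
    flag, chain, rest = tokens[1], tokens[2], tokens[3:]
    rules = chains.setdefault(chain, [])
    if flag == "-A":
        rules.append(_parse_rule_spec(rest))          # end of chain
    elif flag == "-I":
        rulenum = 1                                    # optional, defaults to head
        if rest and rest[0].isdigit():
            rulenum = int(rest[0])
            rest = rest[1:]
        rules.insert(rulenum - 1, _parse_rule_spec(rest))
    else:
        raise ValueError(f"unsupported flag {flag}")
    return chains


def verdict(chains, chain, src, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    addr = ipaddress.ip_address(src)
    for rule in chains.get(chain, []):
        if rule.source is None or addr in rule.source:
            return rule.target
    return policy


def demo(insert_flag):
    """Constructed firewall: the LAN is already accepted, then one host is
    blocked with either -A or -I. Returns the verdict for that host."""
    chains = {}
    apply_command(chains, "iptables -A INPUT -s 192.0.2.0/24 -j ACCEPT")
    apply_command(chains, f"iptables {insert_flag} INPUT -i eth0 -s 192.0.2.77 -j DROP")
    return verdict(chains, "INPUT", "192.0.2.77")


if __name__ == "__main__":
    print("-A:", demo("-A"))  # DROP appended after the ACCEPT, never reached
    print("-I:", demo("-I"))  # DROP inserted at the head, matched first
```

Run it and the appended DROP never fires because the earlier ACCEPT matches first; the same rule inserted at position 1 blocks the host. That ordering dependency is why an explicit `iptables -L --line-numbers` check of where a block rule actually landed is worth doing after adding it.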




Re: apache being bombarded

2002-03-13 Thread Rodrigo Barbosa

On Mon, Mar 11, 2002 at 10:09:31AM +0100, Christian Gothe wrote:
> Geert Hauwaerts writes: 
> >Add them in your firewall 
> >iptables -A INPUT -i eth0 -s THERE_IP -j DROP 
> 
> iptables -I INPUT -i eth0 -s THERE_IP -j DROP is the better choice in most 
> iptables firewalls. 

Hummm, as far as I remember, -I requires a rulenum parameter.
Maybe you mean:

iptables -I INPUT 1 -i eth0 -s THERE_IP -j DROP


-- 
 Rodrigo Barbosa   - rodrigob at tisbrasil.com.br
 TIS   - Belo Horizonte, MG, Brazil
 "Quis custodiet ipsos custodes?"  - http://www.tisbrasil.com.br/
 Brainbench Certified -> Transcript ID #3332104




Re: Help with ipchains

2002-03-05 Thread Rodrigo Barbosa

Well, that is a hard one. How do we define what is stateful?
It all depends on the definition.
In my point of view, it matches states. How it does it is another
matter entirely.

But maybe that's just me being naive.

On Mon, Mar 04, 2002 at 11:14:36AM -0800, monk wrote:
> No flames, please... But a question.
> I have used ipchains for quite some time, but have never used
> iptables(just started to dig in today). I read somewhere that iptables
> in not actually stateful, that it just looks at some specifics of the
> packet, but that is it. I am a little confused at what I have read, and
> what I hear here. Someone lend a hand?  Meanwhile, I'll keep reading
> the iptables how-to info...Thanks.
> 
> > Excuse me for asking, but why ipchains, when you have iptables
> > available?
> > The non-stateful packet inspection nature of ipchains makes it, in
> > the best
> > cases, tricky to use. And in the worst cases, dangerous. Also, the
> > loss
> > of functionality (compared with iptables) is easily noticed.

-- 
 Rodrigo Barbosa   - rodrigob at tisbrasil.com.br
 TIS   - Belo Horizonte, MG, Brazil
 "Quis custodiet ipsos custodes?"  - http://www.tisbrasil.com.br/
 Brainbench Certified -> Transcript ID #3332104




Re: IPChains PortFowarding

2002-02-28 Thread Rodrigo Barbosa

On Mon, Feb 25, 2002 at 12:57:58PM -0500, [EMAIL PROTECTED] wrote:
> Is it possible to do port-fowarding with ipchains, rather than using
> ipmasqadm, or ipportfw?  I have a firewall running linux 2.4.x kernel, and
> don't want to switch to iptables unless I have to.

No, there is no way to do that with ipchains. You can try rinetd, if you
really don't want to change.

> ipchains works just fine, but switching to iptables would require too much
> downtime.  Unless there is a rc.firewall converter app?

I have seen some of these around, but never tested one.

-- 
 Rodrigo Barbosa   - rodrigob at tisbrasil.com.br
 TIS   - Belo Horizonte, MG, Brazil
 "Quis custodiet ipsos custodes?"  - http://www.tisbrasil.com.br/
 Brainbench Certified -> Transcript ID #3332104




Re: Help with ipchains

2002-02-24 Thread Rodrigo Barbosa

On Thu, Feb 21, 2002 at 07:42:16PM -, Chad wrote:
> Can anyone recommend a good resource for 
> ipchains, ( Very thorough and low level ) for someone 
> who is just learning to use it ?  Meaning an 
> in-depth resource, all switches, arguments etc.. ?? 
> With some good examples ? I am having a little 
> difficulty finding one.

Excuse me for asking, but why ipchains, when you have iptables available?
The non-stateful packet inspection nature of ipchains makes it, in the best
cases, tricky to use. And in the worst cases, dangerous. Also, the loss
of functionality (compared with iptables) is easily noticed.

Anyway, try searching www.linuxdoc.org

[]s

-- 
 Rodrigo Barbosa   - rodrigob at tisbrasil.com.br
 TIS   - Belo Horizonte, MG, Brazil
 "Quis custodiet ipsos custodes?"  - http://www.tisbrasil.com.br/
 Brainbench Certified -> Transcript ID #3332104




Re: disabling port 79

2002-02-24 Thread Rodrigo Barbosa

On Wed, Feb 20, 2002 at 10:55:29AM -0500, Dean Fox wrote:
> I am contemplating to remove/disable finger or port 79 from some
> workstations and/or servers.  Is there any negative impact for doing it?
> Any advice is much appreciated.

Actually, considering that your system probably has a standard finger
daemon, the impact would be positive, not negative.

The finger service used to be very useful in the good old days. But in
today's Internet environment, the information leakage it provides
represents a security problem.

However, the finger protocol (which could not be simpler) still
provides a wide range of possibilities. Specific finger-like daemons
can be used to provide controlled information. Try:

finger @finger.kernel.org

There are also other services that can be implemented. I use finger to
monitor the status of my network, and to provide GPG/PGP public keys.
Of course, I don't use a standard finger daemon, but a little fingerd
daemon I created, yafingerd (shameless plug). Available at sourceforge.

[]s

-- 
 Rodrigo Barbosa   - rodrigob at tisbrasil.com.br
 TIS   - Belo Horizonte, MG, Brazil
 "Quis custodiet ipsos custodes?"  - http://www.tisbrasil.com.br/
 Brainbench Certified -> Transcript ID #3332104
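The post contrasts a stock fingerd, which answers with account and login details, with a purpose-built finger-like daemon that hands out only information the operator chose to publish (network status, public keys). The following is an added example written for this archive page, not yafingerd or any code from the list: a minimal finger-style server on loopback whose only data source is a constructed table of operator-controlled strings, plus the matching client. It follows the RFC 1288 exchange shape (client sends one query line ending in CRLF, server writes its answer and closes) and refuses the two request forms that drive the leakage problem, the empty "list everyone" query and `user@host` forwarding. The status and key text are placeholders, and the port is chosen by the OS rather than 79 so it runs unprivileged.

```python
"""Finger-like service that serves only operator-controlled text, with a client.
Added example for this page; constructed data, runs over loopback."""
import socket
import threading

# Constructed "controlled information". Nothing here is read from /etc/passwd
# or login records, which is what a stock fingerd would expose.
CONTROLLED_INFO = {
    "status": "all monitored hosts up (constructed sample status)\r\n",
    "pgp": "-----BEGIN PGP PUBLIC KEY BLOCK----- (placeholder key text)\r\n",
}
REFUSED = "No such information available.\r\n"


def answer(query: str) -> str:
    """Map one finger query line to a response. The empty query (user listing)
    and user@host (forwarding to another host) are refused outright."""
    q = query.rstrip("\r\n")
    if q.startswith("/W"):          # RFC 1288 verbose flag; adds nothing here
        q = q[2:].lstrip()
    if q == "" or "@" in q:
        return REFUSED
    return CONTROLLED_INFO.get(q.lower(), REFUSED)


def serve_one(conn):
    """Handle one connection: read a single bounded line, reply, close."""
    conn.settimeout(5.0)
    with conn, conn.makefile("rb") as f:
        line = f.readline(512).decode("ascii", "replace")
        conn.sendall(answer(line).encode("ascii"))


def start_server(host="127.0.0.1", port=0):
    """Start the server in a background thread; returns (port, shutdown_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=serve_one, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop.set


def finger(query: str, host="127.0.0.1", port=79, timeout=5.0) -> str:
    """Finger client: send `query` + CRLF, read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


if __name__ == "__main__":
    port, shutdown = start_server()
    try:
        for q in ("status", "pgp", "", "root", "user@elsewhere.example"):
            print(repr(q), "->", finger(q, port=port).strip())
    finally:
        shutdown()
```

The allow-list is the whole design: the daemon cannot leak what it never reads, so swapping a stock fingerd for something like this keeps the useful "finger @host" status channel while closing the user-enumeration path.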




Re: ipchains & iptables together???

2002-01-06 Thread Rodrigo Barbosa

On Wed, Jan 02, 2002 at 10:11:28AM -0800, Octavio / Super wrote:
> Almost everybody answered "no" already. :)
> 
> As a firewall, you should definitely go with iptables. As a NAT, it depends on your
> needs, because there are still a lot of modules for ipchains, and (AFAIK) only the
> FTP is ported to iptables.

That is not quite right.
IPTABLES uses a module called conntrack, which by itself should solve most
of your NAT needs without special tweaks, like ipchains needed.

[]s

-- 
 Rodrigo Barbosa   - rodrigob at tisbrasil.com.br
 TIS   - Belo Horizonte, MG, Brazil
 "Quis custodiet ipsos custodiet?" - http://www.tisbrasil.com.br/




Re: ipchains & iptables together???

2002-01-02 Thread Rodrigo Barbosa

On Sun, Dec 30, 2001 at 06:06:06PM +0100, Michael Gegerfelt wrote:
> I would like to add to that question. I don't believe that you can
> use both of them at the same time because it is two different types
> of firewalls. However, my question is which of them is the better one
> to use? Is there any drawbacks by using one or the other?

Well, I may be a little off on this, so please correct me if I'm wrong.
All I'm writing is based on a presentation I watched with one of the
Netfilter developers (Harald).

If you are using Linux Kernel 2.4, it doesn't matter if you are using
ipchains or iptables. What you are really using is the Netfilter code.
The ipchains and iptables codes are just hooks on the Netfilter code.
So, although the command syntax is the same, the ipchains code changed.

Keeping that in mind, you notice that ipchains only has 3 hooks, while
iptables has 6 hooks (3 on the regular table, and 3 on the nat table).
You have also to consider that iptables provides stateful packet inspection.

All in all, iptables will provide you with a much better interface to
the Netfilter code. And if you are worried about some bug in the code,
just keep in mind that the code is the same. You only use different hooks.
So a bug in the code would affect both interfaces.

All that said, you should definitely use iptables.

-- 
 Rodrigo Barbosa   - rodrigob at tisbrasil.com.br
 TIS   - Belo Horizonte, MG, Brazil
 "Quis custodiet ipsos custodiet?" - http://www.tisbrasil.com.br/