What can we do about this? The S/N ratio on this list (and some other
debian-* lists) is pretty square on the N side lately.
full moderation? Has it come to that?
solusipinjaman wrote:
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROT
mlists wrote:
> you are acting childish. either shut up or put up.
seconded.
nazi. there. godwin's law.
pad
Nope. Your rule says to allow related,established on port 21. It doesn't
apply to port 20. Add a log rule to see what's being dropped.
You can remove the --sport 21 and just allow in ANY established,related
and that should work.
phil
On 9/1/2007 7:36 AM, Mahdi Rahimi wrote:
> thanks phil
> But
you need to allow port 20 for the data connection.
phil
On 9/1/2007 4:52 AM, Mahdi Rahimi wrote:
> hello
> I have a problem with our clients' outside FTP access via Debian.
> My LAN users can't start data transfer to outside FTP servers, but they
> can establish connection to port 21 on the outside
Leonardo Boselli wrote on 8/24/2007 4:44 PM:
> Your best is not enough for me.
Oucht.
good luck.
--
phil
On 8/11/2007 5:18 PM, Leonardo Boselli wrote:
> Currently i have two small groups of computers, one formed by three
> computer plus guests (portables), connected to an ADSL router
[snip]
> I decided to get a second ADSL link, with the same speed of the first one,
> but with a dynamic address, fr
on 2007-08-02 at 22:49, Ansgar -59cobalt- Wiechers wrote:
> On 2007-08-02 Franck Joncourt wrote:
> > -m state --state NEW --syn rather than --syn
>
> "--syn" is kinda redundant when using "--state NEW". ;)
I think that "--state NEW" is kinda redundant when using "--syn"
would be more accurate.
-
on 2006-08-18 at 11:25, George Borisov wrote:
> Hello,
>
> We have an IPSec VPN link between the UK and South Africa.
> Unfortunately one of the routers upstream from our South Africa
> firewall mangles large packets (e.g. only 2/3 chunks of a 4000
> byte ping will be received.)
[snip]
> Is the
on 2006-08-08 at 21:03, Pascal Hambourg wrote:
> Phil :
> Why are you talking about a built-in target ?
um, whoops. :)
mistake-a) s/built-in/standard/g
mistake-b) replying to things without full knowledge of the answer.
phil
(who is beating himself with a wet noodle right now.)
on 2006-08-08 at 19:49, ??? ?? wrote:
> # iptables -A PREROUTING -t mangle -s 10.0.0.0/8 -j ROUTE --oif eth0
> iptables: No chain/target/match by that name
> #
there is no built-in ROUTE target. Is this a user-space
target you have created?
built-in targets are ACCEPT, REJECT, DROP,
on 2006-05-17 at 10:53, Leonardo Boselli wrote:
> How to avoid these warnings ?
>
> > May 17 05:27:13 student dhcpd: DHCPINFORM from 172.25.9.96 via br1: not
> > authoritative for subnet 128.0.0.0
Not sure how this relates to firewalls, but...
use the authoritative statement in dhcpd.conf
man dh
on 2006-05-01 at 18:30, Leonardo Boselli wrote:
> On Mon, 1 May 2006, Pascal Hambourg wrote:
> I agree with your opinion, however sticking a group of users to a specific
> address would allow administrators to filter on the _other_ end of the
> link, accepting or refusing the connection based on the
on 2006-03-30 at 15:17, Phil Dyer wrote:
>
> somewhere, asynchronous routing, out of order packets, flushing and
s/asynchronous/asymmetric/
--
phil
on 2006-03-30 at 12:25, Vladimir Zolotykh wrote:
> Hi
>
> I'm new both to this mailing list and firewalls.
>
> I set up a simple firewall and SNAT using iptables. All works fine
> except that sometimes I see the following in the /var/log/syslog
>
> Mar 30 08:54:23 dobby kernel: New not syn:IN=
Ouédraogo Boukari said:
> Hello!
> ip_forward has 0 value but it's impossible to turn this value to 1.
what happens when you just
echo "1" > /proc/sys/net/ipv4/ip_forward
--
phil
Maxwillian Miorim said:
> Ops, my English is so bad? Sorry, I'm Brazilian. =P
oh, I understood what you meant. It's just incorrect.
>
> See RFC959 for details: http://www.ietf.org/rfc/rfc0959.txt
I think you should read that rfc and search for 'UDP'. You won't find it
once. Your broken client m
Maxwillian Miorim said:
> FTP traffic pass through ports 20 UDP and 21 TCP.
>
> First one "head" is established with a connection in UDP port 20,
> after this all traffic is exchanged through port 21 TCP.
ummmhuh?
--
phil
Vladimir Konrad said:
>> Just a wild guess, but maybe check your MTU settings.
>
> MTU is 1500 on both eth interfaces...
>
path mtu discovery, maybe?
--
phil
Lars Schimmer said:
> Hi!
>
> I copied an iptables config from a friend over to my router:
> ($IPT = /sbin/iptables)
>
> $IPT -A FORWARD -s ! 111.22.22.128/25 -p tcp --dport 22 -m state --state
> NEW -m recent --set
> $IPT -A FORWARD -p tcp --dport 22 -m state --state NEW -m recent
> --update --
Debs said:
> iptables -t nat -A PREROUTING -d $WAN_IP -p udp --dport 20 -j DNAT
> --to $PUBLIC:21
> iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 20 -j DNAT
> --to $PUBLIC:21
redirecting port 20 to port 21?
>
> BTW is udp necessary..?
no.
Pierre Volcke said:
> hello there,
>
> I'm using iptables and brctl (bridging) to provide
> some transparent firewalling.
>
> the problem is : I cannot see *any* logs from
> iptables into the kernel logs
> (but I know that my INPUT/OUTPUT/FORWARD cha
Shane Machon said:
>
> I suspect my only way around this is to change the interface name of the
> pppoe link from ppp0 to something else like extif, then i can build
> rules specific to that interface knowing that will always be the
> external connect
Martin G.H. Minkler said:
> Alohá all!
[snip]
Going for the shotgun approach with cross-posting, eh. :)
Don't remember having any problems like you've encountered...
Have you tried connecting to the sarge box with another client? Windows
XP, or pop
>> I'd say your firewall is starting up before nfs in your rc scripts, so
>> your NFSPORTS_ARRAY is empty. Try changing the firewall to start up
>> after nfs.
>
>
> ..that would leave it open for a wee while, no?
> I'd rather just rerun the n
David Powell wrote:
> Hello List,
>
> When my LAMP server first fires up it runs a firewall script, but
> doesn't seem to be applying the rules that allow NFS connections. If I
> then rerun the script manually, the NFS connections work again.
>
>
Udo Klein said:
> Thanks Phil,
>
> I've now allowed dhcp in from the ISP and it works. Can I ask you one
> more question: is it possible to direct the ipchains log to a file other
> than /var/log/kern.log (e.g. /var/log/ipchains.log), so that kern.l
Udo Klein said:
> Hi everybody,
>
> I connect to my ISP provider via a cable modem (dhclient gets the
> dynamic IP address). A few weeks ago I installed an (ipchains) firewall,
> which basically denies all requests from outside (I checked this by
>
I swear, I'm on about 15 lists, and debian-firewall is the *only* one
where I get unsubscribe posts to the list.
One more beer and I'm gonna get jiggy and reply. :)
Sorry for the OT post, everybody.
--
/phil
Phil Dyer wrote:
> NN_il_Confusionario wrote:
>> perhaps one could mark with iptables the local packets to be source
>> natted and then source nat the marked packets with ip route
>>
>
> I don't think that iptable
NN_il_Confusionario wrote:
> perhaps one could mark with iptables the local packets to be source
> natted and then source nat the marked packets with ip route
>
I don't think that iptables alone can do it. I'm thinking this is the
road to look down,
Mike Mestnik wrote:
> conn rnet-lnet
> left=1.2.3.4
> leftsubnet=172.27.27.0/24
> leftnexthop=1.2.3.1
> right=9.8.7.6
> rightsubnet=192.168.1.0/24
> authby=secret
> auto=start
>
> Yes, this works.
>
>
> conn rnet-lserver
>l
Chavdar Videff said:
> The reason why we do this is because the Cisco router is maintained by our
> ISP
> and it is configured for the entire LAN. I cannot touch there. And I cannot
> change the LAN address space because there are servers accessed
Blars Blarson wrote:
> In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
>
>> I'm using a pseudo-bridge setup with proxy_arp. I haven't had any
>> problems at all. My setup causes me to lose 2 ip addresses for each
>> interface, but...
er.. I mea
Theodore Knab said:
> Hi,
>
> Does anyone have some transparent bridge iptables rules that I could use as
> an example ?
>
> I have a Debian Sarge box running the 2.6.10 kernel that is acting as a
> transparent bridge.
>
> Currently, it is using E
R.M. Evers said:
> thanks, didn't know this approach. but i don't think it will help in
> this case, since there is no 'real' left subnet :-)
> thanks for the tips! if you can think of anything that might help, or
> maybe a configuration that better s
R.M. Evers said:
>
> ok, when i ping from eth1, i get a "bad interface address 'eth1'" error,
> probably because eth1 is not connected..
Shouldn't make a difference as long as the interface is up.
ifup eth1
try ping -I 172.27.27.1 192.168.1.x
--
R.M. Evers said:
> i'm having some problems implementing a vpn configuration, and i'm
> hoping you guys could help me out here. we are hosting a debian sarge
> server for one of our customers, and they need to communicate with this
> server over the in
martin f krafft said:
> also sprach Phil Dyer <[EMAIL PROTECTED]> [2005.03.15.1512 +0100]:
>> for INPUT, lose the conntrack.
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> why?
>
Actually, good question
martin f krafft said:
>
> Here are the relevant rules:
>
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate INVALID -j DROP
>
> -A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefi
Collins, Kevin said:
> UNKNOWN: Mar 3 00:05:34 localhost pluto[2851]: "ltoh" #556: received Delete
> SA payload: deleting ISAKMP State #556
>
> While everything is working, I'm concerned that these entries mean that
> something "just isn't right".
Manfred Sampl said:
> Is there a gui tool that is able to set up a firewall rule set on a remote
> computer or write a bash script? I had a quick look at knetfilter and
> firestarter, but that isn't really what I need. Shorewall is somehow nice,
> but wouldn't that be a step back for me?
>
che
Manfred Sampl said:
> Hi,
>
> My input ruleset doesn't work as it should... I'm using woody /
> netfilter on 2.4.27 (debian kernel I think) for doing the routing on a
> DSL connection.
>
> I can't reach ssh on the external interface.
>
> What is wro
S. C. wrote:
> My machine's eth0 is 192.168.8.50
>
> modprobe iptable_nat
> echo "1">/proc/sys/net/ipv4/ip_forward
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to
> 192.168.8.55:80
>
I'm a bit confused. At first I assumed tha
Guillaume Lécroart wrote:
> Hi,
>
> The problem here is how to identify the IPSec traffic. I implemented
> this long ago, where IPSec traffic would come out of a "ipsecxxx"
> interface, which was really easy for adding a '-i ipsecxxx' iptable rule.
g for r00tkits on your box...
/phil
Alexandru Stefan-Voicu said:
> On Mon, 31 Jan 2005 10:54:02 -0500, Phil Dyer <[EMAIL PROTECTED]> wrote:
>
>> Are you using the -p switch to tcpdump? That will take it out of
>> promiscuous mode, and you'll only see traffic dest
Alexandru Stefan-Voicu said:
> No, there's no switched network. Eth0 is the network adapter tied to
> the
> internet cable modem, behind eth0 is a Linux router, which also has an
> eth1 internal interface. So "behind" eth0 is eth1 and linked to that is a
> Windows 2000 workstation.
>
Mark Strasheim wrote:
> Aloha
>
> i have a single interface and do the following iptables commands
> everything works as it should ( there are some more services with UDP )
>
> iptables -N allowed
> iptables -A allowed -j ACCEPT
> iptables -A INPUT -p
jorge salamero wrote:
> hi all,
>
> i've a working firewall doing nat at my home network. i think that's not good
> enough.
> i've found new and interesting ideas reading the many iptables scripts found
> over the net, but all of them are thought for single host protection.
> could anyone point me
Mike Mestnik wrote:
>> mac address changes at every hop. The mac is *always* going to be your
> Assuming you could, do the impossible and, find out what the original mac
> was. (We seem to agree) You can't send a pkt to a mac address not on your
> local network.
I can only deal with the possible.
Mike Mestnik wrote:
>> My point is: how do you send packets back to the sender if the packet
>> came in on a connected interface that does not host the network that it
> The packet came in. There should be a MAC(ethernet) address that it came
> from.
mac address changes at every hop. The mac is
itimately) either.
Name me some broadcast traffic that a stub net receives that is anything
more than noise from netbios, or dhcp or similar.
--
+==
+ Phil Dyer
+ email: [EMAIL PROTECTED]
+==
Ansgar -59cobalt- Wiechers said:
>> Also applies to more than icmp. Wrong interface? -- drop.
>
> REJECT, not DROP.
>
If I get a packet from the 'net that tries to tell me it's coming from
an ip that is connected to me via a different interface than where it
came in on[1], then I'm assuming spoof
ach DROP)
>
> There are many more but these are at the top of my list. If we can get a
> good list going I'd like to add this to the WiKi. Also I'd be nice to
> know
> which of the above are caught by --state INVALID.
Timothy Earl said:
> Hello all,
>
> I am having a little trouble understanding the differences between Firewall
> / Proxy activity on internal / external nets. For example I read recently
> out of a book I am going through, that one should reconsider blocking all
> ICMP traffic for reasons related
54 matches