On 10/6/07, Peter Smerdon <[EMAIL PROTECTED]> wrote:
> Hello everyone.
>
> What is the preferred method of starting an iptables script at boot time
> on Debian hosts? I have come across two common ways, one with a pre-up
> command that calls the script from /etc/network/int
Peter Smerdon wrote:
Hello everyone.
What is the preferred method of starting an iptables script at boot time
on Debian hosts? I have come across two common ways, one with a pre-up
command that calls the script from /etc/network/interfaces and the other
from dumping the script in one of the
On Sat, Oct 06, 2007 at 08:21:30AM -0400, Peter Smerdon wrote:
> Hello everyone.
>
> What is the preferred method of starting an iptables script at boot time
> on Debian hosts? I have come across two common ways, one with a pre-up
> command that calls the script from /etc/network
Hello!
2007/10/6, Peter Smerdon <[EMAIL PROTECTED]>:
> What is the preferred method of starting an iptables script at boot time
> on Debian hosts? I have come across two common ways, one with a pre-up
> command that calls the script from /etc/network/interfaces and the other
>
Hello everyone.
What is the preferred method of starting an iptables script at boot time
on Debian hosts? I have come across two common ways, one with a pre-up
command that calls the script from /etc/network/interfaces and the other
from dumping the script in one of the /etc/rc*/ directories.
I
So, I can use eth0 for internet use (low traffic) and eth1 (ieee1394) for
transfer use.
My client is connected (with eth0) to a server (192.168.1.100)
But I am not able to configure (maybe iptables) to write rules to do it.
Server:
ppp0 -->internet
eth1 --> lan1
eth2 --> ieee
On Tue, 11 Sep 2007 09:52:12 -0700
David Brodbeck <[EMAIL PROTECTED]> wrote:
>
> On Sep 11, 2007, at 12:11 AM, Christopher Zimmermann wrote:
>
> > As long as I use iptables I was not able to use policies of reject. I
> > even remember the target 'REJECT
David Brodbeck wrote:
>
> On Sep 11, 2007, at 12:11 AM, Christopher Zimmermann wrote:
>
>> As long as I use iptables I was not able to use policies of reject. I
>> even remember the target 'REJECT' being a selectable kernel option.
>> Reject requires
On Sep 11, 2007, at 12:11 AM, Christopher Zimmermann wrote:
As long as I use iptables I was not able to use policies of reject. I
even remember the target 'REJECT' being a selectable kernel option.
Reject requires some ICMP action whereas DROP doesn't.
But be aware that
On Tue, Sep 11, 2007 at 09:11:12AM +0200, Christopher Zimmermann wrote:
> As long as I use iptables I was not able to use policies of reject. I
> even remember the target 'REJECT' being a selectable kernel option.
> Reject requires some ICMP action whereas DROP doesn'
As long as I use iptables I was not able to use policies of reject. I
even remember the target 'REJECT' being a selectable kernel option.
Reject requires some ICMP action whereas DROP doesn't.
> I am just going through my firewall setup and I notice I can no longer
>
On 09/10/2007 04:55 PM, Alex Samad wrote:
Hi
I am just going through my firewall setup and I notice I can no longer
do iptables -P INPUT REJECT
On 9/10/07, Alex Samad <[EMAIL PROTECTED]> wrote:
> Hi
>
> I am just going through my firewall setup and I notice I can no longer
> do iptables -P INPUT REJECT
iptables -P INPUT DROP
I use DROP. I guess it is not a good idea to send ICMP packets back
by default (But I don
through my firewall setup and I notice I can no longer
do iptables -P INPUT REJECT
Hi
I am just going through my firewall setup and I notice I can no longer do
iptables -P INPUT
Michael Pobega <[EMAIL PROTECTED]> writes:
> # Generated by iptables-save v1.3.6 on Mon Jun 18 09:55:18 2007
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [35639:3072343]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i
On Thu, Aug 30, 2007 at 12:25:25AM -0400, Michael Pobega wrote:
> Currently I'm using iptables as my main firewall, and I'm having no
> trouble with it whatsoever. But lately (Since college has started) I've
> been connecting to a lot more networks, with more peers connec
On 8/30/07, Michael Pobega <[EMAIL PROTECTED]> wrote:
> [...]
> I'm hoping some seasoned Debian sysadmins out there can help me by
> advising me on how to better setup iptables...My current setup is:
quite some info you can find here
Securing Debian howto
http://www.de
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Currently I'm using iptables as my main firewall, and I'm having no
trouble with it whatsoever. But lately (Since college has started) I've
been connecting to a lot more networks, with more peers connected. I'm
worried about someb
h1 for the internal network and eth2 for the DSL modem.
> >>
> >>I set up iptables with firewall-builder and all seems OK, but I can only
> >>ever access the web interface on the DSL modem from the gateway server
> >>directly after downing the internal network o
Andrew Sackville-West on 25/06/07 04:27, wrote:
On Sat, Jun 23, 2007 at 08:35:09PM +0100, Adam Hardy wrote:
I have set up a network for our house using a gateway server with etch and
two NICs, eth1 for the internal network and eth2 for the DSL modem.
I set up iptables with firewall-builder
On Sat, Jun 23, 2007 at 08:35:09PM +0100, Adam Hardy wrote:
> I have set up a network for our house using a gateway server with etch and
> two NICs, eth1 for the internal network and eth2 for the DSL modem.
>
> I set up iptables with firewall-builder and all seems OK, but I can
I have set up a network for our house using a gateway server with etch and two
NICs, eth1 for the internal network and eth2 for the DSL modem.
I set up iptables with firewall-builder and all seems OK, but I can only ever
access the web interface on the DSL modem from the gateway server
Hi Ann,
On 6/13/07, ann kok <[EMAIL PROTECTED]> wrote
I just installed new debian.
but it seems there is no iptables in the default installation
how can I install it?
I have used Guarddog to config my iptables.
It's very easy to use and it will take only about 15 - 30
mins reading the
On Wed, 2007-06-13 at 15:47 -0700, ann kok wrote:
> Hi all
>
> I just installed new debian.
> but it seems there is no iptables in the default
> installation
>
> how can I install it?
1) you can use a pre-written script like this one:
http://www.hermann-uwe.de/files/fw_laptop
Getting it going is discusse
Hi all
I just installed new debian.
but it seems there is no iptables in the default
installation
how can I install it?
and
how can I install a new kernel?
can you show me steps?
Thank you
Got a little couch pot
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Currently I cannot play Sirius streams in Sipie unless I run "iptables
-P INPUT ACCEPT", but that is (hopefully) only a temporary solution.
I'd like to allow all traffic to flow between my computer and
Sirius.com, passing right throu
On Fri, May 04, 2007 at 11:57:39AM +0200, Pierguido wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Pierguido wrote:
> [...]
> > difficult...is there a tool to show in realtime the status of the counter?
>
> Sorry...here the output of iptables-save
>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Pierguido wrote:
[...]
> difficult...is there a tool to show in realtime the status of the counter?
Sorry...here the output of iptables-save
Pier
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Octavio Alvarez wrote:
> Check an iptables-save output to see if these rules are matched
> against a different interface than intended.
At the end I had to return to the configuration I had that problem
with; just I removed dst from the ph
ules in effect at the time of the
log entry? It's not making sense ...
Yes... 100% sure... I was doing many tests and the result was that I had to
disable firehol (and iptables as well).
Check an iptables-save output to see if these rules are matched
against a different interface than inte
0.0.0.0/0
>
> Are you 100% sure that these were the rules in effect at the time of the
> log entry? It's not making sense ...
Yes... 100% sure... I was doing many tests and the result was that I had to
disable firehol (and iptables as well).
I could try to set up a different ru
On Thu, May 03, 2007 at 02:26:32PM +0200, Pierguido wrote:
> I'm using Etch as a server and I want to configure bind.
> After I've done everything I set up firehol (iptables parser) and
> noticed that, when firehol is on, I cannot make any request to the
> outside dns ser
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi all.
I'm using Etch as a server and I want to configure bind.
After I've done everything I set up firehol (iptables parser) and
noticed that, when firehol is on, I cannot make any request to the
outside dns server.
I checked the firehol log
On Sun, Apr 22, 2007 at 10:38:42PM -0400, Jim Hyslop wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Franck Joncourt wrote:
> > I do not think the same way you do. If you are not running any servers,
> > except ssh
>
> I never said that. I said that ssh is the only port forwarded fro
Jim Hyslop <[EMAIL PROTECTED]> writes:
> H... does that mean I should really set up two machines, one in a
> DMZ for my ssh services, and the other for my internal services?
If this is a homeserver, I wouldn't bother. If it's a business, then
always separate internal and external services
-
're getting at?
> If you want to read more about iptables :
>
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
Thanks for the tip.
--
Jim Hyslop
Dreampossible: Better software. Simply. http://www.dreampossible.ca
Consulting * Mentoring * Training i
nary attempts to log in. A while back,
someone posted a link in this list to a blog that gave an Iptables
recipe to limit connections to 5 per minute per IP address. So, I issued
the commands:
You can use DenyHosts,
read how here.
http://www.go2linux.org/node/6
iptables -A INPUT -i ethLRZ -p t
On Fri, Apr 20, 2007 at 11:41:28PM -0400, Jim Hyslop wrote:
> > You have defined ethLRZ, haven't you ?
>
> I have no idea. I just entered the rules as found in the blog. I assumed
> 'LRZ' was simply a place-holder for the actual interface number, as the
> iptabl
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Franck Joncourt wrote:
> On Thu, Apr 19, 2007 at 09:18:45PM -0700, John L Fjellstad wrote:
>> Jim Hyslop <[EMAIL PROTECTED]> writes:
[...]
>> iptables -A INPUT -i ethLRZ -p tcp --dport 22 -m state --state NEW \
>>
On Fri, Apr 20, 2007 at 10:35:23PM +0200, Franck Joncourt wrote:
>
> These are the rules I use for my ftp server, and it works fine :
>
> iptables -A lan_in_new -p tcp --syn --dport 21 -m recent \
> --set --name ftp_hits_list2
> iptables -A wan_in_new -p tcp --syn --
, I'm
> being hit by a lot of dictionary attempts to log in. A while back,
> someone posted a link in this list to a blog that gave an Iptables
> recipe to limit connections to 5 per minute per IP address. So, I issued
> the commands:
>
> iptables -A INPUT -i ethLRZ -p tcp --dport 22
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
John L Fjellstad wrote:
> You want to do update before you do set.
That sound you just heard was my palm slapping my forehead. For some
reason my brain didn't absorb the part of the man pages that said the
first rule that matches is the one that gets
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Marc wrote:
> Why not just try fail2ban from sarge-backports? Works great. And it's
> officially in etch.
Well, mostly because this is the first I've heard about fail2ban :-)
Thanks for the tip, I'll have a look at it.
--
Jim Hyslop
Dreampossible:
ack,
> someone posted a link in this list to a blog that gave an Iptables
> recipe to limit connections to 5 per minute per IP address. So, I issued
> the commands:
>
> iptables -A INPUT -i ethLRZ -p tcp --dport 22 -m state --state NEW \
> -m recent --set --name SSH
>
>
Jim Hyslop wrote:
> someone posted a link in this list to a blog that gave an Iptables
> recipe to limit connections to 5 per minute per IP address. So, I issued
> the commands:
>
Why not just try fail2ban from sarge-backports? Works great. And it's
officially in etch.
nk in this list to a blog that gave an Iptables
recipe to limit connections to 5 per minute per IP address. So, I issued
the commands:
iptables -A INPUT -i ethLRZ -p tcp --dport 22 -m state --state NEW \
-m recent --set --name SSH
iptables -A INPUT -i ethLRZ -p tcp --dport 22 -m state --state NE
#drop the traffic from this port range
> $IPTABLES -A ${CHN_BTBLOCKEDIPS} \
> -m iprange --src-range $IpRange -j DROP
> done < <(zcat ${P2PBLOCKLISTFILE} | iconv -f latin1 -t utf-8 - | dos2unix)
> }
This is definitely too slow!
Why not dump the whole iptables a
On Fri, 23 Mar 2007, Andy Smith wrote:
> Have you tried inserting them as null routes into your routing table
> instead?
That won't be nice to the box, either.
> Even with ipset I would not consider putting this many rules into
> iptables.
It can be collapsed to one rule (or
On Tue, Mar 20, 2007 at 07:07:01PM -0400, H.S. wrote:
> I am playing round with the blocklist file obtained from peerguardian
> (level1.gz). I have written a bash function which I call in my iptables
> script to load these rules.
Have you tried inserting them as null routes into you
On Tue, 20 Mar 2007, H.S. wrote:
> Now, currently, there are around 151,000 ipranges listed in level1.gz to
> block. So the above function's loop goes over these many times inserting
See "ipset" and "nf-hipac" at http://www.netfilter.org for support for
heavy-duty, huge rulesets.
On Wed, Mar 21, 2007 at 04:39:57PM -0400, H.S. wrote:
> I am not going to follow up on my current method. A better one is
> definitely needed.
Googling on the shorewall home page yielded the following:
http://www.shorewall.net/ipsets.html
...
...Ipsets provide an efficient way to repr
ositives (Using a different port than 22 seems to be the easiest solution).
>> The result was the experiment to use the massive blocklist and to
>> automate the process in iptables firewall on a router -- needs iptables,
>> bash, curl and maybe python or perl. I am giving it a shot. As
te. I can give more pointers if this is not sufficient.
>
okay, I follow... and you want otherwise unfettered p2p operating, but
security from these particular sites. ugh. nasty problem.
> The result was the experiment to use the massive blocklist and to
> automate the process in iptabl
erguardian website and kind of took off from there. The purpose is to
block/drop traffic from all the ip ranges listed in blocklist provided
by peerguardian website. I can give more pointers if this is not sufficient.
The result was the experiment to use the massive blocklist and to
automate the p
On Wed, Mar 21, 2007 at 01:36:17PM -0400, H.S. wrote:
> Andrew Sackville-West wrote:
>
> >
> >nice to know that the connection is holding up, but there's got to be
> >a better way to do this. I'm not really up on iptables, but surely
> >there is some better
Andrew Sackville-West wrote:
nice to know that the connection is holding up, but there's got to be
a better way to do this. I'm not really up on iptables, but surely
there is some better way to distinguish the traffic to allow or not?
Maybe even just some judicious grepping of the ru
> >>> router running Etch (Pentium III, 449MHz, 380 MB RAM).
> >>>
> >>> How can I speed this up? Advice?
> >>>
> >>> thanks,
> >>> ->HS
> >>
> >>
> >> Anyone ... ?
> >
> > That's a whole lott
>>>router running Etch (Pentium III, 449MHz, 380 MB RAM).
> >>>
> >>>How can I speed this up? Advice?
> >>>
> >>>thanks,
> >>>->HS
> >>
> >>
> >>Anyone ... ?
> >
> >That's a whole lotta r
any
noticeable performance cut so far.
have you tried to make up an input for iptables-restore and blast all
rules into iptables at once?
from the docs i've read this should be faster.
on the other hand there is also nf-hipac (http://www.hipac.org/).
while i've not tried it, the
is is taking huge amount of
time: in over 50 minutes, only around 12% rules have been loaded on my
router running Etch (Pentium III, 449MHz, 380 MB RAM).
How can I speed this up? Advice?
thanks,
->HS
Anyone ... ?
That's a whole lotta rules. I'm not surprised that iptables doesn
for each range. And this is taking huge amount of
>> time: in over 50 minutes, only around 12% rules have been loaded on my
>> router running Etch (Pentium III, 449MHz, 380 MB RAM).
>>
>> How can I speed this up? Advice?
>>
>> thanks,
>> ->HS
>
H.S. wrote:
Now, currently, there are around 151,000 ipranges listed in level1.gz to
block. So the above function's loop goes over these many times inserting
the rules for each range. And this is taking huge amount of time: in
over 50 minutes, only around 12% rules have been loaded on my rou
Hello,
I am playing round with the blocklist file obtained from peerguardian
(level1.gz). I have written a bash function which I call in my iptables
script to load these rules.
The following function actually loads the rules from a gzipped file
(e.g. /etc/firewall/level1.gz, defined by the
> > Hello
> >> >
> >> > Need a little bit of help here... eth1 = Internet, eth0 = LAN, will
> >> > this work?
> >> >
> >> > iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to
> >> > 192.168.1.50:80
> >
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Giacomo Montagner wrote:
> On 3/3/07, John L Fjellstad <[EMAIL PROTECTED]> wrote:
>> Johnno <[EMAIL PROTECTED]> writes:
>>
>> > Hello
>> >
>> > Need a little bit of help here... eth1 = Internet,
On 3/3/07, John L Fjellstad <[EMAIL PROTECTED]> wrote:
Johnno <[EMAIL PROTECTED]> writes:
> Hello
>
> Need a little bit of help here... eth1 = Internet, eth0 = LAN, will
> this work?
>
> iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to
> 19
Johnno <[EMAIL PROTECTED]> writes:
> Hello
>
> Need a little bit of help here... eth1 = Internet, eth0 = LAN, will
> this work?
>
> iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to
> 192.168.1.50:80
> iptables -A INPUT -p tcp -m state --state NE
Hello
Need a little bit of help here... eth1 = Internet, eth0 = LAN, will this
work?
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to
192.168.1.50:80
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT
Anything on port 80 to go to an internal server
On Sat, Feb 24, 2007 at 12:44:05AM +0100, Matt Miller wrote:
>
> I'm new to apt-build, so I may be missing something simple.
>
You might also want to try the instructions in my package customization
HOWTO:
http://people.connexer.com/~roberto/howtos/debcustomize
Regards,
-Roberto
--
Roberto C
Under etch I'm trying to use apt-build to apply the iptables "tproxy"
patch from balabit.com. The apt-build process seems to complete
properly when I use the --patch option to include the patch, and I get a
new .deb in my apt-build repository. However, when I use dpkg to
instal
On 2/6/07, Michael Pobega <[EMAIL PROTECTED]> wrote:
I've been trying to get iptables working so that I can finally have a
worthwhile client-side non-graphical firewall. So to test it out, I
typed these two commands:
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPU
> I've been trying to get iptables working so that I can finally have a
> worthwhile client-side non-graphical firewall. So to test it out, I
> typed these two commands:
>
> # iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> # iptables -A INPUT -j REJECT
>
> And
>Subject: iptables usage
>From: Michael Pobega <[EMAIL PROTECTED]>
>Date: Tue, 06 Feb 2007 22:01:23 -0500
>To: debian-user@lists.debian.org
>
>I've been trying to get iptables working so that I can finally have a
>worthwhile client-side non-graphical firewall. So to
Andrei Popescu wrote:
> On Wed, 07 Feb 2007 07:16:31 -0500
> Michael Pobega <[EMAIL PROTECTED]> wrote:
>
>
>>> P.S. You should start a new thread for new problems, you might get
>>> more answers that way
>>>
>> I thought this /was/ a new thread? :-P
>>
>
> Threading is not only done
On Tue, Feb 06, 2007 at 10:38:17PM -0500, Michael Pobega wrote:
> Douglas Allan Tutty wrote:
> > On Tue, Feb 06, 2007 at 10:01:23PM -0500, Michael Pobega wrote:
> >
> >> I've been trying to get iptables working so that I can finally have a
> >> worthwhile
On Wed, 07 Feb 2007 07:16:31 -0500
Michael Pobega <[EMAIL PROTECTED]> wrote:
> > P.S. You should start a new thread for new problems, you might get
> > more answers that way
> I thought this /was/ a new thread? :-P
Threading is not only done by subject, but primarily by 'In-Reply-To:'
and 'Refere
Michael Pobega wrote:
Douglas Allan Tutty wrote:
On Tue, Feb 06, 2007 at 10:01:23PM -0500, Michael Pobega wrote:
I've been trying to get iptables working so that I can finally have a
worthwhile client-side non-graphical firewall. So to test it out, I
typed these two com
On Tue, Feb 06, 2007 at 10:01:23PM -0500, Michael Pobega wrote:
> I've been trying to get iptables working so that I can finally have a
> worthwhile client-side non-graphical firewall. So to test it out, I
> typed these two commands:
>
Two things.
1. Please don't hijack
What is happening here is:
1. When you close all ports of your computer from input but port 80,
the iptables will block the http response which isn't to your port 80.
I think that you need to close all connections to input but the
response or related packages, then you open all connectio
franck wrote:
> Michael Pobega wrote:
>> [...]
> Hi,
>
> What about the OUTPUT chain ? Have you set up more rules ? By default,
> iptables policy is to ACCEPT all packets.
>
> Have a look at :
>
> iptables -L -v to see your rules.
>
> An iptables tutorial
On Tue, 06 Feb 2007 22:38:17 -0500
Michael Pobega <[EMAIL PROTECTED]> wrote:
> Douglas Allan Tutty wrote:
> > On Tue, Feb 06, 2007 at 10:01:23PM -0500, Michael Pobega wrote:
> >
> >> I've been trying to get iptables working so that I can finally
> >>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Michael Pobega wrote:
> I've been trying to get iptables working so that I can finally have a
> worthwhile client-side non-graphical firewall. So to test it out, I
> typed these two commands:
>
> # iptables -A INPUT -p tcp
Douglas Allan Tutty wrote:
> On Tue, Feb 06, 2007 at 10:01:23PM -0500, Michael Pobega wrote:
>
>> I've been trying to get iptables working so that I can finally have a
>> worthwhile client-side non-graphical firewall. So to test it out, I
>> typed these two command
On Tue, Feb 06, 2007 at 10:01:23PM -0500, Michael Pobega wrote:
> I've been trying to get iptables working so that I can finally have a
> worthwhile client-side non-graphical firewall. So to test it out, I
> typed these two commands:
>
> # iptables -A INPUT -p tcp
I've been trying to get iptables working so that I can finally have a
worthwhile client-side non-graphical firewall. So to test it out, I
typed these two commands:
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -j REJECT
And for some reason I completely lost my conne
> On Tue, Jan 09, 2007 at 03:59:44AM +0100, Marc wrote:
>> Hi there,
>> my kernel (2.6.18) has hashlimit support for iptables compiled in.
>> Now I try to insert a rule using hashlimit, then the following appears:
>>
>> iptables v1.2.11: Couldn't l
On Tue, Jan 09, 2007 at 03:59:44AM +0100, Marc wrote:
> Hi there,
> my kernel (2.6.18) has hashlimit support for iptables compiled in.
> Now I try to insert a rule using hashlimit, then the following appears:
>
> iptables v1.2.11: Couldn't load match
> `h
Hi there,
my kernel (2.6.18) has hashlimit support for iptables compiled in.
Now I try to insert a rule using hashlimit, then the following appears:
iptables v1.2.11: Couldn't load match
`hashlimit':/lib/iptables/libipt_hashlimit.so: cannot open shared object
file: No such file or dire
> >>
> >> > If you look at the number of lines of rules you make, and compare it
> >> > to the number of lines (pages!) of iptables rules it makes, you see
> >> > that shorewall is easier. Also the syntax is easier. Changes are
> >> &
John Hasler <[EMAIL PROTECTED]> writes:
> John L. Fjellstad writes:
>> shorewall creates pages of iptables rules and that is considered a good
>> thing?
>
> You'd rather write them all by hand?
You think creating "pages" of rules is Keeping I
[EMAIL PROTECTED] writes:
> On Thu, Oct 19, 2006 at 05:22:24PM -0700, John L Fjellstad wrote:
>> [EMAIL PROTECTED] writes:
>>
>> > If you look at the number of lines of rules you make, and compare it
>> > to the number of lines (pages!) of iptables rules it make
Doug writes:
> If you did it manually with fewer rules you would have a more porous
> firewall or you wouldn't have the services you want traversing the
> firewall. If you used too few rules you would have a screen door.
Not only is it important to have the right rules, but it is also important
to
John L. Fjellstad writes:
> shorewall creates pages of iptables rules and that is considered a good
> thing?
You'd rather write them all by hand?
--
John Hasler
On Thu, Oct 19, 2006 at 05:22:24PM -0700, John L Fjellstad wrote:
> [EMAIL PROTECTED] writes:
>
> > If you look at the number of lines of rules you make, and compare it
> > to the number of lines (pages!) of iptables rules it makes, you see
> > that shorewall is easier. A
[EMAIL PROTECTED] writes:
> If you look at the number of lines of rules you make, and compare it to
> the number of lines (pages!) of iptables rules it makes, you see that
> shorewall is easier. Also the syntax is easier. Changes are far
> easier. Besides, the shorewall book is t
On 10/19/2006 06:40 AM, L.V.Gandhi wrote:
On 10/19/06, Mumia W.. <[EMAIL PROTECTED]> wrote:
On 10/19/2006 12:39 AM, cothrige wrote:
> * John Hasler ([EMAIL PROTECTED]) wrote:
>> The name is misleading. Ipmasq configures both NAT and
firewalling. The
>> default configuration is suitable for mo
* Mumia W.. ([EMAIL PROTECTED]) wrote:
>
> This site, http://www.grc.com , has a service called Shields-Up that
> will help you find out what, if any, ports are open on your computer.
>
> Also, "netstat -putl" will let you find out what listening ports are open.
>
Many thanks.
Patrick
On 2006-10-19, 12:24:26 (+) Andrew Critchlow wrote:
> Hi, I am new to iptables, can anyone point me to a good link on how to learn
> iptables from scratch? Or anyone recommend a good book on it?
Hi, look at the comments to this post
http://www.debian-administration.org/articl
Hi, I am new to iptables, can anyone point me to a good link on how to learn iptables from scratch? Or anyone recommend a good book on it?
Many thanks