ArchWiki - User contributions [en], user Aditya2013 (feed generated 2024-03-29T12:23:51Z, MediaWiki 1.41.0)

Talk:Simple stateful firewall, 2013-11-08T04:16:06Z, https://wiki.archlinux.org/index.php?title=Talk:Simple_stateful_firewall&diff=281941
Aditya2013: /* Script to automate the firewall setup */ new section

== IPv6 icmp replies ==
For IPv6 adaptation.
As '''--reject-with icmp6-proto-unreachable''' does not exist in IPv6, as stated in the page, and according to the error message descriptions in the RFC [[https://tools.ietf.org/html/rfc4443#section-3.1]], I think '''icmp6-adm-prohibited''', which means "Communication with destination administratively prohibited", may be the message to send. This is only from reading the RFC; I am not a network expert and I have no idea what is generally done in this case.--[[User:Cladmi|Cladmi]] 07:28, 15 February 2012 (EST)

:: Other articles have suggested a vanilla reject, thus:

-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j REJECT

--[[User:Steve-o|Steve-o]] ([[User talk:Steve-o|talk]]) 13:44, 13 September 2013 (UTC)
:::I'd say it depends on what you want to do, and the link to the RFC above by Cladmi is perfectly correct. I would change your last rule to
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
:::I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6-capable firewall). Do you see reasons not to do it like that? --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 12:15, 15 September 2013 (UTC)

== Script to automate the firewall setup ==

I've created a script to set the rules for a common use case at https://gist.github.com/adityamukho/7366051

It borrows some parts of the sysctl setup from http://0v.org/installing-ghost-on-ubuntu-nginx-and-mysql/
Talk:Nginx, 2013-11-08T03:30:58Z, https://wiki.archlinux.org/index.php?title=Talk:Nginx&diff=281940
Aditya2013: /* Bash Script for the Whole Setup */ new section

== Run FastCGI as user, not root. ==

After reading [http://library.linode.com/lemp-guides/ubuntu-10.04-lucid/#deploy_php_with_fastcgi this], why isn't the example in this wiki set to use the "http" user instead of root?

== In step 3 for PHP ==
the folder /srv/http/nginx does not exist. It should be /usr/share/nginx/http, shouldn't it?

== systemd fails to start php-fpm with settings in this article ==

systemd gave the error "Failed to get D-Bus connection". To fix it, change the following in /etc/php/php-fpm.conf:

;error_log = log/php-fpm.log
to
error_log = /var/log/php-fpm.log

Not sure if this is confirmed, but it seems to be common. Source: [http://www.howtoforge.com/installing-nginx-with-php5-and-php-fpm-and-mysql-support-on-opensuse-12.1 Installing Nginx With PHP5]

Does anybody with wiki skills want to make the changes? I am new to wiki editing.
: Check [[Help:Editing]] and [[Help:Style]], it is a good opportunity to get involved. -- [[User:Fengchao|Fengchao]] ([[User talk:Fengchao|talk]]) 05:54, 20 March 2013 (UTC)

== Running nginx jailed ==

Wouldn't it be better to use systemd's {{ic|RootDirectory&#61;}}, {{ic|User&#61;}} and {{ic|Group&#61;}} options in the {{ic|[Service]}} section instead of running each {{ic|Exec*}} with {{ic|chroot}}?

{{hc|/etc/systemd/system/nginx.service|
[Unit]
Description&#61;A high performance web server and a reverse proxy server
After&#61;syslog.target network.target

[Service]
Type&#61;forking
RootDirectory&#61;/srv/http
User&#61;http
Group&#61;http
PIDFile&#61;/run/nginx.pid
ExecStartPre&#61;/usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecStart&#61;/usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecReload&#61;/usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
ExecStop&#61;/usr/sbin/nginx -g 'pid /run/nginx.pid;' -s quit

[Install]
WantedBy&#61;multi-user.target}}

Also the jail's {{ic|/tmp}} and {{ic|/run}} tmpfs should be added to fstab for the service to load on reboot.

== stanza is wrong ==

the stanza refers to 'index.php', but it should refer to the proper PHP path --[[User:Legolas558|Legolas558]] ([[User talk:Legolas558|talk]]) 06:23, 14 May 2013 (UTC)

== Bash Script for the Whole Setup ==

I've created a bash script to run all the steps in the setup described in the main article:

https://gist.github.com/adityamukho/7365731

This can be used as is for 64-bit systems. For 32-bit systems, a few modifications need to be made, especially at line 41.