Difference between revisions of "Talk:Simple stateful firewall"

From ArchWiki
(References to OPEN chain(s): new section)
(re old rules)
Revision as of 21:45, 11 September 2013

Clarification on syn scan rules

Maybe I misunderstood some of the instructions but I found that I needed to insert the rules into the chains TCP and UDP rather than OPEN-TCP and OPEN-UDP as the latter didn't exist:

# iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
# iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach

I also found that I needed to add an --update:

# iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 6 --seconds 4 -j DROP

I believe an --rcheck would also have worked. I'm not sure which would be correct. In general, I found this very helpful in conjunction with the man page for iptables. --Margali 21:57, 29 December 2011 (EST)

I just checked, the above suggestions are in the rules now. closing --Indigo (talk) 21:45, 11 September 2013 (UTC)
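The open question in this thread is whether --rcheck would have done the same job as --update in the ping limiter. The following is an added example, not code from the ArchWiki page or its authors: a small Python model of the iptables "recent" match (xt_recent) as the iptables-extensions man page describes it (--set records a hit and always matches; --rcheck matches when the address already has at least --hitcount hits within --seconds and never touches the list; --update is --rcheck plus recording a hit on a successful match). It runs the two-rule ping limiter from the discussion (the DROP rule followed by a --set/ACCEPT rule) over constructed traffic from one constructed source address and counts the verdicts for both variants. The chain model, the timings and the address are assumptions made for the illustration.

```python
# Added example (not from the ArchWiki page or its authors): a model of the
# iptables "recent" match (xt_recent) per the iptables-extensions man page,
# used to compare --update and --rcheck in the ping-limiter rule from the
# thread above. Addresses and packet timings are constructed.
from collections import deque

MAX_STAMPS = 20  # xt_recent keeps this many timestamps per address by default


class RecentTable:
    """One named list, e.g. 'ping_limiter': source address -> hit timestamps."""

    def __init__(self, name):
        self.name = name
        self.entries = {}  # addr -> deque of timestamps (seconds)

    def match(self, addr, now, *, set_=False, rcheck=False, update=False,
              seconds=0, hitcount=0):
        """Evaluate one '-m recent' match and mutate the list as xt_recent does.

        --set    : record a hit, always matches.
        --rcheck : match if addr is listed with >= hitcount hits within the
                   last `seconds`; never modifies the list.
        --update : like --rcheck, but a successful match also records a hit,
                   so an address that keeps sending keeps extending its window.
        """
        if not (set_ or rcheck or update):
            raise ValueError("recent match needs one of --set, --rcheck, --update")
        stamps = self.entries.get(addr)
        if stamps is None:
            if not set_:
                return False  # unknown address: --rcheck/--update never match
            stamps = self.entries[addr] = deque(maxlen=MAX_STAMPS)
        if set_:
            matched = True
        else:
            window_start = now - seconds
            hits = 0
            matched = False
            for t in stamps:
                if seconds and t < window_start:
                    continue  # hit is older than the --seconds window
                hits += 1
                if not hitcount or hits >= hitcount:
                    matched = True
                    break
        if set_ or (update and matched):
            stamps.append(now)
        return matched


def run_chain(rules, addr, now, policy="DROP"):
    """First matching rule wins, like an iptables chain; rules are (matcher, target)."""
    for matcher, target in rules:
        if matcher(addr, now):
            return target
    return policy


def ping_limiter_rules(use_update):
    """Two-rule ping limiter: drop if >= 6 pings in 4 s, otherwise record and accept.

    use_update=True  models: -m recent --name ping_limiter --update --hitcount 6 --seconds 4 -j DROP
    use_update=False models the same rule with --rcheck in place of --update.
    Both are followed by:    -m recent --name ping_limiter --set -j ACCEPT
    """
    table = RecentTable("ping_limiter")
    mode = {"update": True} if use_update else {"rcheck": True}
    return [
        (lambda a, t: table.match(a, t, seconds=4, hitcount=6, **mode), "DROP"),
        (lambda a, t: table.match(a, t, set_=True), "ACCEPT"),
    ]


# Constructed traffic from one source: 2 pings/s for 10 s, then 1 ping/s.
FLOOD = [i * 0.5 for i in range(20)]
TRICKLE = [10.5, 11.5, 12.5, 13.5]
SOURCE = "198.51.100.7"  # constructed, documentation-range address


def simulate(use_update, times=FLOOD + TRICKLE, addr=SOURCE):
    """Return the chain verdict for every ping in `times`."""
    rules = ping_limiter_rules(use_update)
    return [run_chain(rules, addr, t) for t in times]


def compare():
    """Drops during the flood and during the trickle, per variant."""
    out = {}
    for label, use_update in (("--update", True), ("--rcheck", False)):
        v = simulate(use_update)
        out[label] = (v[:len(FLOOD)].count("DROP"), v[len(FLOOD):].count("DROP"))
    return out


if __name__ == "__main__":
    for label, (flood_drops, trickle_drops) in compare().items():
        print(f"{label}: dropped {flood_drops}/{len(FLOOD)} flood pings, "
              f"{trickle_drops}/{len(TRICKLE)} follow-up pings")
```

In this model both variants let the first six pings through and then start dropping, but they diverge afterwards: with --update every dropped ping also refreshes the list, so the flooding source stays blocked for as long as it keeps sending (14 of 20 flood pings dropped, and the first two follow-up pings as well), whereas with --rcheck only accepted pings are recorded, so the window drains while the drop rule is firing and roughly every other burst gets through again (6 of 20 dropped, none of the follow-ups). The same mechanism is what the --update rules in the TCP and UDP chains rely on: a source recorded in TCP-PORTSCAN keeps being rejected for another 60 s after each further probe.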

IPv6 icmp replies

For IPv6 adaptation: as --reject-with icmp6-proto-unreachable does not exist in IPv6, as stated on the page, and according to the error message descriptions in the RFC (https://tools.ietf.org/html/rfc4443#section-3.1), I think icmp6-adm-prohibited, which means "Communication with destination administratively prohibited", may be the message to send. This is only from reading the RFC; I am not a network expert and I have no idea what is generally done in this case. --Cladmi 07:28, 15 February 2012 (EST)

References to OPEN chain(s)

I've re-read the guide once again and noticed multiple references to a now non-existent OPEN chain. A few years ago the OPEN chain was split into OPEN-TCP and OPEN-UDP, now simply TCP and UDP. See the relevant edits: [2], [3].

There are two solutions, either drop the references to the OPEN chain(s) completely, or undo those very old edits. If there are no objections, I'll go with the former.

-- Lahwaacz (talk) 14:25, 8 September 2013 (UTC)

+1 for the former. The first talk item shows as well that the old refs should be removed completely. --Indigo (talk) 21:45, 11 September 2013 (UTC)