Difference between revisions of "Talk:Simple stateful firewall"

From ArchWiki
m (IPv6 icmp replies: typo)
m (References to OPEN chain(s): rm closed discussion)
Line 26:

   -A INPUT -j REJECT --reject-with icmp6-adm-prohibited

:::I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6 capable fw). Do you see reasons not to do it like that? --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 12:15, 15 September 2013 (UTC)
 
== <s>References to OPEN chain(s)</s> ==
 
 
I've re-read the guide once again and noticed multiple references to a now non-existent OPEN chain. A few years ago the OPEN chain was split into OPEN-TCP and OPEN-UDP, now simply TCP and UDP. See the relevant edits: [https://wiki.archlinux.org/index.php?title=Simple_Stateful_Firewall&diff=99829&oldid=99828], [https://wiki.archlinux.org/index.php?title=Simple_Stateful_Firewall&diff=119618&oldid=119609].
 
 
There are two solutions, either drop the references to the OPEN chain(s) completely, or undo those very old edits. If there are no objections, I'll go with the former.
 
 
-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 14:25, 8 September 2013 (UTC)
 
:+1 for the former. The first talk item shows as well that the old refs should be removed completely. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 21:45, 11 September 2013 (UTC)
 
 
:: Done, see if I missed something or if anything needs better wording: [https://wiki.archlinux.org/index.php?title=Simple_Stateful_Firewall&diff=275132&oldid=274755] -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 06:17, 12 September 2013 (UTC)
 
::: Fine with me. One could really add other examples to those INPUT chains, e.g. the logdrop from the main iptables article instead of opening port after port, but that's another matter. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 18:32, 12 September 2013 (UTC)
 
 
:::: OK, I'll close this in the meantime. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 13:07, 13 September 2013 (UTC)
 

Revision as of 17:53, 2 October 2013

== Clarification on syn scan rules ==

Maybe I misunderstood some of the instructions but I found that I needed to insert the rules into the chains TCP and UDP rather than OPEN-TCP and OPEN-UDP as the latter didn't exist:

 # iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
 # iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach

I also found that I needed to add an --update:

 # iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --hitcount 6 --seconds 4 -j DROP

I believe an --rcheck would also have worked. I'm not sure which would be correct. In general, I found this very helpful in conjunction with the man page for iptables. --Margali 21:57, 29 December 2011 (EST)

:I just checked, the above suggestions are in the rules now. Closing. --Indigo (talk) 21:45, 11 September 2013 (UTC)
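To make the --update versus --rcheck question in the thread above concrete, here is an added example (not code from the ArchWiki page or from netfilter) that models the documented semantics of the iptables "recent" match: --set records a hit, --rcheck tests whether at least --hitcount hits fell inside the last --seconds, and --update does the same test but also refreshes the address's timestamp when the rule matches. The rule order it walks (a --set rule, then the --hitcount 6 --seconds 4 DROP rule, then ACCEPT), the address 192.0.2.10 and the burst timings are assumptions constructed for the example.

```python
# Added example: a small model of the iptables "recent" match (xt_recent) as used
# by the ping limiter discussed above. Not code from the ArchWiki page or from
# netfilter; it follows the documented --set/--rcheck/--update/--hitcount/--seconds
# behaviour so both rule variants can be compared offline.
from collections import deque

IP_PKT_LIST_TOT = 20  # xt_recent default: timestamps remembered per address


class RecentList:
    """One named list (e.g. ping_limiter): source address -> hit timestamps."""

    def __init__(self, name):
        self.name = name
        self.entries = {}

    def set(self, addr, now):
        """--set: add the address (or append a fresh timestamp); always matches."""
        self.entries.setdefault(addr, deque(maxlen=IP_PKT_LIST_TOT)).append(now)
        return True

    def rcheck(self, addr, now, seconds=0, hitcount=0):
        """--rcheck: match if the address is listed and at least `hitcount`
        hits fall inside the last `seconds` (0 = no window, any hit counts)."""
        stamps = self.entries.get(addr)
        if not stamps:
            return False
        hits = sum(1 for t in stamps if seconds == 0 or t >= now - seconds)
        return hits >= max(hitcount, 1)

    def update(self, addr, now, seconds=0, hitcount=0):
        """--update: same test as --rcheck, but on a match the address also
        gets a new timestamp (the refresh happens only when the rule matches)."""
        matched = self.rcheck(addr, now, seconds, hitcount)
        if matched:
            self.entries[addr].append(now)
        return matched

    def stamps(self, addr):
        """Number of timestamps currently remembered for `addr`."""
        return len(self.entries.get(addr, ()))


def ping_verdict(recent, addr, now, mode="update"):
    """Walk the three ping rules in order and return the verdict.
    Assumed rule order (not quoted from the page): --set first, then the
    --hitcount 6 --seconds 4 DROP rule using --update or --rcheck, then ACCEPT."""
    recent.set(addr, now)                                   # rule 1: --set
    check = recent.update if mode == "update" else recent.rcheck
    if check(addr, now, seconds=4, hitcount=6):             # rule 2: -j DROP
        return "DROP"
    return "ACCEPT"                                         # rule 3: -j ACCEPT


def simulate(times, mode="update", addr="192.0.2.10"):
    """Feed echo-requests from one constructed address at the given times;
    return the per-packet verdicts and how many timestamps the list kept."""
    recent = RecentList("ping_limiter")
    verdicts = [ping_verdict(recent, addr, t, mode) for t in times]
    return verdicts, recent.stamps(addr)


if __name__ == "__main__":
    # Constructed burst: seven pings within three seconds, then one ten seconds later.
    burst = [0, 0.5, 1, 1.5, 2, 2.5, 3, 10]
    for mode in ("update", "rcheck"):
        verdicts, kept = simulate(burst, mode)
        print(mode, verdicts, "timestamps kept:", kept)
```

With the --set rule in front, both variants drop the sixth and seventh ping of the burst and accept the later one once the four-second window has emptied, which is why --rcheck also works here; the only difference is that --update appends an extra timestamp for every dropped packet, so the list fills towards its per-address cap a little faster.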

== IPv6 icmp replies ==

For the IPv6 adaptation: as --reject-with icmp6-proto-unreachable does not exist in IPv6, as stated in the page, and according to the error message descriptions in the RFC [1], I think icmp6-adm-prohibited, which means "Communication with destination administratively prohibited", may be the message to send. I only know this from reading the RFC; I am not a network expert and I have no idea what is generally done in this case. --Cladmi 07:28, 15 February 2012 (EST)

::Other articles have suggested a vanilla reject, thus:
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
 -A INPUT -j REJECT

::--Steve-o (talk) 13:44, 13 September 2013 (UTC)

:::I'd say it depends what you want to do, and the link to the RFC above by Cladmi is perfectly correct. I would change your last rule to
 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
:::I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6 capable fw). Do you see reasons not to do it like that? --Indigo (talk) 12:15, 15 September 2013 (UTC)