Difference between revisions of "Talk:Simple stateful firewall"

m (moved Talk:Simple stateful firewall HOWTO to Talk:Simple stateful firewall: naming conventions - other guides don't contain "HOWTO")
(Script to automate the firewal setup: re)
(20 intermediate revisions by 8 users not shown)
Line 1: Line 1:
I'm doing a rewrite of this article to make it more correct and simple, and also to cleanup a lot of unnecessary info. Once the cleanup, etc is done the merge to the iptables article that is suggested on the iptables discussion page will make a lot more sense [[User:Thestinger|Thestinger]] 07:28, 12 March 2010 (EST)
+
== IPv6 icmp replies ==
 +
For ipv6 adaptation.
 +
As '''--reject-with icmp6-proto-unreachable''' does not exist in ipv6, as told in the page, and according to the error messages description in the RFC [[https://tools.ietf.org/html/rfc4443#section-3.1]].
 +
I think the '''icmp6-adm-prohibited''' which means "Communication with destination administratively prohibited" may be the message to send. It is only by reading the RFC, I am not a network expert and I have no idea of what is generally done in this case.--[[User:Cladmi|Cladmi]] 07:28, 15 February 2012 (EST)
  
:Except for a few more tweaks, I'm pretty much done with the [[Simple_stateful_firewall_HOWTO#Firewall_for_a_single_machine]] section. I'm going to rewrite the script at the bottom to contain the new rules. Also, I plan on adding a section about the recent module to the "hide your computer" section that shows how to trick portscanners into thinking open ports are closed. Once that's done, I'll read over the NAT section and see what I can do to improve it. :[[User:Thestinger|Thestinger]] 10:25, 15 March 2010 (EDT)
+
:: Other articles have suggested a vanilla reject, thus:
  
::Still to finish: port knocking section, ssh bruteforce protection with recent module, rewrite of NAT section, firewall script. I'm probably going to end up rewriting a lot of the other stuff too, to make the article/guide easier to follow. [[User:Thestinger|Thestinger]] 12:50, 8 April 2010 (EDT)
+
  -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 +
  -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
 +
  -A INPUT -j REJECT
  
== NAT ==
+
--[[User:Steve-o|Steve-o]] ([[User talk:Steve-o|talk]]) 13:44, 13 September 2013 (UTC)
 +
:::I'd say it depends what you want to do and the link to the RFC above by Cladmi is perfectly correct. I would change your last rule to
 +
  -A INPUT -j REJECT --reject-with  icmp6-adm-prohibited
 +
:::I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6 capable fw). Do you see reasons not to do it like that? --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 12:15, 15 September 2013 (UTC)
  
The NAT section here is incomplete and there is a far superior article here: [[NAT'ing firewall - Share your broadband connection]]. If no one opposes it, I'm going to work on improving [[NAT'ing firewall - Share your broadband connection]] and then get rid of the NAT section here once it has no unique information. This article is for a "Simple Stateful Firewall", not an NAT. [[User:Thestinger|Thestinger]] 13:35, 9 April 2010 (EDT)
+
== Script to automate the firewal setup ==
 +
 
 +
I've created a script to set the rules for a common use case at https://gist.github.com/adityamukho/7366051
 +
 
 +
It borrows some parts of sysctl setup from http://0v.org/installing-ghost-on-ubuntu-nginx-and-mysql/
 +
 
 +
:Please [[Help:Style#Discussion_pages|sign]] your posts by typing {{ic|<nowiki>~~~~</nowiki>}} next time.
 +
:You don't need a script to set up iptables, you can just copy the file containing the rules - and we [[Simple_Stateful_Firewall#Example_iptables.rules_file|already have that]]. Also the sysctl part is already on our wiki: [[Sysctl#TCP.2FIP_stack_hardening]]. Feel free to add any missing information, but I don't think it is necessary to include any scripts - they just prevent the user from understanding the core of the problem.
 +
:-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 07:26, 8 November 2013 (UTC)

Revision as of 07:26, 8 November 2013

IPv6 icmp replies

For ipv6 adaptation. As --reject-with icmp6-proto-unreachable does not exist in ipv6, as told in the page, and according to the error messages description in the RFC (https://tools.ietf.org/html/rfc4443#section-3.1), I think the icmp6-adm-prohibited, which means "Communication with destination administratively prohibited", may be the message to send. This is only from reading the RFC; I am not a network expert and I have no idea of what is generally done in this case. --Cladmi 07:28, 15 February 2012 (EST)

Other articles have suggested a vanilla reject, thus:
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
 -A INPUT -j REJECT

--Steve-o (talk) 13:44, 13 September 2013 (UTC)

I'd say it depends what you want to do and the link to the RFC above by Cladmi is perfectly correct. I would change your last rule to
  -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6 capable fw). Do you see reasons not to do it like that? --Indigo (talk) 12:15, 15 September 2013 (UTC)
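As an added example (not from this thread or the wiki article itself), here is a complete ip6tables-restore file for a single machine that ends with the reject tail Indigo proposes; the opened TCP port 22 is a constructed placeholder for whatever services the host actually exposes.

```text
# Constructed example ip6tables.rules for a single host; load with ip6tables-restore
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
# Stateful core: accept replies to our own traffic and loopback first
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ICMPv6 is not optional on IPv6: Neighbor Discovery, MLD and path-MTU
# discovery all depend on it, so accept it before anything is dropped
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New connections go to the per-protocol user chains
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# Reject tail discussed above: explicit port-unreachable for UDP, RST for
# TCP, and the RFC 4443 administratively-prohibited code for everything else
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
# Constructed placeholder: the only service this example host exposes
-A TCP -p tcp --dport 22 -j ACCEPT
COMMIT
```

Note that an ip6tables REJECT with no --reject-with sends icmp6-port-unreachable, so Steve-o's bare final rule and the UDP rule above behave identically; the icmp6-adm-prohibited variant is what tells the peer that a policy, not a missing listener, refused the packet.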

Script to automate the firewall setup

I've created a script to set the rules for a common use case at https://gist.github.com/adityamukho/7366051

It borrows some parts of sysctl setup from http://0v.org/installing-ghost-on-ubuntu-nginx-and-mysql/

Please sign your posts by typing ~~~~ next time.
You don't need a script to set up iptables, you can just copy the file containing the rules - and we already have that. Also the sysctl part is already on our wiki: Sysctl#TCP.2FIP_stack_hardening. Feel free to add any missing information, but I don't think it is necessary to include any scripts - they just prevent the user from understanding the core of the problem.
-- Lahwaacz (talk) 07:26, 8 November 2013 (UTC)