Difference between revisions of "Talk:Simple stateful firewall"

From ArchWiki
Jump to: navigation, search
m (indent >.<)
(Script to automate the firewal setup: re)
(16 intermediate revisions by 8 users not shown)
Line 1: Line 1:
Still to finish: port knocking section, ssh bruteforce protection with recent module, rewrite of NAT section, firewall script. I'm probably going to end up rewriting a lot of the other stuff too, to make the article/guide easier to follow. [[User:Thestinger|Thestinger]] 12:50, 8 April 2010 (EDT)
+
== IPv6 icmp replies ==
 +
For ipv6 adaptation.
 +
As '''--reject-with icmp6-proto-unreachable''' does not exist in ipv6, as told in the page, and according to the error messages description in the RFC [[https://tools.ietf.org/html/rfc4443#section-3.1]].
 +
I think the '''icmp6-adm-prohibited''' which means "Communication with destination administratively prohibited" may be the message to send. It is only by reading the RFC, I am not a network expert and I have no idea of what is generally done in this case.--[[User:Cladmi|Cladmi]] 07:28, 15 February 2012 (EST)
  
:Also need to fix the portscanner section, right now a local windows machine will get themselves on the list from netbios stuff, it's just a matter of adding a limit to how many packets is normal and then putting ones that go over that on the recent list [[User:Thestinger|Thestinger]] 20:32, 19 April 2010 (EDT).
+
:: Other articles have suggested a vanilla reject, thus:
 +
 
 +
  -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 +
  -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
 +
  -A INPUT -j REJECT
 +
 
 +
--[[User:Steve-o|Steve-o]] ([[User talk:Steve-o|talk]]) 13:44, 13 September 2013 (UTC)
 +
:::I'd say it depends what you want to do and the link to the RFC above by Cladmi is perfectly correct. I would change your last rule to
 +
  -A INPUT -j REJECT --reject-with  icmp6-adm-prohibited
 +
:::I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6 capable fw). Do you see reasons not to do it like that? --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 12:15, 15 September 2013 (UTC)
 +
 
 +
== Script to automate the firewal setup ==
 +
 
 +
I've created a script to set the rules for a common use case at https://gist.github.com/adityamukho/7366051
 +
 
 +
It borrows some parts of sysctl setup from http://0v.org/installing-ghost-on-ubuntu-nginx-and-mysql/
 +
 
 +
:Please [[Help:Style#Discussion_pages|sign]] your posts by typing {{ic|<nowiki>~~~~</nowiki>}} next time.
 +
:You don't need a script to set up iptables, you can just copy the file containing the rules - and we [[Simple_Stateful_Firewall#Example_iptables.rules_file|already have that]]. Also the sysctl part is already on our wiki: [[Sysctl#TCP.2FIP_stack_hardening]]. Feel free to add any missing information, but I don't think it is necessary to include any scripts - they just prevent the user from understanding the core of the problem.
 +
:-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 07:26, 8 November 2013 (UTC)

Revision as of 07:26, 8 November 2013

IPv6 icmp replies

For ipv6 adaptation. As --reject-with icmp6-proto-unreachable does not exist in ipv6, as told in the page, and according to the error messages description in the RFC [[1]]. I think the icmp6-adm-prohibited which means "Communication with destination administratively prohibited" may be the message to send. It is only by reading the RFC, I am not a network expert and I have no idea of what is generally done in this case.--Cladmi 07:28, 15 February 2012 (EST)

Other articles have suggested a vanilla reject, thus:
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
 -A INPUT -j REJECT

--Steve-o (talk) 13:44, 13 September 2013 (UTC)

I'd say it depends what you want to do and the link to the RFC above by Cladmi is perfectly correct. I would change your last rule to
  -A INPUT -j REJECT --reject-with  icmp6-adm-prohibited
I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6 capable fw). Do you see reasons not to do it like that? --Indigo (talk) 12:15, 15 September 2013 (UTC)

Script to automate the firewal setup

I've created a script to set the rules for a common use case at https://gist.github.com/adityamukho/7366051

It borrows some parts of sysctl setup from http://0v.org/installing-ghost-on-ubuntu-nginx-and-mysql/

Please sign your posts by typing ~~~~ next time.
You don't need a script to set up iptables, you can just copy the file containing the rules - and we already have that. Also the sysctl part is already on our wiki: Sysctl#TCP.2FIP_stack_hardening. Feel free to add any missing information, but I don't think it is necessary to include any scripts - they just prevent the user from understanding the core of the problem.
-- Lahwaacz (talk) 07:26, 8 November 2013 (UTC)