Talk:Simple stateful firewall

From ArchWiki
Revision as of 18:32, 12 September 2013 by Indigo (talk | contribs) (References to OPEN chain(s): re)
Jump to: navigation, search

Clarification on syn scan rules

Maybe I misunderstood some of the instructions but I found that I needed to insert the rules into the chains TCP and UDP rather than OPEN-TCP and OPEN-UDP as the latter didn't exist:

# iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
# iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach

I also found that I needed to add an --update:

# iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --hitcount 6 --seconds 4 -j DROP

I believe an --rcheck would also have worked. I'm not sure which would be correct. In general, I found this very helpful in conjunction with the man page for iptables. --Margali 21:57, 29 December 2011 (EST)

I just checked, the above suggestions are in the rules now. closing --Indigo (talk) 21:45, 11 September 2013 (UTC)

IPv6 icmp replies

For ipv6 adaptation. As --reject-with icmp6-proto-unreachable does not exist in ipv6, as told in the page, and according to the error messages description in the RFC [[1]]. I think the icmp6-adm-prohibited which means "Communication with destination administratively prohibited" may be the message to send. It is only by reading the RFC, I am not a network expert and I have no idea of what is generally done in this case.--Cladmi 07:28, 15 February 2012 (EST)

References to OPEN chain(s)

I've re-read the guide once again and noticed multiple references to a now non-existent OPEN chain. A few years ago the OPEN chain was split into OPEN-TCP and OPEN-UDP, now simply TCP and UDP. See the relevant edits: [2], [3].

There are two solutions, either drop the references to the OPEN chain(s) completely, or undo those very old edits. If there are no objections, I'll go with the former.

-- Lahwaacz (talk) 14:25, 8 September 2013 (UTC)

+1 for the former. The first talk item shows as well that the old refs should be removed completely. --Indigo (talk) 21:45, 11 September 2013 (UTC)
Done, see if I missed something or if anything needs better wording: [4] -- Lahwaacz (talk) 06:17, 12 September 2013 (UTC)
Fine with me. One could really add other examples to those INPUT chains, e.g. the logdrop from the main iptables article instead of opening port after port, but that's another matter. --Indigo (talk) 18:32, 12 September 2013 (UTC)