Mailinglist Archive: opensuse-bugs (9721 mails)
[Bug 344648] advanced iptables config
- From: bugzilla_noreply@xxxxxxxxxx
- Date: Fri, 30 Nov 2007 08:20:18 -0700 (MST)
- Message-id: <20071130152018.117FC24538D@xxxxxxxxxxxxxxxxxxxxxx>
https://bugzilla.novell.com/show_bug.cgi?id=344648#c2
Lukas Ocilka <locilka@xxxxxxxxxx> changed:
What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEW     |NEEDINFO
Info Provider |        |lnussel@xxxxxxxxxx
--- Comment #2 from Lukas Ocilka <locilka@xxxxxxxxxx> 2007-11-30 08:20:17 MST ---
Hmm, I'll check how it is possible to add custom rules of this level.
There are already some custom rules but you can't modify or add
iptables -A INPUT -m state --state INVALID -j DROP
On the other hand, does it mean that all INVALID packets are dropped by
default?
See /etc/sysconfig/SuSEfirewall2
## Type: yesno
## Default: no
#
# 26.)
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
FW_REJECT=""
So, they're actually dropped by default.
My current iptables:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
input_int  all  --  0.0.0.0/0            0.0.0.0/0
input_ext  all  --  0.0.0.0/0            0.0.0.0/0
input_ext  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  0.0.0.0/0            0.0.0.0/0
Not accepted packets are dropped (and logged).
Ludwig: is there some way we can do the requested '--state INVALID -j DROP' at
the beginning of the iptables rules?
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
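The question in the comment above is whether the INPUT chain drops INVALID packets before any rule that could accept them, and how to put such a rule first. The script below is an added example, not part of the bug report or of SuSEfirewall2: it reads rules in the format produced by `iptables -S INPUT`, reports the position of an INVALID-to-DROP rule, counts the rules an INVALID packet could reach ahead of it, and prints the `iptables -I INPUT 1 ...` command that would put the rule at the head of the chain. The two rule sets are constructed to mirror the chain listed in the comment; the interface names (lo, eth0, eth1) are assumptions, since the listing was taken without `-v` and shows no interfaces.

```shell
#!/bin/sh
# Added example: check the ordering of an INVALID -> DROP rule in INPUT.
# Input is text in `iptables -S INPUT` form. Both samples are constructed
# (the first mirrors the chain in the bug comment, the second is the same
# chain after `iptables -I INPUT 1 -m state --state INVALID -j DROP`);
# the interface names are assumptions.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP'

FIXED_RULES='-P INPUT DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP'

# invalid_drop_position RULES
# Prints the 1-based number of the first INPUT rule that matches INVALID
# (either the old state match or the conntrack ctstate match) and jumps to
# DROP; prints 0 when there is no such rule.
invalid_drop_position() {
    n=0
    while IFS= read -r rule; do
        case $rule in
            "-A INPUT "*) n=$((n + 1)) ;;
            *) continue ;;
        esac
        case $rule in
            *"--state INVALID "*"-j DROP"*|*"--ctstate INVALID "*"-j DROP"*)
                echo "$n"; return 0 ;;
        esac
    done <<EOF
$1
EOF
    echo 0
}

# invalid_drop_first RULES
# Succeeds only when the INVALID -> DROP rule is rule number 1.
invalid_drop_first() {
    [ "$(invalid_drop_position "$1")" -eq 1 ]
}

# accepting_rules_before RULES
# Counts INPUT rules ahead of the INVALID -> DROP rule (all rules when there
# is none) whose target is ACCEPT or a user-defined chain such as input_ext,
# i.e. rules through which an INVALID packet could still be accepted.
accepting_rules_before() {
    limit=$(invalid_drop_position "$1")
    n=0
    count=0
    while IFS= read -r rule; do
        case $rule in
            "-A INPUT "*" -j "*) n=$((n + 1)) ;;
            "-A INPUT "*) n=$((n + 1)); continue ;;
            *) continue ;;
        esac
        if [ "$limit" -ne 0 ] && [ "$n" -ge "$limit" ]; then
            break
        fi
        target=${rule##*-j }      # text after the last "-j "
        target=${target%% *}      # first word of it is the target
        case $target in
            DROP|REJECT|LOG|RETURN) ;;
            *) count=$((count + 1)) ;;
        esac
    done <<EOF
$1
EOF
    echo "$count"
}

# suggest_fix RULES
# Prints the command that inserts the rule at the head of INPUT, or a
# confirmation when it is already there.
suggest_fix() {
    if invalid_drop_first "$1"; then
        echo "INPUT already drops INVALID packets first"
    else
        echo "iptables -I INPUT 1 -m state --state INVALID -j DROP"
    fi
}

echo "rules an INVALID packet can reach before being dropped: $(accepting_rules_before "$SAMPLE_RULES")"
suggest_fix "$SAMPLE_RULES"
```

On a live host the same check runs as `invalid_drop_position "$(iptables -S INPUT)"`. The ctstate pattern is there because newer iptables prints `-m conntrack --ctstate` where the 2007-era tooling used `-m state --state`; the count function treats the RELATED,ESTABLISHED ACCEPT conservatively as reachable even though conntrack never classifies one packet as both ESTABLISHED and INVALID.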