Log from #iptables at freenode 2006-06-08
[12:06] <vzynm> if the attacker crafts his own code to write to that vulnerable part of the code
[12:06] <vzynm> then he can do many things within his crafted limit
[12:06] <vzynm> e.g., bring back a shell to his computer from yours
[12:06] <vzynm> or even rm -rf /
[12:07] <vzynm> or if the program was not run with root privileges, he can try to keep escalating privileges
[12:07] <vzynm> your cgi apps might have vulnerabilities
[12:07] <vzynm> can you say you're a perfect coder? nobody can really
[12:07] <qzgvjuzysa> hmmm
[12:07] <vzynm> a good web pentesting tool is nikto
[12:07] <qzgvjuzysa> well i do have to rewrite it this summer
[12:08] <vzynm> but those are still for common vulnerabilities
[12:08] <vzynm> misconfigurations, mostly
[12:08] <vzynm> and only checks a list on securityfocus and other popular databases
[12:09] <qzgvjuzysa> anyhow i must study computer architectures now
[12:09] <xzgmzyx> lol
[12:10] <vzynm> and i need to get this goddamn nat forwarding to work already ;-(
[12:10] <qzgvjuzysa> :)
[12:11] <vzynm> anyways Qantourisc
[12:11] <vzynm> you have 3 subjects to worry about in overall security
[12:11] <vzynm> look at security at a networking point with snort and firewall rules
[12:11] <xzgmzyx> watching tv and jesus christ the guy took out a 6 inch deep piece of glass from his abdomen
[12:11] <vzynm> programming point with grsec and selinux
[12:12] <vzynm> and cryptologic point by using ciphers to encrypt data
[12:12] <qzgvjuzysa> ok
[12:12] <vzynm> so if you're studying security, those are the 3 subjects i'd focus on in improving overall security of your systems
[12:13] <xzgmzyx> tried, both selinux and grsec ?
[12:13] <qzgvjuzysa> tried: how do you feel about routers you buy ?
[12:13] <vzynm> both can work together, but you do not use them together
[12:13] <vzynm> you use 1
[12:14] <vzynm> hybrid MAC (RBAC) or close to pure MAC (selinux)
[12:14] <vzynm> i don't buy routers, i make them
[12:14] <qzgvjuzysa> :)
[12:14] <qzgvjuzysa> i know
[12:14] <vzynm> iptables is good for making routers
[12:15] <qzgvjuzysa> but how do you feel about them ?
[12:15] <vzynm> they're secure enough for the home user
[12:15] <vzynm> as long as it's configured correctly
[12:16] <xzgmzyx> tried, what about the linksys wrtg54 that u can install linux on
[12:16] <qzgvjuzysa> as in by the user or producer ?
[12:16] <vzynm> at a corporate standpoint, i'd say you'd need something more manageable
[12:16] <vzynm> linksys wrtg54 can work well if you put linux in it
[12:16] <vzynm> well the firmware is technically linux some say
[12:16] <vzynm> but if you're talking about openwrt, then yes, i don't see why it couldn't be configured to be a good router
[12:17] <qzgvjuzysa> tried: btw low or high interrupt rate for a router ?
[12:17] <vzynm> remember, it's not about the hardware, it's the configurations ;-)
[12:17] <vzynm> i'm not sure
[12:18] <qzgvjuzysa> i'd say high, so you can act more quickly on packages ?
[12:18] <qzgvjuzysa> in case your drivers use interrupts
[12:18] <vzynm> that's got to be done with your own research
[12:18] <qzgvjuzysa> on the other hand it will increase cpu load for the same amount of traffic
[12:19] <vzynm> what kind of computer is your router?
[12:19] <qzgvjuzysa> x86
[12:19] <vzynm> well either way i can't tell you what to set your interrupt rates to
[12:19] <qzgvjuzysa> :)
[12:19] <vzynm> that's something you'd have to perform your own benchmarks with
[12:19] <vzynm> then set it accordingly
[12:20] <vzynm> it's kinda like asking me what you should set your front side bus on your cpu to
[12:20] <qzgvjuzysa> i think it will be the usual => low => high bandwidth => high => faster response time
[12:20] <qzgvjuzysa> tried: what about preemptive ?
[12:20] <vzynm> now are you talking about QoS?
[12:21] <vzynm> that i cannot help you with
[12:21] <qzgvjuzysa> tried: no, preemptive kernel
[12:21] <vzynm> that's by benchmark as well
[12:21] <qzgvjuzysa> ok thank you
[12:21] <vzynm> you'd have to experiment
[12:22] <qzgvjuzysa> i know 1000hz and low latency does not perform well :)
[12:22] <qzgvjuzysa> but stays smooth
[12:22] <qzgvjuzysa> but effeciently drops like a brick
[12:22] <qzgvjuzysa> *efficiency
[12:22] <vzynm> and besides you run different applications on your router right?
[12:22] <qzgvjuzysa> yes, dunno what load they will represent
[12:22] <vzynm> so i'm wondering even if you tested it, then it will vary
[12:23] <qzgvjuzysa> :)
[12:23] <qzgvjuzysa> true
[12:23] <vzynm> so really, all that is entirely something you'd have to learn and configure
[12:23] <vzynm> or ask someone that knows better heh
[12:23] <qzgvjuzysa> well there are only 9 possible combinations so ...
[12:23] <qzgvjuzysa> and they can be tested 3 by 3
[12:24] <vzynm> do it, i stay away from it lol
[12:24] <qzgvjuzysa> ?
[12:24] <qzgvjuzysa> how can you stay away from it ? you mean leave it default ?
[12:25] <vzynm> i don't remember touching kernel preemption settings even once
[12:26] <qzgvjuzysa> can be interesting if you need low latency or a number crunching machine
[12:26] <vzynm> i agree
[12:26] <vzynm> but i have no need for that here heh
[12:26] <qzgvjuzysa> i do :)
[12:26] <qzgvjuzysa> low latency games, routing (for games)
[12:26] <vzynm> that's mostly 2.4 kernel stuff
[12:26] <qzgvjuzysa> and number crunching: rendering
[12:27] <vzynm> us 2.6 people just enable it
[12:36] <vzynm> to answer your benchmarking questions, iptables will sometimes be processor heavy if you receive a lot of packets and the packets go through the whole chain
[12:36] <vzynm> so don't ever set iptables with too low a priority or you will slow your network down
[12:36] <vzynm> anyways
[12:36] <qzgvjuzysa> well, no clue what will happen :)
[12:36] <vzynm> http://www.rafb.net/paste/results/mT6epe95.html
[12:36] <vzynm> does anyone know why the PREROUTING rules towards the end don't work?
[12:37] <qzgvjuzysa> tried: nice idea, very good idea to make an init for it !
[12:37] <vzynm> heh
[12:37] <qzgvjuzysa> tried: although i'd make DROP instead of STOP when the service is not started
[12:37] <qzgvjuzysa> i mean accept