Log from #iptables at freenode 2006-07-10
[00:00]<cydj>one more thing .. what are the recommended /proc settings? I know about tcp_syncookies & rp_filter, anything else worth noticing ?
[00:01]<mrrynfmr>only other one I know of is /proc/sys/net/netfilter/ip_conntrack_tcp_loose - set it to zero about 20 minutes after a reboot of the router
[00:01]<mrrynfmr>that lets the router pick up already-established connections
[00:02]<cydj>duh! did I miss a message over that netsplit?! (I only got "that lets the router pick up already-established connections")
[00:03]<mrrynfmr>> the only other one I know of is /proc/sys/net/netfilter/ip_conntrack_tcp_loose - set it to zero about 20 minutes after a reboot of the router
[00:03]<cydj>thnx ...
[00:03]<cydj>I am thinking rp_filter is useless as well, if I make FORWARD policy DROP, right?
[00:04]<cydj>and only forward packets, internal 2 output
[00:04]<mrrynfmr>rp_filter might still be useful - don't disable it unless you have a reason
[00:04]<cydj>just in case :)
[00:05]<mrrynfmr>you are correct that it won't make any difference though
[00:06]<cydj>also, a rule blocking spoofed packets coming on public interface such as
[00:07]<cydj>iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
[00:07]<cydj>is useless if I am using rp_filter, correct ?
[00:07]<mrrynfmr>I think so
[00:07]<cydj>thanks man ..
[00:10]<cydj>why would --state NEW, be better than --syn ? (if it is)
[00:11]<mrrynfmr>it handles UDP, and it uses the conntrack instead of just the TCP flags
[00:11]<cydj>what's the meaning of (-s 0/0 -d 0/0 )
[00:11]<mrrynfmr>no meaning
[00:12]<cydj>iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT
[00:12]<mrrynfmr>is exactly identical to iptables -A INPUT -p tcp --dport 80 --syn -j ACCEPT
[00:12]<cydj>oh ok ..
[00:13]<mrrynfmr>otherwise, -s and -d specify source & destination IPs
[00:16]<cydj>If I run a mailserver behind a firewall, I *have* to DNAT to the mail server, right? It is never accessible in any direct *forwarding* manner ?
[00:17]<cydj>perhaps maybe if the mailserver has a real IP?!
[00:18]<mrrynfmr>if the mailserver has a real IP, the router could route things to it
[00:18]<mrrynfmr>but the router would have to know the IP and have a route for it
[00:18]<mrrynfmr>(or the mailserver would need its own connection to the internet)
[00:18]<cydj>yeah ... so if it has a 192.168 IP, then I have to DNAT ?
[00:19]<mrrynfmr>yes
[00:22]<cydj>If I query my ISP DNS server, the reply is sent over UDP. Would this be considered (ESTABLISHED,RELATED) ?
[00:22]<mrrynfmr>ESTABLISHED
[00:22]<drwygn>hmmm... ESTABLISHED is the state of the TCP connection - it could also be FIN_WAIT or other things
[00:23]<cydj>maxine: so would an INPUT ESTABLISHED rule let it in ?
[00:23]<drwygn>kimo: wish i knew
[00:23]<mrrynfmr>maxine is a bot
[00:24]<cydj>danieldg: weird, UDP is connectionless !
[00:24]<mrrynfmr>but conntrack tracks it anyway
[00:24]<cydj>but how does it track it ? (packet timing?)
[00:24]<mrrynfmr>yep, timing and port numbers
[00:25]<cydj>smart little genie :)
[00:30]<cydj>is there " -j DENY" !
[00:30]<mrrynfmr>-j DROP or -j REJECT?
[00:30]<cydj>yeah!
[00:35]<cydj>using custom chains, is purely for performance optimization, AFAIK, correct ?
[00:35]<mrrynfmr>there are other reasons too
[00:35]<mrrynfmr>but mostly yes
[00:35]<cydj>thanks ...
[00:52]<cydj>I'm presenting about iptables tomorrow, what are some interesting modules for netfilter ?? (I know about -m limit, recent)
[00:54]<mrrynfmr>owner, for outbound filtering
[00:54]<cydj>who would put users on gateway machine :)
[00:55]<mrrynfmr>well, you can have a firewall on a server... ;)
[00:55]<mrrynfmr>u32, for arbitrary packet inspection
[00:56]<mrrynfmr>maybe ipp2p
[00:57]<mrrynfmr>I think u32 and ipp2p require a kernel patch
[00:58]<cydj>thnx .. ipp2p does sound very interesting
[01:01]<cydj>just a weird question ... say I have webserver, and all other service are closed (nmap only finds port 80 open), why would a firewall still be important to run on such a host!!
[01:01]<mrrynfmr>an outbound firewall might be useful
[01:01]<cydj>why
[01:02]<mrrynfmr>it could prevent any outbound connections by the UID of the webserver
[01:02]<mrrynfmr>so when some script kiddie finds an exploit on your server, he can't get it to download anything for him
[01:04]<cydj>yeah ... but most of the work goes into filtering input chain, and usually there is no server listening there. Seems like firewalling in general is not so important, unless someone forgets a server running by mistake! or am I horribly mistaken!
[01:04]<mrrynfmr>mostly, yes
[01:04]<mrrynfmr>it does help if you start a service by accident / is started by installer without your knowledge
[01:05]<cydj>:) You can't believe how many people think of a FW as the network security silver bullet
[01:06]<mrrynfmr>kinda...
[01:07]<mrrynfmr>not running stuff as root is also good
[01:07]<cydj>yeah, but local priv escalation is not so difficult these days
[01:08]<cydj>I'm running oracle on real IPs and wish I could make a selinux policy for them. The policy is just darn hard to play with!
[01:25]<cydj>what's a use for mangle. I have never seen it doing anything useful!
[01:25]<mrrynfmr>changing TTL or TOS bits
[01:25]<mrrynfmr>using MARK for QoS
[01:27]<cydj>can u give a real world example please. ie match to what to perform what?
[01:27]<cydj>I've neber played with TOS or QoS :)
[01:27]<cydj>never*
[01:27]<mrrynfmr>http://lartc.org/howto/lartc.netfilter.html
[01:28]<cydj>thnx ..
[06:47]<ajgm1zm>hi
[06:47]<ajgm1zm>any good howto's on how to cluster IPTables ?
[10:18]<rzrrygus>morning
[10:18]<rzrrygus>anyone awake?
[10:50]<ajs2d>hi
[10:50]<drwygn>how's it going, cosby.
[10:51]<ajs2d>can u help?
[10:51]<rzrrygus>I'm looking for help too
[10:51]<rzrrygus>:(
[10:51]<sgnzcm_bzsvzzm>post your question
[10:51]<sgnzcm_bzsvzzm>or nobody can help
[10:51]<ajs2d>how can i dl porn?
[10:52]<sgnzcm_bzsvzzm>cosby: you can pretty easily get banned from here too
[10:52]<ajs2d>should i leave?
[10:52]<sgnzcm_bzsvzzm>arcainus: what is your question ?
[10:52]<rzrrygus>now ur awake ;)
[10:53]<rzrrygus>ok...i have a firewall...a server and a client