| 1 |
On Tue, May 01, 2007 at 04:50:54PM -0400, waltdnes@××××××××.org wrote |
| 2 |
|
| 3 |
> RTFM didn't find anything useful and I know the rules worked before. |
| 4 |
> Help. |
| 5 |
|
| 6 |
For what it's worth, I'm running linux-2.6.20-gentoo-r7 on the Dell. |
| 7 |
|
| 8 |
I went and did it "the hard way". I started by commenting out almost |
| 9 |
everything. Then I uncommented one chain at a time until I ran into an |
| 10 |
error. Then I commented out one rule at the end until the error |
| 11 |
disappeared. I found two sets of problems... |
| 12 |
|
| 13 |
1) The working ruleset (on my main machine), starts off with... |
| 14 |
*filter |
| 15 |
:INPUT DROP |
| 16 |
:FORWARD DROP |
| 17 |
:OUTPUT DROP |
| 18 |
:DROP_LOG |
| 19 |
:ICMP_IN |
| 20 |
:PRIVATE |
| 21 |
:PRIVATE_LOG |
| 22 |
:TCP_IN |
| 23 |
:UDP_IN |
| 24 |
:UNSOLICITED |
| 25 |
|
| 26 |
Seems that the latest version does not like my own chains being |
| 27 |
declared this way. I got rid of the first batch of errors by switching |
| 28 |
the rules to... |
| 29 |
*filter |
| 30 |
:INPUT DROP [0:0] |
| 31 |
:FORWARD DROP [0:0] |
| 32 |
:OUTPUT DROP [0:0] |
| 33 |
-F |
| 34 |
-X |
| 35 |
-N DROP_LOG |
| 36 |
-N ICMP_IN |
| 37 |
-N PRIVATE |
| 38 |
-N PRIVATE_LOG |
| 39 |
-N TCP_IN |
| 40 |
-N UDP_IN |
| 41 |
-N UNSOLICITED |
| 42 |
|
| 43 |
The final remaining problem is with the 3 statements scattered |
| 44 |
through the rules... |
| 45 |
|
| 46 |
-A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED |
| 47 |
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED |
| 48 |
-A UDP_IN -p udp -m state --state NEW -j UNSOLICITED |
| 49 |
|
| 50 |
This works on the main system, with a slightly older kernel. On the |
| 51 |
Dell, running 2.6.20-r7, I have a whole bunch of stuff enabled in the |
| 52 |
kernel, including... |
| 53 |
|
| 54 |
[*] Network packet filtering framework (Netfilter) ---> |
| 55 |
<*> Netfilter Xtables support (required for ip_tables) |
| 56 |
|
| 57 |
Core Netfilter Configuration ---> |
| 58 |
<*> Netfilter Xtables support (required for ip_tables) |
| 59 |
<*> "conntrack" connection tracking match support |
| 60 |
<*> "state" match support |
| 61 |
|
| 62 |
IP: Netfilter Configuration ---> |
| 63 |
<*> IP tables support (required for filtering/masq/NAT) |
| 64 |
<*> Packet filtering |
| 65 |
|
| 66 |
In case someone's wondering... I don't want/need router |
| 67 |
functionality. I don't want/need NATing functionality. I don't |
| 68 |
want/need mangling or QOS or other fancy stuff. I just want a stinking |
| 69 |
firewall. What is the minimum I need to enable to get the above 3 |
| 70 |
statements to work? |
| 71 |
|
| 72 |
-- |
| 73 |
Walter Dnes <waltdnes@××××××××.org> In linux /sbin/init is Job #1 |
| 74 |
Q. Mr. Ghandi, what do you think of Microsoft security? |
| 75 |
A. I think it would be a good idea. |
| 76 |
-- |
| 77 |
gentoo-user@g.o mailing list |
Archives