On Tue, May 01, 2007 at 04:50:54PM -0400, waltdnes@××××××××.org wrote:

> RTFM didn't find anything useful and I know the rules worked before.
> Help.

For what it's worth, I'm running linux-2.6.20-gentoo-r7 on the Dell.

I went and did it "the hard way". I started by commenting out almost
everything. Then I uncommented one chain at a time until I ran into an
error. Then I commented out one rule at the end until the error
disappeared. I found two sets of problems...

1) The working ruleset (on my main machine) starts off with...

*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
:DROP_LOG
:ICMP_IN
:PRIVATE
:PRIVATE_LOG
:TCP_IN
:UDP_IN
:UNSOLICITED

Seems that the latest version does not like my own chains being
declared this way. I got rid of the first batch of errors by switching
the rules to...

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-F
-X
-N DROP_LOG
-N ICMP_IN
-N PRIVATE
-N PRIVATE_LOG
-N TCP_IN
-N UDP_IN
-N UNSOLICITED

2) The final remaining problem is with the 3 statements scattered
through the rules...

-A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m state --state NEW -j UNSOLICITED

This works on the main system, with a slightly older kernel. On the
Dell, running 2.6.20-r7, I have a whole bunch of stuff enabled in the
kernel, including...

[*] Network packet filtering framework (Netfilter) --->
<*> Netfilter Xtables support (required for ip_tables)

Core Netfilter Configuration --->
<*> Netfilter Xtables support (required for ip_tables)
<*> "conntrack" connection tracking match support
<*> "state" match support

IP: Netfilter Configuration --->
<*> IP tables support (required for filtering/masq/NAT)
<*> Packet filtering

In case someone's wondering... I don't want/need router
functionality. I don't want/need NATing functionality. I don't
want/need mangling or QoS or other fancy stuff. I just want a stinking
firewall. What is the minimum I need to enable to get the above 3
statements to work?

--
Walter Dnes <waltdnes@××××××××.org> In linux /sbin/init is Job #1
Q. Mr. Gandhi, what do you think of Microsoft security?
A. I think it would be a good idea.
--
gentoo-user@g.o mailing list
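The mail above describes two ways an iptables-restore ruleset can fail to load: user chains declared without the policy and counter fields iptables-restore expects, and rules using a match module (here `-m state`) that the running kernel was built without. The script below is an added example, not code from the original post or from the iptables project: a small lint that checks a ruleset file for those two defects before it is fed to iptables-restore, and additionally flags jumps to chains that are never declared or created with `-N`. The sample rulesets and the match list it works on are constructed inline so it runs offline; on a live system the match list comes from `/proc/net/ip_tables_matches`, and the list of built-in targets and the exit-status convention are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post or the iptables project).
# Lint an iptables-restore ruleset for the failure modes in the mail:
#  (1) chain lines of the form ":NAME" instead of ":NAME - [0:0]"
#  (2) "-m" match modules the kernel does not provide
#  (3) "-j" jumps to chains that are never declared or created with -N
# Assumption: the kernel's match list is passed in as a file so this
# runs offline; on a live system use /proc/net/ip_tables_matches.

# lint_ruleset RULES_FILE MATCHES_FILE
# Prints one finding per line; exit status is the number of findings.
lint_ruleset() {
    awk -v matches_file="$2" '
    BEGIN {
        # targets that are valid without a user chain of that name
        split("ACCEPT DROP REJECT RETURN LOG QUEUE", t, " ")
        for (i in t) builtin[t[i]] = 1
        while ((getline m < matches_file) > 0) have_match[m] = 1
        close(matches_file)
        problems = 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^:/ {                                     # chain declaration
        name = substr($1, 2)
        declared[name] = 1
        # built-in chains carry a policy; user chains use "-" as policy
        if (NF != 3 || $3 !~ /^\[[0-9]+:[0-9]+]$/) {
            printf("line %d: chain %s lacks policy/counters, expected \":%s - [0:0]\"\n",
                   NR, name, name)
            problems++
        }
        next
    }
    /^-N / { declared[$2] = 1; next }          # chain created by a command
    /^-[AI] / {                                # rule: record matches and jumps
        for (i = 2; i < NF; i++) {
            if ($i == "-m") uses_match[$(i + 1)] = NR
            if ($i == "-j") jumps[$(i + 1)] = NR
        }
        next
    }
    END {
        for (j in jumps)
            if (!(j in declared) && !(j in builtin)) {
                printf("line %d: jump to undeclared chain %s\n", jumps[j], j)
                problems++
            }
        for (m in uses_match)
            if (!(m in have_match)) {
                printf("line %d: match \"%s\" is not available in this kernel\n",
                       uses_match[m], m)
                problems++
            }
        exit problems
    }' "$1"
}

# write_samples DIR: constructed sample input (not output of any real system)
write_samples() {
    # match list mimicking a kernel built without the "state" match
    printf 'icmp\ntcp\nudp\n' > "$1/matches"
    # the broken shape from the mail: bare ":TCP_IN", a jump to a chain
    # that is never created, and "-m state" on a kernel without it
    cat > "$1/bad.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:TCP_IN
-A INPUT -p tcp -j TCP_IN
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
COMMIT
EOF
    # the same idea written the way iptables-restore accepts it
    cat > "$1/good.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:TCP_IN - [0:0]
:UNSOLICITED - [0:0]
-A INPUT -p tcp -j TCP_IN
-A TCP_IN -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP_IN -j UNSOLICITED
-A UNSOLICITED -j DROP
COMMIT
EOF
}

# Stand-alone demo: lint both constructed rulesets
tmp=$(mktemp -d)
write_samples "$tmp"
for f in good bad; do
    rc=0
    lint_ruleset "$tmp/$f.rules" "$tmp/matches" || rc=$?
    echo "$f.rules: $rc finding(s)"
done
rm -rf "$tmp"
```

Run against a real ruleset as `lint_ruleset /etc/iptables.rules /proc/net/ip_tables_matches`; a missing `state` entry in that file is exactly the symptom the three `--state NEW` rules in the mail produce on a kernel that lacks the state match. The lint only reads files, so it is safe to run before touching the live firewall.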