Walter Dnes wrote:

> On Fri, Dec 28, 2012 at 01:07:11AM -0500, Michael Orlitzky wrote
>> On 12/27/2012 10:59 PM, Walter Dnes wrote:
>>> Here's my revised "Paranoia Plus" ruleset. Any comments? Because I'm
>>> behind a NAT-ing ADSL router/modem, many of my rules rarely see hits.
>>> However, I do have a backup dialup connection in case of problems, so
>>> most of my rules don't specify the network interface. A couple of
>>> notes...
>>>
>> I did a bunch of inline comments below as I was trying to understand the
>> rules. At the end I give the tl;dr, but maybe the inline comments are
>> useful too.
>
> Thanks. My ruleset has accumulated years of cruft. I should really
> sit down and rewrite the thing from square 1. I have one comment. You
> show what appears to be a bash script for setting up the rules. I work
> with the contents of file /var/lib/iptables/rules-save instead.
>

Calling iptables repeatedly from a shell script is not advisable. A
better approach is described by Jan Engelhardt in his "Towards the
perfect ruleset" document:

http://inai.de/documents/Perfect_Ruleset.pdf

The method of working with /var/lib/iptables/rules-save is very similar
to that which he describes.

Cheers,

--Kerin
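The contrast Kerin draws above (one iptables call per rule versus loading a whole ruleset at once) is easier to see with a concrete file. The script below is an added illustration, not code from this thread or from the Perfect_Ruleset document: it emits a small default-deny INPUT policy in the iptables-save text format (the format /var/lib/iptables/rules-save holds) and hands it to iptables-restore, which parses the entire file and commits it as one unit. The interface name, the rate limits and the log prefix are constructed placeholders, and loading the file obviously requires root and a host with iptables-restore installed.

```shell
#!/bin/sh
# Added example: build a complete ruleset in iptables-save format and load it
# atomically with iptables-restore, instead of forking iptables once per rule.
# The interface name and limits are constructed placeholders.

# Emit the ruleset.  iptables-restore applies everything between the table
# header and COMMIT in a single transaction, so there is no window during
# which only part of the policy is in the kernel, and a syntax error rejects
# the whole file rather than leaving a half-applied ruleset behind.
gen_ruleset() {
    wan_if="${1:-ppp0}"   # placeholder: the dialup/ADSL interface
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i ${wan_if} -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# Validate with --test first (parse only, no kernel change), then commit.
# Returns non-zero without touching the running policy if the file is bad.
load_ruleset() {
    tmp=$(mktemp) || return 1
    gen_ruleset "$1" > "$tmp"
    iptables-restore --test < "$tmp" && iptables-restore < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (as root): load_ruleset eth1
# To inspect the generated file without loading it: gen_ruleset eth1
```

Keeping the policy as one file also means the running ruleset can be compared against the file with iptables-save, which is much harder to do when the rules only exist as a sequence of shell commands.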