| 1 |
Walter Dnes wrote: |
| 2 |
> On Fri, Dec 28, 2012 at 01:07:11AM -0500, Michael Orlitzky wrote |
| 3 |
>> On 12/27/2012 10:59 PM, Walter Dnes wrote: |
| 4 |
>>> Here's my revised "Paranoia Plus" ruleset. Any comments? Because I'm |
| 5 |
>>> behind a NAT-ing ADSL router/modem, many of my rules rarely see hits. |
| 6 |
>>> However, I do have a backup dialup connection in case of problems, so |
| 7 |
>>> most of my rules don't specify the network interface. A couple of |
| 8 |
>>> notes... |
| 9 |
>>> |
| 10 |
>> I did a bunch of inline comments below as I was trying to understand the |
| 11 |
>> rules. At the end I give the tl;dr, but maybe the inline comments are |
| 12 |
>> useful too. |
| 13 |
> |
| 14 |
> Thanks. My ruleset has accumulated years of cruft. I should really |
| 15 |
> sit down and rewrite the thing from square 1. I have one comment. You |
| 16 |
> show what appears to be a bash script for setting up the rules. I work |
| 17 |
> with the contents of file /var/lib/iptables/rules-save instead. |
| 18 |
> |
| 19 |
|
| 20 |
Calling iptables repeatedly from a shell script is not advisable. A |
| 21 |
better approach is described by Jan Engelhardt in his "Towards the |
| 22 |
perfect ruleset" document: |
| 23 |
|
| 24 |
http://inai.de/documents/Perfect_Ruleset.pdf |
| 25 |
|
| 26 |
The method of working with /var/lib/iptables/rules-save is very similar |
| 27 |
to that which he describes. |
| 28 |
|
| 29 |
Cheers, |
| 30 |
|
| 31 |
--Kerin |
Archives