Gentoo Archives: gentoo-user

From: Michael Mol <mikemol@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] IPTABLES syntax change?
Date: Fri, 04 Jan 2013 20:30:01
Message-Id: CA+czFiAfUwJUT0nvms5mM6eKmB-R3br0T27kgRGvy_1UVX0LmQ@mail.gmail.com
In Reply to: Re: [gentoo-user] IPTABLES syntax change? by Walter Dnes
On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes <waltdnes@××××××××.org> wrote:
> On Wed, Jan 02, 2013 at 11:32:58PM -0500, Michael Orlitzky wrote
>> On 12/30/2012 10:21 PM, Walter Dnes wrote:
>> > [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
>> > [0:0] -A FECESBOOK -j DROP
>> > [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
>> > [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
>> > [0:0] -A INPUT -i lo -j ACCEPT
>> > [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
>>
>> In fact, since you're blocking all outgoing packets to facebook, the
>> only state that a packet from facebook can have here is INVALID or NEW.
>> So traffic from facebook will be sent to the UNSOLICITED chain and DROPped.
>>
>>
>> > [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
>> > [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
>> > [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
>> > [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
>> > [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
>> > [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
>>
>> ...making these pointless =)
>
>
> I've run into at least one newspaper website (I forget which,
> it's occasionally used for links on Slashdot) which ends up trying to
> redirect me to a Facebook site even though the URL does not mention
> Facebook at all. There is other integration as well. See the first
> post in
> http://www.dslreports.com/forum/r26618459-Increasing-integration-of-facebook-into-many-web-sites
> I believe this may have been straightened out since then, but 13 months
> ago that post was correct. And then there's the "LIKE" button which
> shows up all over the web.
>
> The mere fact that you haven't manually typed in...
> http://www.facebook.com/blah_blah_blah does not mean you're not
> connecting to it.

But all that's above layer 3, since it's an HTTP redirect, or a page
transclusion which necessitates a new GET request. Michael's point
stands.

--
:wq
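Added example, not part of the thread: a small Python model of first-match traversal through the quoted INPUT chain. It assumes the UNSOLICITED chain (whose body is not shown) is a plain DROP, and shows that a packet from one of the listed Facebook ranges only reaches a FECESBOOK rule when conntrack already classifies it as ESTABLISHED, which cannot happen when outbound traffic to those ranges is blocked.

```python
from ipaddress import ip_address, ip_network

# Rules transcribed from the quoted iptables-save output, in chain order.
# UNSOLICITED's body is not in the thread; a bare DROP is an assumption.
CHAINS = {
    "INPUT": [
        dict(src="192.168.123.248/29", iface="eth0", target="ACCEPT"),
        dict(src="169.254.0.0/16", iface="eth0", target="ACCEPT"),
        dict(iface="lo", target="ACCEPT"),
        dict(ctstate={"INVALID", "NEW"}, target="UNSOLICITED"),
        dict(src="69.63.176.0/20", target="FECESBOOK"),
        dict(src="69.220.144.0/20", target="FECESBOOK"),
        dict(src="69.63.176.0/20", target="FECESBOOK"),
        dict(src="69.171.224.0/19", target="FECESBOOK"),
        dict(src="200.58.112.0/20", target="FECESBOOK"),
        dict(src="213.155.64.0/19", target="FECESBOOK"),
    ],
    "FECESBOOK": [dict(target="LOG"), dict(target="DROP")],
    "UNSOLICITED": [dict(target="DROP")],  # assumption, see above
}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def matches(rule, pkt):
    """Every criterion the rule specifies must hold (iptables AND semantics)."""
    if "src" in rule and ip_address(pkt["src"]) not in ip_network(rule["src"], strict=False):
        return False
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "ctstate" in rule and pkt["ctstate"] not in rule["ctstate"]:
        return False
    return True


def walk(chain, pkt, trail=None):
    """Return (verdict, trail): the first terminating target hit, plus the
    list of 'CHAIN[index]' rules that matched along the way."""
    trail = [] if trail is None else trail
    for i, rule in enumerate(CHAINS[chain]):
        if not matches(rule, pkt):
            continue
        trail.append(f"{chain}[{i}]")
        tgt = rule["target"]
        if tgt in TERMINAL:
            return tgt, trail
        if tgt in CHAINS:  # user chain: if it returns without a verdict, keep going
            verdict, trail = walk(tgt, pkt, trail)
            if verdict is not None:
                return verdict, trail
        # LOG and other non-terminating targets fall through to the next rule
    return None, trail  # end of chain: built-in policy (or RETURN) decides


if __name__ == "__main__":
    fb = {"src": "69.63.176.1", "iface": "eth0"}  # constructed sample source
    for state in ("NEW", "INVALID", "ESTABLISHED"):
        print(state, walk("INPUT", {**fb, "ctstate": state}))
```

With NEW or INVALID the packet is dropped at INPUT[3] via UNSOLICITED and never reaches the address-based rules; only an ESTABLISHED packet reaches FECESBOOK, which is exactly the case the outbound block rules out.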

Replies

Subject Author
Re: [gentoo-user] IPTABLES syntax change? Walter Dnes <waltdnes@××××××××.org>