RE: Block martians with source address 127.0.0.1

From: Bjørn Rasmussen (bjoernr_at_sensewave.com)
Date: 06/04/04

  • Next message: Piotr Kowalczyk: "mrtg/snmp/subinterfaces"
    To: Thomas Corriher <thomas_corriher@earthlink.net>
    Date: Fri, 04 Jun 2004 20:10:57 +0200
    
    

    Fri, 04.06.2004 at 15:50, Thomas Corriher wrote:
    > I'm sure this thread will die soon, but it has given us
    > pause to consider how complex network security is -- and the
    > dangers of attempting to over-simplify the details. I
    > apologize for my careless mistakes, and appreciate the
    > technical corrections.

    No problem :-)

    > My experience is with kernel chains,
    > (not tables) so I would need to do some homework myself
    > before upgrading to the ip-tables -- or refresh my memory if
    > I made major changes to my existing chains. All of us must
    > do our homework or face consequences.

    Then you have something to look forward to. In fact, having invested
    all that time to learn ipchains should be paid back by learning
    iptables. Working with iptables is a breeze compared to ipchains, and
    the difference is small, so it's easier to learn than you think. Since
    it's easier to make mistakes in ipchains (stateless), iptables is more
    secure, and you don't have to open ports above 1023.
    >
    > The thing about having a logging rule on a separate line may
    > be possible with the tables, but being possible does not
    > make it wise. Frankly, I think doing that is stupid. It
    > inserts unnecessary complexity and potentially places the
    > rules which apply to a specific packet in completely different
    > locations; which naturally could cause serious unintended
    > consequences. It is almost common sense that this sort of
    > stuff ought to be grouped together.

    In iptables, "LOG" is a "non-terminating" target (processing continues
    on the next line). You have to use two lines, since logging is not an
    option anymore. iptables is not based on ipchains, but almost completely
    rewritten. The developers of iptables/netfilter decided to modularize
    it. Developers can make new targets in the future, and the targets have
    their own options. LOG is one of these targets (though a standard one).

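    Added example, not code from the thread or from the netfilter project: the
    two-line LOG + DROP pair described in the reply above, written out for
    packets arriving on the external interface with a loopback source address,
    together with a stateful rule that accepts replies to outbound connections
    so no ports above 1023 have to be opened. Assumptions of mine: the external
    interface is named eth0, and IPT defaults to "echo iptables" so the script
    prints the rules instead of applying them (run as root with IPT=iptables to
    apply). The martian pair sits in the mangle table's PREROUTING chain rather
    than INPUT because that chain runs before the routing decision, where the
    kernel's own martian-source check would otherwise discard the packet first.

```shell
#!/bin/sh
# Added example (not from the original thread). Demonstrates that LOG is a
# non-terminating target: logging and dropping need two separate rules with
# the same match, one after the other.
#
# Assumptions (mine, not the page's): external interface is eth0; IPT defaults
# to "echo iptables" so the rules are printed, not applied.
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"

martian_rules() {
    # LOG writes the log entry and the packet keeps traversing the chain,
    # so this line on its own blocks nothing.
    $IPT -t mangle -A PREROUTING -i "$WAN" -s 127.0.0.0/8 -j LOG \
        --log-prefix "MARTIAN-LO: " --log-level 4
    # The terminating rule is a separate line, directly after, with the
    # identical match; without it the logged packet is never dropped.
    $IPT -t mangle -A PREROUTING -i "$WAN" -s 127.0.0.0/8 -j DROP
}

stateful_rules() {
    # Replies to connections this host started are accepted whatever their
    # port, which is what makes the ipchains-era "open everything above
    # 1023" workaround unnecessary.
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

all_rules() {
    # Default policy: anything no rule accepts is dropped.
    $IPT -P INPUT DROP
    # Martian check first, before anything could accept the packet.
    martian_rules
    stateful_rules
    # ACCEPT rules for services this host really exposes would go here.
}

all_rules
```

    The pair is written to the mangle table's PREROUTING chain deliberately:
    Linux's routing code rejects a 127.0.0.0/8 source arriving on a
    non-loopback interface as a martian (visible via the log_martians
    sysctl), so a filter-table INPUT rule would normally never see such a
    packet. PREROUTING runs before that decision, so netfilter logs and
    drops it itself.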

