<0> hello
<1> hi
<0> I still keep getting the following entry in my firewall log
<0> IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:23:5f:35:
<0> and so on
<0> the SRC=0.0.0.0
<0> the DST=255.255.255.255
<0> the proto is UDP
<2> sounds like DHCP
<0> what is the rule I need to use to stop it appearing in the firewall log?
<0> the rule I am using now is
<2> just do something with it before logging
<0> iptables -A udp_packets -p UDP -i eth0 -d 255.255.255.255 --destination-port 67:68 -j DROP
<0> and it looks like it doesn't do the job
<0> is there something wrong with my rule?
<2> where's the logging rule? after this?
<2> (btw, this would be more on-topic in #iptables)
<0> sorry, I am new to netfilter and iptables, so can you tell me
<0> how can I find out what the following rule is
<0> the line after that in the rc.iptables?
<0> sorry
<0> I am back
<0> so how do I find out the next rule
<0> just the following line?
<2> Only if that next line also starts with -A udp_packets
<2> otherwise you need to actually trace the packets
<0> it is
<2> and that next rule is the LOG rule?
<0> sorry, no, it is -A
<0> but not to udp_packets
<2> ah. then you'll need to trace the packets through the firewall
<0> how
<0> BTW I cannot see this rule in iptables -L
<0> why?
<2> you haven't committed it yet
<0> but this rule has already been in my rc.iptables for 3 days now
<2> so? have you rebooted since then?
<0> and I have rebooted my box
<0> and I just did a search in my rc.iptables
<2> ok, several ways to trace packets. Recompile your kernel with the TRACE target, or use a program I wrote to trace the iptables-save file
<0> that rule is the last -A udp_packets entry in my rc.iptables
<0> let me check
<0> I think I already have the TRACE target compiled in
<2> ok. can you pastebin the output of iptables-save?
<0> sorry, no, I am on a different box
<0> what is the config name for the TRACE target?
<2> it requires a kernel patch
<2> it's probably too much bother to get working just for this
<0> my kernel is 2.6.11.12
<0> does it still require that patch?
<2> yes. I think it's never going to be applied to a mainstream kernel
<2> it requires a kernel and iptables binary recompile
<0> ok
<2> it's really much easier to just trace the packets manually
<0> just run iptables-save
<2> yes
<0> and should I see udp_packets in my result at all?
<2> yes, it should be there somewhere
<0> ok
<0> maybe there is something wrong with my rc.iptables
<0> I will have a look and get back to you
<3> i have inet --> [router 192.168.0.1] --> [192.168.0.102 eth0 linux server eth1 192.168.1.1] --> [192.168.1.2 laptop]. from the laptop i can connect to the linux server 192.168.1.1 and i can ping 192.168.0.102, but i could not ping 192.168.0.1 .. does anybody know why? iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE and echo 1 > /proc/sys/net/ipv4/ip_forward
<3> can someone help me with that .. i am not able to ping the router
<4> what does your FORWARD chain look like?
<3> Chain FORWARD (policy DROP)
<3> target prot opt source destination
<3> drop ???
<4> ok, so you'll need to add ACCEPT rules to allow forwarding between eth0 and eth1
<3> that fixed it
<3> thx
<3> which is a good book to read about routing?
<3> i am really confused about the different subnets and stuff
<5> There are some HOWTOs online which might help. Rusty's Networking Concepts HOWTO and the old NET-3-HOWTO.
<5> A dead-tree book might be a good idea too, but I wouldn't know what to recommend.
<5> I just kind of picked it up by doing. Playing with User-mode Linux and OpenVPN can teach you a lot about routing.
<6> gug
<7> gug
<8> gug :)
<1> gugr
<3> does anybody know any free Cisco IOS simulation??
<9> gug
<10> hi
<9> another day stuffed with GPL-enforcement work
<8> LaF0rge: hi
<8> LaF0rge: we still need to talk about ct_sync changes resp. rusty-NAT
<8> Regit: hi
<10> I've got something strange with nufw (seems to be related to ip_queue or nfnetlink)
<10> nufw 1304 root 178u sock 0,4 544834 can't identify protocol
<10> The problem is that this sort of opened socket
<10> gets huge over time
<10> I reach 1024 on an install
<10> and grsecurity has blocked the soft
<7> Regit: the sockets are left behind somehow?
<11> good afternoon
<10> Gandalf_: yes, but I've just found I've been fooled by ulogd showing the same message, in fact it is linked with gnutls
<10> Gandalf_: thanks anyway!
<11> would anyone know if there's a way i can extract all the URLs of HTTP GETs through netfilter? or some other hack?
<11> ulog -> perl?
<12> yes, looks like an option, using IPTables::IPv4::IPQueue
<12> couldn't you also use a transparent proxy and an existing logging mechanism?
<11> i probably could
<11> but i'm looking for the simplest of setups, and the least demanding ...
<11> i like google desktop's web history thing ...
<11> but google scares me ...
<11> i'd like to write something like it ...
<11> get all URLs ...
<11> and index the ones that return text
<11> the 'proxy' would be running on a wrt54g ...
<11> so keeping the load to a minimum would be nice
<7> there's a small sniffer called 'urlsnarf' iirc
<11> oh! sweet!
<7> you could probably do it with 'ngrep' as well
<7> or a plugin for ulogd
<11> hehe, as you can see, i thought of ulog first ... but perhaps that's a little complicated considering nsnarf
<11> er, urlsnarf
<7> urlsnarf is part of the dsniff package
<7> ipkg install dsniff
<11> what, directly on OpenWrt? sweet!
<7> yes
<7> just checked my White Russian rc4 install and it's part of the default repository
<11> dude, thank you. you saved me many frustrating hours
<7> no problem
<11> all i've got left to do is learn how to index the web!
<7> the index is called 'google' :)
<11> bwah
<11> i can do better :P
<13> is there anyone who can take a quick look at my firewall rules? I want to allow SSH and HTTP from selected hosts. http://sial.org/pbot/15893
<13> guess not, then
<13> can anyone recommend a simple utility to build the firewall rules?
<5> DartmanX2, what is the problem?
<5> what are the policies?
<13> rob0: I was just looking for a "looks good". Basically, I want to allow SSH and HTTP from set hosts
<13> I've been out of the linux world for 3 years until I set up a mytv box last night, but I need to firewall port 80 so every idiot on the net can't schedule a recording
<5> The 127.0.0.1 rules are superfluous, but sure, it looks okay.
<13> ok, thanks
<5> The OUTPUT rule is also useless if you're using ACCEPT as a policy
<13> now I'm trying to remember which script in debian to modify to get the firewall to run automagically on boot
<13> it's been a while
<5> Filtering by interface is generally stronger than by IP address, where possible.
<13> i don't know if interface will work or not. I need to lock it down to my address at work and selected addresses at home
<5> 192.168.1.0/24 is on a local segment, what about external?
<13> external is the 139.xxx segment (not the real address there)
<13> but, --dport isn't working
<13> is there a different way now to specify the port to filter on?
<2> that's what --dport is for
<2> make sure you flush any current rules before applying new ones
<13> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
<13> iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
<13> iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#netfilter