Comments:
<0> are there any plans to support DNAT BALANCE in a different manner than RR ?
<0> can I log somehow what netfilter does? I know how to log with -j LOG, but that's an extra rule .. I would like to log _what_ a rule's match matched does ....
<1> does netfilter stop evaluating a rule as soon as any part of the rule fails to match?
<2> ryan`, example ?
<2> which rule you have in mind
<2> too late, I have to go
<3> ryan`: yes, it evaluates module by module; if one module returns false it will not check the rest
<1> is the order they are supplied to iptables actually used?
<3> (at least I'm fairly sure that's how it is done from using -m recent)
<3> yes
<1> ok
<1> thanks :)
<1> what about -s/-d/-i/-o?
<3> I'm guessing those are checked first
<4> My home network has a bridging firewall to the outside world. I have incoming ssh blocked except for a few known source IPs. Now however I would like to allow my laptop incoming ssh access based only on its MAC address, because it could have almost any IP address. I tried adding a rule with --mac-source but this doesn't work the way I expect. Are there any good examples available of how to do this?
<3> it's impossible. MAC addresses are only valid on the link level, they are not propagated across the internet
<4> Hmm OK, too bad. I'm not real keen on opening up my ssh to everywhere because I get constantly hammered with cracking attempts.
<3> use port knocking or an alternate SSH port
<4> I was thinking of using an alternate ssh port, don't know what port knocking is.
<3> port knocking is when you connect to, say port 12345, then the firewall opens up port 22 to that IP for a few minutes
<4> ah, OK. Just found that there is a portknocking.org.
<3> you don't need a daemon; iptables can do it using the recent module
<3> I have an example http://daniel.6dns.org/info/iptables/#recent
<4> Good, thanks. I am studying your example.
<5> greetings
<5> why does --syn expand to flags:FIN,SYN,RST,ACK/SYN in iptables -vL ?
<5> instead of only SYN,ACK/SYN
<3> if you are allowing SYN packets, only allowing FIN,SYN,RST,ACK/SYN is better than allowing SYN,ACK/SYN
<5> um... I am trying to understand why :) is there good reading on this?
<3> well, a packet that would match the SYN,ACK/SYN but not the FIN,SYN,RST,ACK/SYN would be either SYN,FIN or SYN,RST, both of which are invalid
<5> hm... maybe I am reading it wrong, does FIN,SYN,RST,ACK/SYN mean FIN bit only || SYN bit only || RST bit only || (ACK && SYN) ?
<3> no, it means that from the bitmask FIN,SYN,RST,ACK that only SYN is set
<5> ah...
<5> right there in iptables(8), stupid me
<5> thanks