<0> hi Libolt4
<1> yo Libolt4
<2> hey tavi, lion, etc
<3> Lion-O: I'm used to pf(ctl), not linux.
<4> Lion-O: only if it matches established,related IIRC (I used to have a diagram for all this, **** knows where it went)
<1> qdk: uh huh
<5> smsie: got it here - you want me to dcc?
<6> alo alo
<4> DaveHowe: if it's the ebtables one, no. That wasn't the one I was thinking of
<4> DaveHowe: similar to that, but for iptables alone
<5> smsie: oh, ok. It's the completest one I know :)
<5> it covers iptables too, after all :)
<4> DaveHowe: the ebtables one might have the info anyway... dcc it over, may as well look :)
<1> hmm, the problem with things going mainstream (IMO) is that you lose a lot of fun. It's amazing how fast the solaris forums have moved from very educational technical problems to your average crapola (caused by failing to read the manual). Less than 1 year, I think.
<4> DaveHowe: ta, printing it out
<3> smsie: no drop in INPUT chain
<1> qdk: and REJECT? :P
<4> qdk: paste the chains somewhere, let's have a look
<3> Lion-O: neither.
<3> smsie: ok, hmm... how the *bip* do I get that huge list from the fw to a browser...
<4> DaveHowe: bloody useful it was at the time (especially after you'd explained it to me :)
<1> qdk: so I take it your default policy is to drop stuff?
<4> qdk: iptables -L > somefile; get the file to a machine with a text editor, copy and paste from there
<3> Lion-O: it normally is, but not atm... due to debugging.
<1> qdk: because that in itself might also affect the things you do (you still haven't answered my question about the host(s)). Best policy is not to use a default policy.
<1> qdk: and if your default FORWARDING policy is set to DROP then you haven't bothered to check the HOWTOs.
<3> Lion-O: host question? I think I missed that.
<1> qdk: if your problems applied to the hosts on your LAN or the host on which you're trying to set up iptables.
<3> Lion-O: the hosts on my LAN (internal) interface... not on the firewall itself... which is why it works with a proxy on the firewall.
<4> Lion-O: umm... my default FORWARD policy is DROP, and that's generally the right way. It's what's recommended by the HOWTO even, IIRC
<3> Lion-O: default policies are unimportant if I set a forwarding rule, which I have.
<1> smsie: not in my book. It will interfere with a lot of options.
<1> smsie: the suggested approach is always to keep your default policy to ACCEPT, especially on the FORWARD chain since bad things can happen otherwise. I'd look it up, but heck :P
<4> http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-IPTABLES
<4> the example script there even has it set to DROP
<1> smsie: I'd stick to the official documentation.
<1> in this case I wouldn't rely on those howtos, get the stuff from iptables.org.
<4> Lion-O: I've been following this way for around 7 years now, it's always worked :)
<7> smsie: I've had problems with -P DROP
<1> smsie: well, that's good for you.
<1> oh, what the heck. gimme a moment then.
<7> Nothing an end rule of -j DROP doesn't fix ")
<4> PolarWolf: hehe
<3> hmm... guess pastebin.com has its limits. :-(
<4> qdk: just DCC me the file
<8> heh
<9> ahhhh, that was a very uninteresting lunch
<3> smsie: ok
<4> qdk: your DCC send, she be ****ed:
<4> 17:44 [amsterdam] DCC SEND from qdk [0.0.0.199 port 0]: iptables_complete.log [115kB]
<4> that's *not* your IP
<4> your ruleset is 115kb?
<4> that seems... excessive
<3> iptables -L is
<4> yaffle:~# iptables -L | wc -c
<4> 3577
<4> 115kb is a ****ing *huge* ruleset
<3> yes, and a very lame setup, but I'm not allowed to fix it (yet).
<3> smsie: I'll just cut off all the redundant stuff
<4> almost like a redhat automatic firewall thing
<3> smsie: it is a sad fedora installation
<4> qdk: ah, that might explain it then
<4> the one time I looked at the redhat firewall tool, it was RH9 (IIRC), and it explicitly allows every port you're going to allow, then explicitly denies every OTHER port, individually. It's a ****ing nightmare
<3> smsie: yes, but it doesn't explain the sudden drop of stateful traffic.
<4> the poor poor packets that have to traverse any distance through it... must take forever
<4> qdk: no, it doesn't, which is why I wanted to look at your ruleset
<3> smsie: oh, it's not THAT lame... it's just a job for ipset or similar.
<4> qdk: If I had to guess though, I'd say that the very fact your ruleset is 115kb shows that you need to redesign it
<1> Well, so far I came up with RHEL sets which all utilize the "drop by rule" option, seems iptables.org hasn't got a search option and I don't feel like wasting my time skimming through the tutorials.
<1> http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/ch-fw.html
<3> smsie: working on that pastebin link
<1> to give but a quick (non-spoonfeeding) hint.
<3> smsie: yes, I plan to.
<1> 130kb for firewall rules? ROFL, and people said I had an extensive firewall, that's frickin' nuts.
<4> fred's firewall ruleset is 92kb
<4> that's a firewall with 3 racks full of servers behind it though
<3> smsie: http://pastebin.com/568806
<4> qdk: ******. Who *wrote* this thing?
<3> smsie: some noob who started as a trainee... and I guess never got any better.
<4> qdk: add a rule to RETURN established,related to the SesCheck chain, see if that helps
<4> qdk: seriously man, you NEED to redesign that ****... it's a support nightmare
<1> that is probably the sole reason he's here anyway.
<3> smsie: yes, but I'm not allowed yet... but that's the general idea.
<4> qdk: and you need the established,related rule to be the FIRST rule in the forward chain, not the last
<1> qdk: that is the most stupid excuse I've heard. Weren't you supposed to fix the problems it has?
<3> smsie: k
<1> qdk: fix it by starting a redesign. Fixing implies a redesign in this case.
<4> well, at least the first rule before any other rule which isn't ACCEPT
<1> I bet that if you clean this mess up your "problem" will disappear on its own.
<3> Lion-O: no, because it works on 5 other locations, but I can't see any difference, and some of the traffic goes through correctly (seen with tcpdump).
<10> that's why I love debian's shorewall 8)
<1> qdk: so you shouldn't be looking at the rules then.
<4> qdk: a setup like that, it might work for a year and then decide to stop working every second friday for no real reason. It's spaghetti
<1> funny how you bring up these rather important issues AFTER people spend a lot of time on it.
<3> Lion-O: yes, but I have to recompile the kernel for new modules and switch to something like ipset and stuff like IMQ.
<1> OM!
<11> Hi, I have a problem with libz. I've installed a newer version and now I get many "invalid elf header". I can't even restore the old version with rpm because rpm won't run (invalid elf header). Could someone help me with this?
<12> re
<3> Lion-O: I STARTED my question describing the problem quite precisely.
<1> BxN: what distribution are you using?
<11> linux fedora core 3. Is there a way to restore the old libz (zlib) package from the cd-rom without formatting?
<11> (and without using rpm, because rpm doesn't work)
<3> smsie: yes, that's where I come in, but I'm not allowed to redesign yet, due to the fact that I'm the openbsd/pf firewall dude and the download time on the firewall is no longer an issue, due to mad customers.
<1> BxN: Sure. Using rpm from a rescue disk.
<12> BxN: boot from cd in rescue mode and overwrite the file directly
<12> Lion-O: I doubt if you can use rpm from the rescue disk -- if you chroot you'll have to contend with the new libz again
<11> ok... I'll try that, give me a couple of minutes...
<12> unless there's some way to run rpm off the cd but make it install on the HDD
<12> is there?
<1> OldMonk: iirc you can.
<1> OldMonk: most package managers support those features now. If Solaris can do it, so can RH.
<4> OldMonk: rpm --root /path/to/wherever
<12> smsie: ah!
<4> OldMonk: but that runs any postinst in a chrooted environment IIRC
<1> qdk: apart from this little fact of course.
<4> HAHA
<4> google have a new director
<4> Dr Brilliant
<1> smsie: lol
<4> I hope he looks like Dr Evil
<13> Fark
<13> I forgot to do some **** again
<14> can anybody help me make a BNC?
<14> plzzzzzzzzzz
<1> MrCiupaciups: get lost
<9> MrCiupaciups: no, go away
<13> MrCiupaciups: BNC grows on trees... go and pick one up
<1> everyone is using UTP these days anyway.
<14> waw! it's soo funny!
<14> :\
<9> what? I still have coax strung everywhere.
<1> it bounces too
<9> then of course you can be synapsis and using tin cans and strings
<1> schitzo: you're cheating
<9> Lion-O: only because no one else is playing with me.
<3> smsie: the return rule in the SecCheck chain is a bad idea, because it will ruin the idea of exactly that chain. :-D
<1> schitzo: no matter, you get a foul point :P
<3> smsie: but I guess the problem is a missing state rule in the FORWARD chain.
<9> Lion-O: meh
<4> qdk: no, it won't. Stuff is sent there no matter what. If established,related isn't allowed through it, then it won't get through anywhere
<1> oops, sowwy
<15> Don't be jealous of my string bandwidth.
<13> * BxN has quit (Killed (*.undernet.org (overruled by older nick)))
<13> what does this mean?
<1> Bjprn-: just that. The servers split and there was a "BxN" on both of them when they reconnected. And then only 1 can survive