
Thursday, October 25, 2007

Re: Default Policy = DROP. Help-me

On 2007-10-25 Yuri Rodrigues wrote:
> I made all the changes by following their advice!

You still set the policies before loading the modules (particularly
iptable_filter, iptable_nat and iptable_mangle). This will fail unless
you already preloaded the modules (in which case there's no need to load
the modules again).

[...]
> As for the rule Ping Limit, it really does not protect against
> Ping-of-Death, but does it protect against some sort of buffer
> overflow?

No. It merely limits ICMP traffic to 1 packet per second (which is
awfully low).

> Can I pass a rule that actually protects against Ping-of-Death?

Block all echo-request. However, I would not recommend that, because
it's a) breaking IP and b) totally unnecessary. No halfway recent
operating system is vulnerable to Ping-of-Death anymore.

> I cannot leave the firewall functional only for putting NEW
> connections. Can you help me? I tried to leave with [-m state --state
> NEW] and the firewall fails. Could not make this work.

You need to add an ESTABLISHED,RELATED rule to the OUTPUT and FORWARD
chains as well. I forgot to mention that before, sorry.

Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
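A minimal default-DROP ruleset that follows both points in the reply above (modules loaded before the policies are set, ESTABLISHED,RELATED accepted on all three chains), added here as an example and not part of the original thread; WAN_IF and SSH_PORT are assumed placeholders, and the script only prints the commands so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# WAN_IF and SSH_PORT are assumed placeholders; override via environment.
WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset as shell commands. Apply with: gen_rules | sh
gen_rules() {
    cat <<EOF
# Load the table modules BEFORE touching policies, or "-P" fails.
modprobe iptable_filter
modprobe iptable_nat
modprobe iptable_mangle
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Replies to accepted connections, on all three chains (not just INPUT).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only NEW connections that we explicitly want.
iptables -A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -m state --state NEW -j ACCEPT
# Rate-limited echo-request (1/s is the value from the thread; it is low).
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
EOF
}

# Offline sanity check (no root, no iptables needed): returns 0 when every
# modprobe precedes the first policy line and each chain accepts
# ESTABLISHED,RELATED.
check_rules() {
    rules=$(gen_rules)
    last_modprobe=$(printf '%s\n' "$rules" | grep -n '^modprobe' | tail -1 | cut -d: -f1)
    first_policy=$(printf '%s\n' "$rules" | grep -n '^iptables -P' | head -1 | cut -d: -f1)
    [ "$last_modprobe" -lt "$first_policy" ] || return 1
    for chain in INPUT OUTPUT FORWARD; do
        printf '%s\n' "$rules" | grep -q "^iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT" || return 1
    done
    return 0
}
```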


