Differences between version 24 and previous revision of FirewallNotes.
Newer page: version 24 | Last edited on Sunday, November 21, 2004 6:06:34 pm | by AristotlePagaltzis
Older page: version 21 | Last edited on Monday, October 25, 2004 1:38:55 pm | by AristotlePagaltzis
@@ -65,8 +65,14 @@
* Having a default <tt>DENY</tt> or <tt>REJECT</tt> policy is a good idea. Don't start with that rule if you're working remotely, though...
* <tt>DENY</tt> might sound nice, but it means people can spoof packets from your computer, and your computer won't abort the connection. A rate limited <tt>REJECT</tt> (using <tt>-m limit</tt>) is much much safer.
* You probably want to rate limit log messages too. Otherwise a good portscan can flood syslogd(8) for ages.
* If you are having problems using <tt>-m owner</tt> with iptables 1.2.6a and [Kernel] 2.4.x see IptablesNotes
+* For those stupid places that don't support packet fragmentation (like some online banking sites a while back):
+ <verbatim>
+ iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ </verbatim>
+ Make sure it's the first thing in the <tt>FORWARD</tt> chain on your router, or in the <tt>OUTPUT</tt> chain if you use one of those hardware [DSL] router boxes.
+
!!! Pinholing
If you have a FireWall running iptables, chances are you'll want to forward a port at some point (to run a P2P app, a game server etc).
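Review bot: the added rule is appended with `-A FORWARD`, so it lands at the end of whatever is already in the chain, while the sentence right after it says it must be the first thing in `FORWARD`; with the default `DENY`/`REJECT` policy and the other rules recommended earlier on this page, a SYN accepted or dropped by an earlier rule never reaches this one. Either insert it at the head of the chain (`iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`) or say explicitly that it has to be added before any rule that matches the SYN. The `OUTPUT` variant for the hardware DSL router case is only described in prose; quoting it would avoid readers copying the `FORWARD` line unchanged. The rule also names no table; current iptables accepts the `TCPMSS` target only in the mangle table, so adding `-t mangle` (and noting it) would keep the line working on newer systems.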