Differences between version 18 and predecessor to the previous major change of FirewallNotes.
Newer page: version 18, last edited on Wednesday, February 18, 2004 9:58:22 am by NeilHoughton
Older page: version 16, last edited on Monday, August 11, 2003 1:13:52 pm by CraigBox
@@ -55,8 +55,9 @@
* Having a default DENY or REJECT policy is a good idea
* But don't start with that rule if you're working remotely
* DENY might sound nice, but it means people can spoof packets from your computer, and your computer won't abort the connection. a rate limited (using -m limit) REJECT is much much safer.
* You probably want to rate limit log messages too otherwise a good portscan can flood syslogd(8) for ages.
+* If you are having problems using -m owner with iptables 1.2.6a and kernel 2.4.x try [IptablesNotes]
!Pinholing
If you have a firewall running iptables, chances are you'll want to forward a port at some point (to run a P2P app, a game server etc). Experiment with this command line:
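Review bot: the added bullet "If you are having problems using -m owner with iptables 1.2.6a and kernel 2.4.x try [IptablesNotes]" names a version pair but not a symptom, so a reader cannot tell whether their problem is the one being pointed at; say in one clause what goes wrong (the rule failing to match, an error on insertion, or whatever the IptablesNotes page describes) before sending them to the other page. It is also the only bullet in this list that is a cross-reference rather than a policy recommendation, so it would sit more naturally as the last item after a short lead such as "Known problems:" rather than between the REJECT and logging advice and the !Pinholing heading.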
@@ -73,7 +74,9 @@
Make sure you have Explicit Congestion Notification disabled (see the [ECN] page) and don't have any [TOS] (TermsOfService) settings in your firewall script (iptables -t mangle -F PREROUTING might clean up any you have: don't try this without knowing what you are doing.)
Alternatively, you can go with the "Don't fix good science to work with a bad implementation", or manually add rules allowing access to the NZ Herald IPs.
+
+Also, it should be noted that some home routers don't seem to like ECNs either. If you're having problems accessing the internet with a home ADSL router, and tcpdump output is mentioning packets with SWE, try turning ECNs off as seen in the [ECN] page.
----
Part of CategoryNetworking and CategorySecurity
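Review bot: the new paragraph repeats the pointer to the [ECN] page that the preceding sentence already gives ("see the [ECN] page"), and uses "ECNs" as a countable noun where the existing text treats ECN as a single mechanism; fold it into the existing ECN advice as one sentence, e.g. "Some home ADSL routers also drop ECN-marked packets; if tcpdump shows SWE on your outgoing SYNs, turn ECN off." Spelling out that SWE is tcpdump's flag shorthand for a SYN with both ECN bits set would help, since the symptom is otherwise only recognisable to someone who already knows the answer.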