Diff: FirewallNotes

Differences between version 20 and predecessor to the previous major change of FirewallNotes.


Newer page: version 20 Last edited on Monday, June 7, 2004 12:26:38 pm by AristotlePagaltzis
Older page: version 16 Last edited on Monday, August 11, 2003 1:13:52 pm by CraigBox
@@ -1,5 +1,5 @@
-__FireWall__ can either refer to a machine used to filter (usually IP) packets or the software used on that machine to provide packet filtering. 
+__FireWall__ can either refer to a machine used to filter (usually [ IP] ) packets or the software used on that machine to provide packet filtering. 
  
 !!Before you read anything else, make sure you have read and understood HowFirewallingWorks. 
  
 If you need a decent iptables firewall for your Linux box, you probably want to give PerrysFirewallingScript a try. 
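Review bot: the new link markup in the first line, `(usually [ IP] )`, has a space inside the opening bracket and another before the closing parenthesis, so it will most likely render with stray spaces around the link text; write it as `(usually [IP])`.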
@@ -55,8 +55,9 @@
 * Having a default DENY or REJECT policy is a good idea 
 * But don't start with that rule if you're working remotely 
 * DENY might sound nice, but it means people can spoof packets from your computer, and your computer won't abort the connection. a rate limited (using -m limit) REJECT is much much safer. 
 * You probably want to rate limit log messages too otherwise a good portscan can flood syslogd(8) for ages. 
+* If you are having problems using -m owner with iptables 1.2.6a and kernel 2.4.x try [IptablesNotes]  
  
 !Pinholing 
  
 If you have a firewall running iptables, chances are you'll want to forward a port at some point (to run a P2P app, a game server etc). Experiment with this command line: 
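Review bot: the added bullet about `-m owner` does not say what the "problems" are, so a reader cannot tell whether it applies to their setup; name the symptom, or at least say "see [IptablesNotes] for the known -m owner issue with iptables 1.2.6a on 2.4.x kernels". Also add a comma before "try" and drop the trailing whitespace at the end of the line.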
@@ -68,12 +69,18 @@
 You might want to read [HowToIPCHAINSHOWTO], [HowToBridgeFirewall], [HowToBridgeFirewallDSL], [HowToFirewallHOWTO], [HowToFirewallPiercing], [HowToSentryFirewallCDHOWTO] or [HowToTermFirewall]. (They're all really, REALLY old.) 
  
 ----- 
  
-Can't access the NZ Herald? ( http://www.nzherald.co.nz) (or other sites). 
+Can't access the [ NZ Herald | http://www.nzherald.co.nz]? (or other sites). 
  
-Make sure you have Explicit Congestion Notification disabled (see the [ECN] page) and don't have any [TOS] (TermsOfService) settings in your firewall script (iptables -t mangle -F PREROUTING might clean up any you have: don't try this without knowing what you are doing.) 
+Make sure you have Explicit Congestion Notification disabled (see the [ECN] page) and don't have any TypeOfService settings in your firewall script (__ iptables -t mangle -F PREROUTING__ might clean up any you have: don't try this without knowing what you are doing.) 
  
 Alternatively, you can go with the "Don't fix good science to work with a bad implementation", or manually add rules allowing access to the NZ Herald IPs. 
+  
+Also, it should be noted that some home routers don't seem to like ECNs either. If you're having problems accessing the internet with a home ADSL router, and tcpdump output is mentioning packets with SWE, try turning ECNs off as seen in the [ECN] page.  
+  
+-----  
+  
+Have a [NAT] firewall that only allows one person behind it to make a [VPN] connection at once? See [PPTPConnectionTracking]  
  
 ---- 
 Part of CategoryNetworking and CategorySecurity
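Review bot: the bold markup `__ iptables -t mangle -F PREROUTING__` now has a space after the opening `__`, which may stop the bold from being recognised, and the NZ Herald link `[ NZ Herald | http://www.nzherald.co.nz]` has the same leading-space problem as the IP link in the first hunk. The `[TOS]` (TermsOfService) to TypeOfService correction is right: the mangle table sets the IP Type of Service field, nothing to do with terms of service; it is worth adding that `-F PREROUTING` flushes every rule in that chain, not only the TOS ones, which is why the "don't try this without knowing what you are doing" warning matters. In the new ECN paragraph, spell out that `SWE` in tcpdump output is a SYN with the ECN-Echo and CWR flags set, i.e. an ECN-capable connection attempt, so readers know what they are looking for. The three added blank lines and the PPTP line carry trailing whitespace, and the PPTP line wants a full stop after `[PPTPConnectionTracking]`.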