* Proofreading
@ 2004-07-13 22:40 Erik Wikström
  0 siblings, 0 replies; 9+ messages in thread
From: Erik Wikström @ 2004-07-13 22:40 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/plain, Size: 993 bytes --]

Hi

If you happen to feel like you've got nothing better to do or if you'd
like to help me out (and maybe get rid of me :) then I'd appreciate any
comments and suggestions on my script.

My goals with the script are as follows:
+ To allow the router to get an IP via DHCP for the WAN
+ To allow local hosts to get an IP from the router
+ To allow the router to communicate with DNS servers
+ To allow the router to connect to HTTP servers
+ To allow the router to connect to FTP servers
+ To allow SSH to the router from LAN on port 22
+ To allow SSH to the router from WAN on port 2070
+ Forward SSH from WAN to a computer on LAN
+ Forward a number of other ports/services to another computer on LAN
+ Allow access to WAN from LAN
And of course maintain some level of security.

I've blocked NetBIOS packets from leaving the LAN; are there any other
things that I should block? The LAN consists of both Windows and Linux
computers.

Thanks in advance.

--
Erik Wikström

[-- Attachment #2: rc.iptables --]
[-- Type: text/plain, Size: 4687 bytes --]

#!/usr/bin/bash

# --------------------
# |    Initialize    |
# --------------------

# Variables
IPT="/usr/sbin/iptables"
WAN="eth0"
LAN="eth1"
LOCAL_NET="192.168.10.0/24"

# Computers
Yorthen="192.168.10.2"
Ohm="192.168.10.10"

# Clear all rules and set policies
for table in filter mangle nat ; do
	$IPT -t $table -F # Flush all rules
	$IPT -t $table -X # Remove all non-builtin chains
	$IPT -t $table -Z # Reset all counters

	# Set policies. Each table only has some of the built-in chains, so pick
	# the list per table; setting a policy on a chain the table lacks is an error.
	case $table in
		filter) chains="INPUT FORWARD OUTPUT" ; policy="DROP" ;; # Default to drop all packets
		nat)    chains="PREROUTING OUTPUT POSTROUTING" ; policy="ACCEPT" ;;
		mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ; policy="ACCEPT" ;;
	esac
	for chain in $chains ; do
		$IPT -t $table -P $chain $policy
	done
done

# Add custom chains
$IPT -t filter -N bad_packets



# ---------------------
# |    bad_packets    |
# ---------------------

# Drop INVALID and other bad packets
$IPT -t filter -A bad_packets -m state --state INVALID -j DROP
$IPT -t filter -A bad_packets -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
$IPT -t filter -A bad_packets -p TCP ! --syn -m state --state NEW -j DROP
# Drop spoofed addresses
$IPT -t filter -A bad_packets -i $WAN -s 192.168.0.0/16  -j DROP
$IPT -t filter -A bad_packets -s 172.16.0.0/12 -j DROP
$IPT -t filter -A bad_packets -s 127.0.0.0/8 -j DROP
$IPT -t filter -A bad_packets -i $LAN ! -s $LOCAL_NET -j DROP # Only LOCAL_NET sources may enter from the LAN side



# --------------
# |    LYRA    |
# --------------

# Allow already established connections
$IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow traffic on loopback interface
$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A OUTPUT -o lo -j ACCEPT
# Drop bad packets
$IPT -t filter -A INPUT -j bad_packets
# Allow firewall to get WAN-IP from DHCP
$IPT -t filter -A OUTPUT -o $WAN -p UDP --dport 67 --sport 68 -j ACCEPT
$IPT -t filter -A INPUT -i $WAN -p UDP --sport 67 --dport 68 -j ACCEPT
# Allow computers on LAN to get IP from DHCP
$IPT -t filter -A INPUT -i $LAN -p UDP --dport 67 --sport 68 -j ACCEPT
$IPT -t filter -A OUTPUT -o $LAN -p UDP --sport 67 --dport 68 -j ACCEPT
# Allow SSH-connections from both LAN and WAN
$IPT -t filter -A INPUT -i $LAN -p TCP --syn -s $LOCAL_NET --dport 22 -j ACCEPT
$IPT -t filter -A INPUT -i $WAN -p TCP --syn --dport 2070 -j ACCEPT
# Allow DNS-requests
$IPT -t filter -A OUTPUT -o $WAN -p UDP --dport 53 -j ACCEPT
# Allow HTTP-requests
$IPT -t filter -A OUTPUT -o $WAN -p TCP --dport 80 -j ACCEPT
# Allow FTP-requests
$IPT -t filter -A OUTPUT -o $WAN -p TCP --dport 21 -j ACCEPT
# Allow SSH to LAN
$IPT -t filter -A OUTPUT -o $LAN -d $LOCAL_NET -p TCP --dport 22 -j ACCEPT
# Reject Ident-requests
$IPT -t filter -A INPUT -i $WAN -p TCP --dport 113 -j REJECT --reject-with tcp-reset



# -------------------
# |    LOCAL_NET    |
# -------------------

# Allow already established connections through
$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop bad packets
$IPT -t filter -A FORWARD -j bad_packets
# Drop SMB/NetBIOS packets so they never leave the LAN
$IPT -t filter -A FORWARD -p TCP --sport 137:139 -j DROP
$IPT -t filter -A FORWARD -p UDP --sport 137:139 -j DROP
$IPT -t filter -A FORWARD -p TCP --sport 445 -j DROP
$IPT -t filter -A FORWARD -p UDP --sport 445 -j DROP
# Allow traffic from LAN to WAN
$IPT -t filter -A FORWARD -i $LAN -o $WAN -s $LOCAL_NET -j ACCEPT
$IPT -t nat -A POSTROUTING -o $WAN -s $LOCAL_NET -j MASQUERADE
# Forward SSH to Ohm
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 22 -j DNAT --to $Ohm
$IPT -t filter -A FORWARD -i $WAN -d $Ohm -p TCP --dport 22 -j ACCEPT
# Forward DC++ to Yorthen
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 1436 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p TCP --dport 1436 -j ACCEPT
$IPT -t nat -A PREROUTING -i $WAN -p UDP --dport 1436 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p UDP --dport 1436 -j ACCEPT
# Forward FTP to Yorthen
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 1045:1050 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p TCP --dport 1045:1050 -j ACCEPT
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 2069 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p TCP --dport 2069 -j ACCEPT
# Forward DCC to Yorthen
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 59 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p TCP --dport 59 -j ACCEPT



# ----------------
# |    SYSCTL    |
# ----------------
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable reverse-path filtering on both interfaces
echo "1" > /proc/sys/net/ipv4/conf/$WAN/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/$LAN/rp_filter


* RE: Proofreading
@ 2004-07-13 23:19 Hudson Delbert J Contr 61 CS/SCBN
  2004-07-14 12:00 ` Proofreading Erik Wikström
  0 siblings, 1 reply; 9+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-07-13 23:19 UTC (permalink / raw)
  To: 'Erik Wikström', netfilter

X...ports 6k --> at least 6100
rpc...
nfs

shall i go on.


####################################
# delbert.hudson@losangeles.af.mil #
#        61cs/scbn, 3-0182         #
####################################


-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Erik Wikström
Sent: Tuesday, July 13, 2004 3:40 PM
To: netfilter@lists.netfilter.org
Subject: Proofreading


Hi

If you happen to feel like you've got nothing better to do or if you'd
like to help me out (and maybe get rid of me :) then I'd appreciate any
comments and suggestions on my script.

My goals with the script are as follows:
+ To allow the router to get an IP via DHCP for the WAN
+ To allow local hosts to get an IP from the router
+ To allow the router to communicate with DNS servers
+ To allow the router to connect to HTTP servers
+ To allow the router to connect to FTP servers
+ To allow SSH to the router from LAN on port 22
+ To allow SSH to the router from WAN on port 2070
+ Forward SSH from WAN to a computer on LAN
+ Forward a number of other ports/services to another computer on LAN
+ Allow access to WAN from LAN
And of course maintain some level of security.

I've blocked NetBIOS packets from leaving the LAN; are there any other
things that I should block? The LAN consists of both Windows and Linux
computers.

Thanks in advance.

--
Erik Wikström



* Re: Proofreading
  2004-07-13 23:19 Proofreading Hudson Delbert J Contr 61 CS/SCBN
@ 2004-07-14 12:00 ` Erik Wikström
  2004-07-14 12:13   ` Proofreading Antony Stone
  0 siblings, 1 reply; 9+ messages in thread
From: Erik Wikström @ 2004-07-14 12:00 UTC (permalink / raw)
  To: netfilter

On Tue, Jul 13, 2004 at 04:19:57PM -0700, Hudson Delbert J Contr 61 CS/SCBN wrote:

> X...ports 6k --> at least 6100
> rpc...
> nfs
> 
> shall i go on.

Please do.

--
Erik Wikström



* Re: Proofreading
  2004-07-14 12:00 ` Proofreading Erik Wikström
@ 2004-07-14 12:13   ` Antony Stone
  0 siblings, 0 replies; 9+ messages in thread
From: Antony Stone @ 2004-07-14 12:13 UTC (permalink / raw)
  To: netfilter

On Wednesday 14 July 2004 1:00 pm, Erik Wikström wrote:

> On Tue, Jul 13, 2004 at 04:19:57PM -0700, Hudson Delbert J Contr 61 CS/SCBN 
wrote:
> > X...ports 6k --> at least 6100
> > rpc...
> > nfs
> >
> > shall i go on.
>
> Please do.

I don't quite understand this.   Perhaps Hudson has not noticed the default 
DROP policy in Erik's ruleset?

Regards,

Antony.

-- 
"I estimate there's a world market for about five computers."

 - Thomas J Watson, Chairman of IBM

                                                     Please reply to the list;
                                                           please don't CC me.
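Antony's point, that under the default DROP policy nothing on Hudson's list is reachable unless a rule explicitly accepts it, can be checked mechanically. The following is an added example written for this page, not code from the thread: it parses a constructed excerpt of Erik's rc.iptables (variables expanded), assumes filter INPUT and FORWARD policies of DROP as the script sets them, and lists what a WAN host can reach; X11 (6000+), portmapper/RPC (111) and NFS (2049) are taken as the conventional ports for the services Hudson names.

```python
import shlex

# Constructed excerpt of the posted rc.iptables with $WAN, $LAN, $LOCAL_NET,
# $Ohm and $Yorthen expanded; the rules that carry no destination port
# (state matches, loopback, the bad_packets chain) are left out.
RULES = """
iptables -t filter -A INPUT -i eth0 -p UDP --sport 67 --dport 68 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p TCP --syn -s 192.168.10.0/24 --dport 22 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p TCP --syn --dport 2070 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p TCP --dport 113 -j REJECT --reject-with tcp-reset
iptables -t nat -A PREROUTING -i eth0 -p TCP --syn --dport 22 -j DNAT --to 192.168.10.10
iptables -t filter -A FORWARD -i eth0 -d 192.168.10.10 -p TCP --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p TCP --syn --dport 1436 -j DNAT --to 192.168.10.2
iptables -t filter -A FORWARD -i eth0 -d 192.168.10.2 -p TCP --dport 1436 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p UDP --dport 1436 -j DNAT --to 192.168.10.2
iptables -t filter -A FORWARD -i eth0 -d 192.168.10.2 -p UDP --dport 1436 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p TCP --syn --dport 1045:1050 -j DNAT --to 192.168.10.2
iptables -t filter -A FORWARD -i eth0 -d 192.168.10.2 -p TCP --dport 1045:1050 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p TCP --syn --dport 2069 -j DNAT --to 192.168.10.2
iptables -t filter -A FORWARD -i eth0 -d 192.168.10.2 -p TCP --dport 2069 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p TCP --syn --dport 59 -j DNAT --to 192.168.10.2
iptables -t filter -A FORWARD -i eth0 -d 192.168.10.2 -p TCP --dport 59 -j ACCEPT
"""

WAN = "eth0"  # $WAN in the script

# Options that take one argument, and the key they are stored under.
OPTS = {"-t": "table", "-A": "chain", "-p": "proto", "-i": "in",
        "-d": "dst", "--dport": "dport", "-j": "target", "--to": "to"}

def parse_rule(line):
    """Reduce one iptables command line to the options the audit needs."""
    rule = {"table": "filter", "chain": None, "proto": None, "in": None,
            "dst": None, "dport": None, "target": None, "to": None}
    toks = shlex.split(line)
    i = 0
    while i < len(toks):
        key = OPTS.get(toks[i])
        if key is not None and i + 1 < len(toks):
            rule[key] = toks[i + 1].lower() if key == "proto" else toks[i + 1]
            i += 2
        else:
            i += 1  # bare flags such as --syn, or an argument of an ignored option
    return rule

def port_range(spec):
    """'1045:1050' -> (1045, 1050); '22' -> (22, 22)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def wan_exposure(rules_text, wan=WAN):
    """Map (proto, first_port, last_port) -> who answers WAN-originated traffic.

    Assumes filter INPUT and FORWARD policies of DROP, as the script sets them,
    so only ACCEPT rules open anything. An INPUT accept exposes the router; a
    FORWARD accept exposes a LAN host only when a PREROUTING DNAT on the same
    port rewrites the destination to it, since 192.168.10.x is unroutable from
    the WAN.
    """
    rules = [parse_rule(l) for l in rules_text.strip().splitlines()]
    dnat = {(r["proto"], r["dport"]): r["to"] for r in rules
            if r["table"] == "nat" and r["target"] == "DNAT" and r["in"] == wan}
    exposed = {}
    for r in rules:
        if (r["table"] != "filter" or r["target"] != "ACCEPT"
                or r["in"] != wan or r["dport"] is None):
            continue
        key = (r["proto"],) + port_range(r["dport"])
        if r["chain"] == "INPUT":
            exposed[key] = "router"
        elif r["chain"] == "FORWARD" and dnat.get((r["proto"], r["dport"])) == r["dst"]:
            exposed[key] = r["dst"]
    return exposed

def is_reachable(exposed, proto, port):
    """True if a WAN host can reach proto/port on the router or a LAN host."""
    return any(p == proto and lo <= port <= hi for (p, lo, hi) in exposed)

if __name__ == "__main__":
    exp = wan_exposure(RULES)
    for (proto, lo, hi), who in sorted(exp.items()):
        print(f"{proto}/{lo}" + (f"-{hi}" if hi != lo else "") + f" -> {who}")
    for name, port in (("X11", 6000), ("portmapper/rpc", 111), ("nfs", 2049)):
        print(f"{name} tcp/{port} reachable from WAN: {is_reachable(exp, 'tcp', port)}")
```

The REJECT rule for ident (tcp/113) is deliberately not counted as exposure: it answers with a reset rather than accepting anything.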




* RE: Proofreading
@ 2004-07-14 16:10 Hudson Delbert J Contr 61 CS/SCBN
  2004-07-14 16:25 ` Proofreading Antony Stone
  0 siblings, 1 reply; 9+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-07-14 16:10 UTC (permalink / raw)
  To: 'netfilter'


where is the ruleset. never saw it in any message traffic.

####################################
# delbert.hudson@losangeles.af.mil #
#        61cs/scbn, 3-0182         #
####################################


-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
Sent: Wednesday, July 14, 2004 5:13 AM
To: netfilter
Subject: Re: Proofreading


On Wednesday 14 July 2004 1:00 pm, Erik Wikström wrote:

> On Tue, Jul 13, 2004 at 04:19:57PM -0700, Hudson Delbert J Contr 61
CS/SCBN 
wrote:
> > X...ports 6k --> at least 6100
> > rpc...
> > nfs
> >
> > shall i go on.
>
> Please do.

I don't quite understand this.   Perhaps Hudson has not noticed the default 
DROP policy in Erik's ruleset?

Regards,

Antony.

-- 
"I estimate there's a world market for about five computers."

 - Thomas J Watson, Chairman of IBM

                                                     Please reply to the
list;
                                                           please don't CC
me.




* Re: Proofreading
  2004-07-14 16:10 Proofreading Hudson Delbert J Contr 61 CS/SCBN
@ 2004-07-14 16:25 ` Antony Stone
  0 siblings, 0 replies; 9+ messages in thread
From: Antony Stone @ 2004-07-14 16:25 UTC (permalink / raw)
  To: 'netfilter'

[-- Attachment #1: Type: text/plain, Size: 1489 bytes --]

On Wednesday 14 July 2004 5:10 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:

> where is the ruleset. never saw it in any message traffic.

It was attached to the original request for people to proofread it (if you 
didn't see the script, what did you proofread!?).   4.6k textfile called 
rc.iptables

I've attached it again to this email so you can see it (I hope others on the 
list don't mind the duplicate posting - it's not a very long script...)

Regards,

Antony.

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
> Sent: Wednesday, July 14, 2004 5:13 AM
> To: netfilter
> Subject: Re: Proofreading
>
> On Wednesday 14 July 2004 1:00 pm, Erik Wikström wrote:
> > On Tue, Jul 13, 2004 at 04:19:57PM -0700, Hudson Delbert J Contr 61
>
> CS/SCBN
>
> wrote:
> > > X...ports 6k --> at least 6100
> > > rpc...
> > > nfs
> > >
> > > shall i go on.
> >
> > Please do.
>
> I don't quite understand this.   Perhaps Hudson has not noticed the default
> DROP policy in Erik's ruleset?
>
> Regards,
>
> Antony.

-- 
I don't know, maybe if we all waited then cosmic rays would write all our 
software for us. Of course it might take a while.

 - Ron Minnich, Los Alamos National Laboratory

                                                     Please reply to the list;
                                                           please don't CC me.

[-- Attachment #2: rc.iptables --]
[-- Type: text/plain, Size: 4687 bytes --]

#!/usr/bin/bash

# --------------------
# |    Initialize    |
# --------------------

# Variables
IPT="/usr/sbin/iptables"
WAN="eth0"
LAN="eth1"
LOCAL_NET="192.168.10.0/24"

# Computers
Yorthen="192.168.10.2"
Ohm="192.168.10.10"

# Clear all rules and set policies
for table in filter mangle nat ; do
	$IPT -t $table -F # Flush all rules
	$IPT -t $table -X # Remove all non-builtin chains
	$IPT -t $table -Z # Reset all counters

	# Set policies. Each table only has some of the built-in chains, so pick
	# the list per table; setting a policy on a chain the table lacks is an error.
	case $table in
		filter) chains="INPUT FORWARD OUTPUT" ; policy="DROP" ;; # Default to drop all packets
		nat)    chains="PREROUTING OUTPUT POSTROUTING" ; policy="ACCEPT" ;;
		mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ; policy="ACCEPT" ;;
	esac
	for chain in $chains ; do
		$IPT -t $table -P $chain $policy
	done
done

# Add custom chains
$IPT -t filter -N bad_packets



# ---------------------
# |    bad_packets    |
# ---------------------

# Drop INVALID and other bad packets
$IPT -t filter -A bad_packets -m state --state INVALID -j DROP
$IPT -t filter -A bad_packets -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
$IPT -t filter -A bad_packets -p TCP ! --syn -m state --state NEW -j DROP
# Drop spoofed addresses
$IPT -t filter -A bad_packets -i $WAN -s 192.168.0.0/16  -j DROP
$IPT -t filter -A bad_packets -s 172.16.0.0/12 -j DROP
$IPT -t filter -A bad_packets -s 127.0.0.0/8 -j DROP
$IPT -t filter -A bad_packets -i $LAN ! -s $LOCAL_NET -j DROP # Only LOCAL_NET sources may enter from the LAN side



# --------------
# |    LYRA    |
# --------------

# Allow already established connections
$IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow traffic on loopback interface
$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A OUTPUT -o lo -j ACCEPT
# Drop bad packets
$IPT -t filter -A INPUT -j bad_packets
# Allow firewall to get WAN-IP from DHCP
$IPT -t filter -A OUTPUT -o $WAN -p UDP --dport 67 --sport 68 -j ACCEPT
$IPT -t filter -A INPUT -i $WAN -p UDP --sport 67 --dport 68 -j ACCEPT
# Allow computers on LAN to get IP from DHCP
$IPT -t filter -A INPUT -i $LAN -p UDP --dport 67 --sport 68 -j ACCEPT
$IPT -t filter -A OUTPUT -o $LAN -p UDP --sport 67 --dport 68 -j ACCEPT
# Allow SSH-connections from both LAN and WAN
$IPT -t filter -A INPUT -i $LAN -p TCP --syn -s $LOCAL_NET --dport 22 -j ACCEPT
$IPT -t filter -A INPUT -i $WAN -p TCP --syn --dport 2070 -j ACCEPT
# Allow DNS-requests
$IPT -t filter -A OUTPUT -o $WAN -p UDP --dport 53 -j ACCEPT
# Allow HTTP-requests
$IPT -t filter -A OUTPUT -o $WAN -p TCP --dport 80 -j ACCEPT
# Allow FTP-requests
$IPT -t filter -A OUTPUT -o $WAN -p TCP --dport 21 -j ACCEPT
# Allow SSH to LAN
$IPT -t filter -A OUTPUT -o $LAN -d $LOCAL_NET -p TCP --dport 22 -j ACCEPT
# Reject Ident-requests
$IPT -t filter -A INPUT -i $WAN -p TCP --dport 113 -j REJECT --reject-with tcp-reset



# -------------------
# |    LOCAL_NET    |
# -------------------

# Allow already established connections through
$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop bad packets
$IPT -t filter -A FORWARD -j bad_packets
# Drop SMB/NetBIOS packets so they never leave the LAN
$IPT -t filter -A FORWARD -p TCP --sport 137:139 -j DROP
$IPT -t filter -A FORWARD -p UDP --sport 137:139 -j DROP
$IPT -t filter -A FORWARD -p TCP --sport 445 -j DROP
$IPT -t filter -A FORWARD -p UDP --sport 445 -j DROP
# Allow traffic from LAN to WAN
$IPT -t filter -A FORWARD -i $LAN -o $WAN -s $LOCAL_NET -j ACCEPT
$IPT -t nat -A POSTROUTING -o $WAN -s $LOCAL_NET -j MASQUERADE
# Forward SSH to Ohm
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 22 -j DNAT --to $Ohm
$IPT -t filter -A FORWARD -i $WAN -d $Ohm -p TCP --dport 22 -j ACCEPT
# Forward DC++ to Yorthen
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 1436 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p TCP --dport 1436 -j ACCEPT
$IPT -t nat -A PREROUTING -i $WAN -p UDP --dport 1436 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p UDP --dport 1436 -j ACCEPT
# Forward FTP to Yorthen
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 1045:1050 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p TCP --dport 1045:1050 -j ACCEPT
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 2069 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p TCP --dport 2069 -j ACCEPT
# Forward DCC to Yorthen
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 59 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p TCP --dport 59 -j ACCEPT



# ----------------
# |    SYSCTL    |
# ----------------
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable reverse-path filtering on both interfaces
echo "1" > /proc/sys/net/ipv4/conf/$WAN/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/$LAN/rp_filter


* RE: Proofreading
@ 2004-07-14 16:48 Hudson Delbert J Contr 61 CS/SCBN
  2004-07-14 17:05 ` Proofreading Antony Stone
  0 siblings, 1 reply; 9+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-07-14 16:48 UTC (permalink / raw)
  To: 'netfilter'

what are you talking about proofread...i didn't preface anything or put that
subject: there
so get your facts straight about who saw what on what thread...don't ass-u-me
you know what
anybody may have read.

send it inline...our filters are VERY GOOD.....must have stripped 'em.

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
Sent: Wednesday, July 14, 2004 9:25 AM
To: 'netfilter'
Subject: Re: Proofreading


On Wednesday 14 July 2004 5:10 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:

> where is the ruleset. never saw it in any message traffic.

It was attached to the original request for people to proofread it (if you 
didn't see the script, what did you proofread!?).   4.6k textfile called 
rc.iptables

I've attached it again to this email so you can see it (I hope others on the

list don't mind the duplicate posting - it's not a very long script...)

Regards,

Antony.

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
> Sent: Wednesday, July 14, 2004 5:13 AM
> To: netfilter
> Subject: Re: Proofreading
>
> On Wednesday 14 July 2004 1:00 pm, Erik Wikström wrote:
> > On Tue, Jul 13, 2004 at 04:19:57PM -0700, Hudson Delbert J Contr 61
>
> CS/SCBN
>
> wrote:
> > > X...ports 6k --> at least 6100
> > > rpc...
> > > nfs
> > >
> > > shall i go on.
> >
> > Please do.
>
> I don't quite understand this.   Perhaps Hudson has not noticed the
default
> DROP policy in Erik's ruleset?
>
> Regards,
>
> Antony.

-- 
I don't know, maybe if we all waited then cosmic rays would write all our 
software for us. Of course it might take a while.

 - Ron Minnich, Los Alamos National Laboratory

                                                     Please reply to the
list;
                                                           please don't CC
me.



* Re: Proofreading
  2004-07-14 16:48 Proofreading Hudson Delbert J Contr 61 CS/SCBN
@ 2004-07-14 17:05 ` Antony Stone
  0 siblings, 0 replies; 9+ messages in thread
From: Antony Stone @ 2004-07-14 17:05 UTC (permalink / raw)
  To: 'netfilter'

On Wednesday 14 July 2004 5:48 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:

> what are you talking about proofread...i didn't preface anything or put that
> subject: there

No, that was the subject on the original email requesting people to proofread 
the attached script.   I did not suggest that you had changed the subject - I 
was simply wondering what it was you had responded to (the request to 
proofread something) if you hadn't seen the script containing the ruleset.

> so get your facts straight about who saw what on what thread...don't
> ass-u-me you know what anybody may have read.

I am now well aware that you did not see the original script, since you said 
so in your last posting.   That is why I just attached it again in my last 
posting, so that you could see it this time.   The only assumption I made 
previously was that you saw the same email on the list as I did, which seems 
perfectly sensible to me, however I was quite happy to be corrected on this 
when you pointed it out.

> send it inline...our filters are VERY GOOD.....must have stripped 'em.

Why do you describe filters which strip out something you would have benefited 
from seeing as "very good"?

I regard a false positive (security measures catching something 
inappropriately) as worse than a false negative (letting through something 
which should ideally have been caught).   At least in the latter case, there 
is an opportunity to catch it somewhere else in the system.   In the former 
case, you may never even get to know about it...

Oh, and by the way, please could you stop top-posting on this list?

Thanks,

Antony.

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
> Sent: Wednesday, July 14, 2004 9:25 AM
> To: 'netfilter'
> Subject: Re: Proofreading
>
> On Wednesday 14 July 2004 5:10 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:
> > where is the ruleset. never saw it in any message traffic.
>
> It was attached to the original request for people to proofread it (if you
> didn't see the script, what did you proofread!?).   4.6k textfile called
> rc.iptables
>
> I've attached it again to this email so you can see it (I hope others on
> the
>
> list don't mind the duplicate posting - it's not a very long script...)
>
> Regards,
>
> Antony.
>
> > -----Original Message-----
> > From: netfilter-admin@lists.netfilter.org
> > [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
> > Sent: Wednesday, July 14, 2004 5:13 AM
> > To: netfilter
> > Subject: Re: Proofreading
> >
> > On Wednesday 14 July 2004 1:00 pm, Erik Wikström wrote:
> > > On Tue, Jul 13, 2004 at 04:19:57PM -0700, Hudson Delbert J Contr 61
> >
> > CS/SCBN
> >
> > wrote:
> > > > X...ports 6k --> at least 6100
> > > > rpc...
> > > > nfs
> > > >
> > > > shall i go on.
> > >
> > > Please do.
> >
> > I don't quite understand this.   Perhaps Hudson has not noticed the
>
> default
>
> > DROP policy in Erik's ruleset?
> >
> > Regards,
> >
> > Antony.

-- 
Normal people think "If it ain't broke, don't fix it".
Engineers think "If it ain't broke, it doesn't have enough features yet".

                                                     Please reply to the list;
                                                           please don't CC me.




* RE: Proofreading
@ 2004-07-14 18:02 Hudson Delbert J Contr 61 CS/SCBN
  0 siblings, 0 replies; 9+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-07-14 18:02 UTC (permalink / raw)
  To: 'netfilter'

who's to say i would have benefited.
actually i would have not derived any benefit as 
the info i passed along to erik was still relevant 
regardless.

enuf already....


-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
Sent: Wednesday, July 14, 2004 10:05 AM
To: 'netfilter'
Subject: Re: Proofreading


On Wednesday 14 July 2004 5:48 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:

> what are you talking about proofread...i didn't preface anything or put
that
> subject: there

No, that was the subject on the original email requesting people to
proofread 
the attached script.   I did not suggest that you had changed the subject -
I 
was simply wondering what it was you had responded to (the request to 
proofread something) if you hadn't seen the script containing the ruleset.

> so get your facts straight about who saw what on what thread...don't
> ass-u-me you know what anybody may have read.

I am now well aware that you did not see the original script, since you said

so in your last posting.   That is why I just attached it again in my last 
posting, so that you could see it this time.   The only assumption I made 
previously was that you saw the same email on the list as I did, which seems

perfectly sensible to me, however I was quite happy to be corrected on this 
when you pointed it out.

> send it inline...our filters are VERY GOOD.....must have stripped 'em.

Why do you describe filters which strip out something you would have
benefited 
from seeing as "very good"?

I regard a false positive (security measures catching something 
inappropriately) as worse than a false negative (letting through something 
which should ideally have been caught).   At least in the latter case, there

is an opportunity to catch it somewhere else in the system.   In the former 
case, you may never even get to know about it...

Oh, and by the way, please could you stop top-posting on this list?

Thanks,

Antony.

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
> Sent: Wednesday, July 14, 2004 9:25 AM
> To: 'netfilter'
> Subject: Re: Proofreading
>
> On Wednesday 14 July 2004 5:10 pm, Hudson Delbert J Contr 61 CS/SCBN
wrote:
> > where is the ruleset. never saw it in any message traffic.
>
> It was attached to the original request for people to proofread it (if you
> didn't see the script, what did you proofread!?).   4.6k textfile called
> rc.iptables
>
> I've attached it again to this email so you can see it (I hope others on
> the
>
> list don't mind the duplicate posting - it's not a very long script...)
>
> Regards,
>
> Antony.
>
> > -----Original Message-----
> > From: netfilter-admin@lists.netfilter.org
> > [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
> > Sent: Wednesday, July 14, 2004 5:13 AM
> > To: netfilter
> > Subject: Re: Proofreading
> >
> > On Wednesday 14 July 2004 1:00 pm, Erik Wikström wrote:
> > > On Tue, Jul 13, 2004 at 04:19:57PM -0700, Hudson Delbert J Contr 61
> >
> > CS/SCBN
> >
> > wrote:
> > > > X...ports 6k --> at least 6100
> > > > rpc...
> > > > nfs
> > > >
> > > > shall i go on.
> > >
> > > Please do.
> >
> > I don't quite understand this.   Perhaps Hudson has not noticed the
>
> default
>
> > DROP policy in Erik's ruleset?
> >
> > Regards,
> >
> > Antony.

-- 
Normal people think "If it ain't broke, don't fix it".
Engineers think "If it ain't broke, it doesn't have enough features yet".

                                                     Please reply to the
list;
                                                           please don't CC
me.



