From: /dev/rob0 <rob0@gmx.co.uk>
To: netfilter@lists.netfilter.org
Subject: Re: Starting a fw
Date: Fri, 08 Jul 2005 08:12:08 -0500
Message-ID: <42CE7BA8.30704@gmx.co.uk>
In-Reply-To: <9927912d0507072234673f1aa0@mail.gmail.com>

Visham Ramsurrun wrote:
> I was once told that in order to start a firewall automatically when a
> machine boots, we must make sure that the init process calls the
> script by making a symbolic link to that file in the /etc/rc.d/rcX.d
> directories.

This is not an iptables / netfilter issue. Different distros do this in 
different ways. Take this up in your distro's documentation or an 
appropriate forum.

That said ... I agree with what Robert told you.

> Let's say I have a firewall script called fw.sh with the following rules in it:

This IS a netfilter issue.

> $IPT -F
> $IPT -X
> $IPT -P INPUT DROP
> $IPT -P OUTPUT DROP
> $IPT -P FORWARD DROP
> 
> $IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24 -m state --state NEW,ESTABLISHED,RELATED -p icmp --icmp-type echo-request -j ACCEPT
> 
> $IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24 -m state --state NEW,ESTABLISHED,RELATED -p icmp --icmp-type echo-reply -j ACCEPT

You are only planning to relay pings on your eth0 subnet, 
192.168.10.0/24. All INPUT and OUTPUT packets are dropped, including 
loopback.

This machine won't be performing any useful network service. I strongly 
suspect that your FORWARD rules will never be hit. Are other machines on 
192.168.10.0/24 (eth0) routing through this one somehow?
-- 
     mail to this address is discarded unless "/dev/rob0"
     or "not-spam" is in Subject: header
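The objections raised in the reply above can be checked mechanically. The following is an added example, not part of the original thread or of anyone's posted script: a small Python linter that parses iptables invocations of the form the poster used (a constructed copy of the posted rules, joined onto single lines) and reports INPUT/OUTPUT chains that default to DROP without any ACCEPT rule or without a loopback accept, and FORWARD rules whose -i and -o name the same interface. FIXED_SCRIPT is a hypothetical corrected variant of my own, shown only so the checker has a clean case to compare against; it is not something anyone in the thread proposed.

```python
"""Static checks for a simple iptables shell script (added example, not
from the original thread): default-DROP INPUT/OUTPUT with nothing accepted,
loopback dropped, and FORWARD rules that enter and leave on one interface."""
import shlex
from dataclasses import dataclass, field

# Constructed copy of the posted rules, joined onto single lines.
POSTED_SCRIPT = """\
IPT=/sbin/iptables
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24 -m state --state NEW,ESTABLISHED,RELATED -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24 -m state --state NEW,ESTABLISHED,RELATED -p icmp --icmp-type echo-reply -j ACCEPT
"""

# Hypothetical corrected variant (my addition, not from the thread): same
# DROP policies, but loopback and stateful return traffic are accepted.
FIXED_SCRIPT = """\
IPT=/sbin/iptables
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"""

IPTABLES_NAMES = ("$IPT", "iptables", "/sbin/iptables", "/usr/sbin/iptables")


@dataclass
class Rule:
    chain: str
    target: str            # value of -j, or None if the rule has no target
    opts: dict             # e.g. {"-i": "eth0", "-o": "eth0", "-p": "icmp"}


@dataclass
class Ruleset:
    policies: dict = field(default_factory=dict)   # chain -> policy
    rules: list = field(default_factory=list)


def parse_script(text):
    """Pick out -P (policy) and -A/-I (append/insert) invocations."""
    rs = Ruleset()
    for line in text.splitlines():
        toks = shlex.split(line.strip())
        if not toks or toks[0] not in IPTABLES_NAMES:
            continue                      # blank, comment, variable assignment
        args = toks[1:]
        if args[:1] == ["-P"] and len(args) >= 3:
            rs.policies[args[1]] = args[2]
        elif args[:1] in (["-A"], ["-I"]) and len(args) >= 2:
            opts, target, i = {}, None, 2
            while i < len(args):
                key = args[i]
                has_value = i + 1 < len(args) and not args[i + 1].startswith("-")
                if key == "-j" and has_value:
                    target = args[i + 1]
                    i += 2
                elif has_value:
                    opts[key] = args[i + 1]   # "-i eth0", "--state NEW,..."
                    i += 2
                else:
                    opts[key] = True          # flags that take no argument
                    i += 1
            rs.rules.append(Rule(args[1], target, opts))
    return rs


def check(rs):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    for chain, iface_flag in (("INPUT", "-i"), ("OUTPUT", "-o")):
        if rs.policies.get(chain) != "DROP":
            continue
        accepts = [r for r in rs.rules if r.chain == chain and r.target == "ACCEPT"]
        if not accepts:
            findings.append(f"{chain}: policy DROP with no ACCEPT rule; "
                            "the host itself can neither send nor receive")
        if not any(r.opts.get(iface_flag) == "lo" for r in accepts):
            findings.append(f"{chain}: no ACCEPT for lo; local daemons that "
                            "talk over 127.0.0.1 break")
    for r in rs.rules:
        if r.chain == "FORWARD" and r.opts.get("-i") and r.opts.get("-i") == r.opts.get("-o"):
            findings.append(f"FORWARD: rule enters and leaves on {r.opts['-i']}; "
                            "only hit if hosts on that subnet route through this box")
    return findings
```

Running check(parse_script(POSTED_SCRIPT)) yields six findings (two each for INPUT and OUTPUT, one per FORWARD rule); check(parse_script(FIXED_SCRIPT)) yields none. The parser only understands the flat "$IPT -A CHAIN options -j TARGET" shape used here; scripts that loop, use variables inside arguments, or call iptables-restore need a different approach.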



Thread overview: 5+ messages
2005-07-08  5:34 Starting a fw Visham Ramsurrun
2005-07-08  5:47 ` Robert Vangel
2005-07-08  6:00   ` Venkata Narayana
2005-07-08 13:12 ` /dev/rob0 [this message]
     [not found] ` <9927912d05071022336896dbb@mail.gmail.com>
2005-07-11  7:35   ` Robert Vangel
