From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Eric Leblond <eric@regit.org>
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: doc: Secure use of iptables and connection tracking helpers
Date: Sat, 03 Dec 2011 14:33:19 +0000
Message-ID: <4EDA332F.2010409@googlemail.com>
In-Reply-To: <1322919966.2568.5.camel@ice-age.regit.org>


> Most of them have been fixed by Jan, I will have a cautious look.
>   
Much better (in addition to what I posted previously) :-D :

p.1 "tranfers" should be "transfers"
p.1 "This system lays on parsing of data coming or from the user or from 
the server. It is thus subject to attack and this is necessary to take 
some protections when using connection tracking helpers" should be "The 
system relies on parsing of data coming either from the user or the 
server. It is, therefore, vulnerable and ("all the necessary 
precautions"/"great care") must be taken when using connection tracking 
helpers."
p.1 "tracking helpers are thus dependent on" should be "tracking helpers 
are therefore dependent on"
p.2 "and it is thus deactivated by default." should be "and it is 
therefore deactivated by default."
p.2. "They permit to activate the extended but dangerous features of 
some protocols." should be "They permit activation of the extended, but 
dangerous, features of some protocols."
p.3 "All iptables lines using “-m state --state RELATED” should be used 
in conjunction with the choice of a helper. Doing that, you " should be 
"The following iptables statement should be used in conjunction with the 
choice of a helper:- “-m state --state RELATED”. By doing that, you"
p.4 "In particular, you have to do a strict anti-spoofing (has described 
below)" should be "In particular, you have to do strict anti-spoofing 
(as described below)"
p.4 "For example, let’s say we have a FTP server at IP address 1.2.3.4 
running on port 2121" should be "For example, let’s say we have FTP 
server running on IP address 1.2.3.4 and port 2121"
p.4 "We thus recommand NOT to use module options any more, and use the 
CT target instead" should be "Therefore, the use of module options is 
NOT recommended any more - please use the CT target instead."
p.4 "Each wanted helper use is then set by using a call to the CT 
target." should be "Each helper we need to use is then set by a call to 
the CT target."

> Arghh, the only one link I did not update after the renaming of the
> file:
> http://home.regit.org/wp-content/uploads/2011/11/secure-conntrack-helpers.pdf
>
> I'm hiding...
>   
No worries, I enjoyed reading this and it was educational for me too!
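The p.3 and p.4 items above describe the shape of ruleset the document recommends: bind the helper explicitly with the CT target rather than module options, apply strict anti-spoofing, and accept RELATED traffic only when the chosen helper created it. As an added example (not taken from Eric's document or from this thread), the POSIX shell script below prints such a ruleset in iptables-restore format for the FTP server at 1.2.3.4 port 2121 mentioned in the thread; the interface name eth0 and the internal network 10.0.0.0/8 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the secure-conntrack-helpers document.
# Values from the thread: FTP server 1.2.3.4 on port 2121.
# Assumed placeholders: eth0 is the external interface, 10.0.0.0/8 the LAN.
FTP_SERVER=1.2.3.4
FTP_PORT=2121
EXT_IF=eth0
INT_NET=10.0.0.0/8

# Print the ruleset without applying it, so it can be reviewed first and
# later fed to iptables-restore by an administrator.
helper_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
# Strict anti-spoofing: internal source addresses must not enter via the WAN.
-A PREROUTING -i $EXT_IF -s $INT_NET -j DROP
# Attach the ftp helper only to traffic really destined for our FTP server
# (CT target in the raw table, instead of nf_conntrack_ftp module options).
-A PREROUTING -p tcp -d $FTP_SERVER --dport $FTP_PORT -j CT --helper ftp
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -p tcp -d $FTP_SERVER --dport $FTP_PORT -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
# RELATED is accepted only in conjunction with the helper we chose.
-A FORWARD -m state --state RELATED -m helper --helper ftp -j ACCEPT
COMMIT
EOF
}

# Audit helper: count RELATED rules that are not tied to a helper (expect 0).
unqualified_related_rules() {
    helper_ruleset | grep -- '--state RELATED' | grep -vc -- '-m helper' || true
}

helper_ruleset
```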

