From: Oriol Magrané
Subject: Simple question
Date: Wed, 5 May 2004 17:27:23 +0200
Message-ID: <001501c432b5$7a5c5f80$a704a8c0@mpro4167>
To: netfilter@lists.netfilter.org

Hello!

Just one question...

I have a firewall with the INPUT, OUTPUT and FORWARD policies set to DROP,
and now I want to allow connections from localhost to localhost (any port).
Which chains are implied here? INPUT? OUTPUT? Both?

How should the needed rule(s) be?

Thank you very much in advance!

Oriol


From: Aleksandar Milivojevic
Subject: Re: Simple question
Date: Wed, 05 May 2004 11:19:50 -0500
Message-ID: <40991426.2000805@pbl.ca>
In-Reply-To: <001501c432b5$7a5c5f80$a704a8c0@mpro4167>
To: Oriol Magrané
Cc: netfilter@lists.netfilter.org

Oriol Magrané wrote:
> Hello!
> Just one question...
> I have a firewall with the INPUT, OUTPUT and FORWARD policies set to
> DROP, and now I want to allow connections from localhost to localhost
> (any port). Which chains are implied here? INPUT? OUTPUT? Both?
> How should the needed rule(s) be?

You'd need both INPUT and OUTPUT. Just as if it were a connection to a
remote system (just think what rules you would put on both the local and
the remote system if it were a remote connection, and then apply both sets
of rules to the local system, removing duplicates).
-- 
Aleksandar Milivojevic          Pollard Banknote Limited
Systems Administrator           1499 Buffalo Place
Tel: (204) 474-2323 ext 276     Winnipeg, MB R3T 1L7


From: Antony Stone
Subject: Re: Simple question
Date: Wed, 5 May 2004 17:25:00 +0100
Message-ID: <200405051725.00610.Antony@Soft-Solutions.co.uk>
In-Reply-To: <001501c432b5$7a5c5f80$a704a8c0@mpro4167>
To: netfilter@lists.netfilter.org

On Wednesday 05 May 2004 4:27 pm, Oriol Magrané wrote:
> Hello!
> Just one question...
> I have a firewall with the INPUT, OUTPUT and FORWARD policies set to
> DROP, and now I want to allow connections from localhost to localhost (any
> port). Which chains are implied here? INPUT? OUTPUT? Both? How should the
> needed rule(s) be?

Yes, you need to allow the packets out through OUTPUT, in through INPUT, and
the interfaces will both be lo.

If in doubt, just add some LOGging rules and see what happens when you try to
send packets.

Regards,

Antony.

-- 
Late in 1972 President Richard Nixon announced that the rate of increase of
inflation was decreasing. This was the first time a sitting president used
a third derivative to advance his case for re-election.

 - Hugo Rossi, Notices of the American Mathematical Society

Please reply to the list; please don't CC me.
From: Jim Laurino
Subject: Re: Simple question
Date: Wed, 5 May 2004 12:35:29 -0400
Message-ID: <20040505163529.GA27677@salty>
In-Reply-To: <001501c432b5$7a5c5f80$a704a8c0@mpro4167>
To: netfilter@lists.netfilter.org

On 2004.05.05 11:27, Oriol Magrané - omagrane@mediapro.es wrote:
> Hello!
> Just one question...
> I have a firewall with the INPUT, OUTPUT and FORWARD
> policies set to DROP, and now I want to allow connections
> from localhost to localhost (any port). Which chains are
> implied here? INPUT? OUTPUT? Both?
> How should the needed rule(s) be?
>
> Thank you very much in advance!
>
> Oriol

I put these simple rules in my INPUT and OUTPUT chains. I checked the
counts, and these handle the most traffic, so I put them first in their
chains.

# accept packets originating on this machine (arriving on the loopback interface)
iptables -A INPUT -i lo -j ACCEPT

# allow packets from this machine to this machine (leaving via the loopback interface)
iptables -A OUTPUT -o lo -j ACCEPT

I hope that helps.
Jim


From: Martijn Lievaart
Subject: Re: Simple question
Date: Wed, 05 May 2004 19:43:51 +0200
Message-ID: <409927D7.7040705@rtij.nl>
In-Reply-To: <001501c432b5$7a5c5f80$a704a8c0@mpro4167>
To: Oriol Magrané
Cc: netfilter@lists.netfilter.org

Oriol Magrané wrote:
> Hello!
> Just one question...
> I have a firewall with the INPUT, OUTPUT and FORWARD policies set
> to DROP, and now I want to allow connections from localhost to
> localhost (any port). Which chains are implied here? INPUT? OUTPUT? Both?
> How should the needed rule(s) be?

This should do it:

-A INPUT -i lo -j ACCEPT
-A OUTPUT -i lo -j ACCEPT

HTH,
M4


From: Antony Stone
Subject: Re: Simple question
Date: Thu, 6 May 2004 22:45:51 +0100
Message-ID: <200405062245.51694.Antony@Soft-Solutions.co.uk>
In-Reply-To: <409927D7.7040705@rtij.nl>
To: netfilter@lists.netfilter.org

On Wednesday 05 May 2004 6:43 pm, Martijn Lievaart wrote:
> Oriol Magrané wrote:
> > Hello!
> > Just one question...
> > I have a firewall with the INPUT, OUTPUT and FORWARD policies set
> > to DROP, and now I want to allow connections from localhost to
> > localhost (any port). Which chains are implied here? INPUT? OUTPUT? Both?
> > How should the needed rule(s) be?
>
> This should do it:
> -A INPUT -i lo -j ACCEPT
> -A OUTPUT -i lo -j ACCEPT

Actually, I would suggest instead:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

:)

Antony.

-- 
"When you talk about Linux versus Windows, you're talking about which
operating system is the best value for money and fit for purpose. That's a
very basic decision customers can make if they have the information available
to them. Quite frankly if we lose to Linux because our customers say it's
better value for money, tough luck for us."

 - Steve Vamos, MD of Microsoft Australia

Please reply to the list; please don't CC me.


From: Askar
Subject: simple question
Date: Wed, 27 Apr 2005 16:35:15 +0600
To: netfilter@lists.netfilter.org

hi list

If I put "iptables --policy FORWARD ACCEPT", do I still need a line, i.e.

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Regards
Askar

-- 
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams


From: Mohamed Eldesoky
Subject: Re: simple question
Date: Wed, 27 Apr 2005 12:50:28 +0200
Message-ID: <1403218a05042703502786f182@mail.gmail.com>
To: Askar, netfilter

Yes or No, depends on your rules !!

On 4/27/05, Askar wrote:
> hi list
>
> If I put "iptables --policy FORWARD ACCEPT", do I still need a line, i.e.
>
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Regards
>
> Askar

-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE


From: Askar
Subject: Re: simple question
Date: Wed, 27 Apr 2005 16:58:03 +0600
In-Reply-To: <1403218a05042703502786f182@mail.gmail.com>
To: Mohamed Eldesoky
Cc: netfilter

you mean if I have rules like

iptables -P FORWARD ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT

then putting the ESTABLISHED,RELATED thing will help? However, why should
I put ACCEPT rules in FORWARD when the default policy for it is already to
accept everything?

thanks and regards
Askar

On 4/27/05, Mohamed Eldesoky wrote:
> Yes or No, depends on your rules !!
>
> On 4/27/05, Askar wrote:
> > hi list
> >
> > If I put "iptables --policy FORWARD ACCEPT", do I still need a line, i.e.
> >
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > Regards
> >
> > Askar

-- 
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams


From: Cedric Blancher
Subject: Re: simple question
Date: Wed, 27 Apr 2005 13:04:59 +0200
Message-ID: <1114599900.5364.22.camel@anduril.intranet.cartel-securite.net>
To: Askar
Cc: netfilter, Mohamed Eldesoky

On Wednesday 27 April 2005 at 16:58 +0600, Askar wrote:
> you mean if I have rules like
> iptables -P FORWARD ACCEPT

If you have this, then any ACCEPT rule will be useless. As simple as
this.

-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
From: Cedric Blancher
Subject: Re: simple question
Date: Wed, 27 Apr 2005 13:07:02 +0200
Message-ID: <1114600023.5364.24.camel@anduril.intranet.cartel-securite.net>
In-Reply-To: <1114599900.5364.22.camel@anduril.intranet.cartel-securite.net>
To: Askar
Cc: netfilter, Mohamed Eldesoky

On Wednesday 27 April 2005 at 13:04 +0200, Cedric Blancher wrote:
> If you have this, then any ACCEPT rule will be useless. As simple as
> this.

Well, not quite. It is, except if you want to rely on DROP/ACCEPT
combinations to make exclusions and related stuff.

-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
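The chain semantics behind this exchange (first matching rule wins, the chain policy only applies when nothing matched, and an ACCEPT rule ahead of a trailing DROP is exactly the "DROP/ACCEPT combination" that makes the policy irrelevant), together with the lo rules from the earlier loopback thread, as an added runnable model. This is illustration code written for this archive, not anything posted to the list; the Chain class, FIELDS table, function names and packet dicts are all constructed here, the parser handles only the options that appear in these threads, and the per-chain -i/-o check mirrors the error iptables itself reports.

```python
# Added illustration, not code from the thread: a reduced model of how a
# netfilter built-in chain evaluates iptables-style rules (constructed here).
import shlex

FIELDS = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport"}

class Chain:
    """First matching rule decides; the policy applies only if none matched."""
    def __init__(self, name, policy):
        self.name, self.policy, self.rules = name, policy, []

    def append(self, rule):
        """Parse '-A <chain> [matches] -j <target>' and add it to the chain."""
        argv = shlex.split(rule)
        # iptables rejects interface matches that cannot apply in a chain:
        # INPUT packets have no output interface, OUTPUT packets no input one.
        if self.name == "INPUT" and "-o" in argv:
            raise ValueError("Can't use -o with INPUT")
        if self.name == "OUTPUT" and "-i" in argv:
            raise ValueError("Can't use -i with OUTPUT")
        opts = dict(zip(argv[2::2], argv[3::2]))  # every option takes one value
        target = opts.pop("-j")
        opts.pop("-m", None)                      # '-m state' only loads the match
        self.rules.append((opts, target))

    @staticmethod
    def _matches(match, pkt):
        for key, want in match.items():
            got = pkt.get("state") if key == "--state" else str(pkt.get(FIELDS[key]))
            if got not in (want.split(",") if key == "--state" else (want,)):
                return False
        return True

    def verdict(self, pkt):
        """Return (verdict, number of rules the packet had to traverse)."""
        for n, (match, target) in enumerate(self.rules, 1):
            if self._matches(match, pkt):
                return target, n
        return self.policy, len(self.rules)

def loopback_verdicts():
    """Oriol's case: DROP policies plus the two lo rules the thread settles on."""
    inp, out = Chain("INPUT", "DROP"), Chain("OUTPUT", "DROP")
    inp.append("-A INPUT -i lo -j ACCEPT")
    out.append("-A OUTPUT -o lo -j ACCEPT")
    pkt = {"proto": "tcp", "dport": 80, "state": "NEW"}   # constructed packet
    # a locally generated packet traverses OUTPUT, then loops back through INPUT
    return out.verdict({**pkt, "out": "lo"})[0], inp.verdict({**pkt, "in": "lo"})[0]

def forward_traversal(state_rule_first):
    """ACCEPT policy with a trailing DROP: the policy is never reached, and
    rule order decides how many rules an ESTABLISHED packet traverses."""
    fwd = Chain("FORWARD", "ACCEPT")
    rules = ["-A FORWARD -p tcp --dport 22 -j ACCEPT",
             "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for rule in (rules[::-1] if state_rule_first else rules) + ["-A FORWARD -j DROP"]:
        fwd.append(rule)
    new_http = {"in": "eth0", "out": "eth1", "proto": "tcp", "dport": 80, "state": "NEW"}
    return {"new_http": fwd.verdict(new_http),
            "reply": fwd.verdict({**new_http, "state": "ESTABLISHED"})}
```

With the trailing DROP in place, a NEW packet to port 80 is dropped by rule three and the ACCEPT policy never decides anything; moving the ESTABLISHED,RELATED rule to the front cuts the reply packet's traversal from two rules to one.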
From: Jason Opperisano
Subject: Re: simple question
Date: Wed, 27 Apr 2005 10:21:45 -0400
Message-ID: <20050427142144.GA22455@bender.817west.com>
To: netfilter@lists.netfilter.org

On Wed, Apr 27, 2005 at 04:35:15PM +0600, Askar wrote:
> hi list
>
> If I put "iptables --policy FORWARD ACCEPT", do I still need a line, i.e.
>
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

two thoughts:

1) if your last rule in the FORWARD chain is:

iptables -A FORWARD -j DROP

then your FORWARD chain POLICY will never be enforced, as all packets will
be matched and dropped by the last rule. the only reason i bring this up
is that i keep seeing rule sets that do this: POLICY set to ACCEPT and
last rule set to DROP.

2) performance. the *vast* majority of packets will match the "-m state
--state ESTABLISHED,RELATED" rule. putting it first in your built-in
chains means that the vast majority of your packets will only have to
traverse one rule before moving on. relying on the chain POLICY to match
these packets means these packets have to traverse *every* rule before
moving on. for large rule sets, this is just poor design.

final thought: setting the default policy of your firewall to ACCEPT isn't
very good "firewalling," IMHO--but that's really more of a philosophical
debate than a technical one. no matter how permissive the rules end up
being, I always start with a default deny, and then allow specific
traffic.

-j

-- 
"Peter: You know, I oughta just give you some beer. Goes straight through
you.
Stewie: Wonderful. And while we're at it, we can light up a doobie and
watch porn.
Peter: Eh... yeah?"
--Family Guy


From: "Filka Michal"
Subject: simple question
Date: Tue, 22 May 2007 14:35:54 +0200
Message-ID: <2DD3CA89774593478BC28081C7392595BEC225@exalfa.stromtelecom.cz>
To: netfilter@lists.netfilter.org

Hi,

Can anyone tell me what exactly an update event means? Of course, I have
an idea, but I need to confirm it.

So, does it mean that a "state" attribute changed (e.g. connection state,
counter, ...), or is it related to a "configuration" attribute?

Thanks,

Michal Filka


From: "Filka Michal"
Subject: RE: simple question
Date: Wed, 23 May 2007 07:33:41 +0200
Message-ID: <2DD3CA89774593478BC28081C7392595BEC47B@exalfa.stromtelecom.cz>
To: netfilter@lists.netfilter.org

I would like to somehow use conntrack's events for very simple
synchronization of two connection tracking tables. So, I need to know
what should be the reason for particular events. As far as I know there
are NEW, UPDATE and DESTROY events available. In the case of the UPDATE
event I'm not sure when it occurs ...

So, when is the UPDATE event issued?

Thanks,

Michal Filka

>
> I'm assuming that "update" originates from the idea of a database
> trigger.
> A trigger is an action performed after another action occurs.
> For example, when entering a new record, you could call a procedure to
> error check the formatting of the entry. Another example might be to
> add a record to a log table which logs the activity which occurs after
> a record is updated.
>
> I'd imagine that what you are talking about (update) is an event
> similar to a trigger. This means that the answer would depend on what
> the trigger is set for. Maybe it is when state is updated, or maybe it
> is when the configuration is updated. Maybe both.
>
> I have no idea to what you are referring or asking about, so beyond
> what I have detailed above, I cannot give you an answer.
>
> Sorry.
>
> On 5/22/07, Filka Michal wrote:
> > Hi,
> >
> > Can anyone tell me what exactly an update event means? Of course, I have
> > an idea, but I need to confirm it.
> >
> > So, does it mean that a "state" attribute changed (e.g. connection state,
> > counter, ...), or is it related to a "configuration" attribute?
> >
> > Thanks,
> >
> > Michal Filka
>
> --
> I thought about building you a boat to survive the river of tears I'm
> crying for you, but the world's smallest violins just aren't a
> reliable source of lumber, and that cross you're nailing yourself to
> seems buoyant enough anyways - Dr Gregory House, M.D.