Comments (5)
hello,
@1: actually yes and no. if i define some rules like black- or whitelisted ips, then i KNOW everything with that source ip is ok or hostile, so i either allow anything or block anything. so i have no reason for further checks. same is true for custom rules. i am not 100% sure on opening ports. i have to think about this - thanks for the hint.
@2: not sure about this, have to investigate this one too.
@3: this is not a duplicate. on lines 66-68 i define a chain and apply some rules to the chain. on line 146 i push the packets to the chain. (think of defining a function and calling it later)
@4: i can't see a reason to log martian packets. i don't gain useful information by storing packets with a bogus source ip. e.g. i can't analyze the logs and blacklist ips (because they are not the real ip). if i would log them, they just eat up disk space or even worse fill up the entire disk and take the whole host down (flooding). this is why i limit logging on portscans and invalid packets as well.
@5: i think about that too, when i rearrange the execution order (see answer 1). but you can uncomment line 96 if you don't want icmp. i happen to like my hosts pingable :)
@6: no i don't think you have to restart another service, not 100% sure though.
generally: it's a boilerplate, no full blown firewall or a service or a daemon. boilerplate means i copy this to every host during setup, but i change the script if i need to. there is no way to write a fw-script that is good for all hosts or usecases. think of it as a blueprint with sane defaults, but it's absolutely ok to add or delete stuff.
from iptables-boilerplate.
@3: ok, I see, thank you.
@4: I understand your point of view. Need to think about it.
@5: me too! But I fear ICMP flood. That's why I think that we need a limit for echo-requests.
I searched a lot on the web, and your boilerplate is clearly the best for me. Well thought out, well structured and documented. I analysed it, to be sure that everything is inside (and more specifically: security against attacks).
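An added example (not code from the iptables-boilerplate repository) of the chain-then-jump pattern described in the first reply, combined with the per-source echo-request limit this comment asks for and the capped logging the first reply uses against disk flooding. The chain name ICMP_IN, the rates and the log prefix are assumed values; IPT defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Dry run by default: prints the iptables commands instead of applying them.
# Run as root with IPT=iptables to load the rules for real.
IPT="${IPT:-echo iptables}"

# Build a dedicated ICMP chain: accept the ICMP types the host needs,
# accept echo-requests only within a per-source rate, log the excess at a
# capped rate (so a flood cannot fill the disk), then drop the rest.
icmp_chain() {
    rate="${1:-5/second}"   # assumed per-source echo-request rate
    burst="${2:-10}"        # assumed burst allowance per source

    $IPT -N ICMP_IN

    # error and path-MTU messages are required for working TCP
    $IPT -A ICMP_IN -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A ICMP_IN -p icmp --icmp-type time-exceeded -j ACCEPT

    # keep the host pingable, but limit each source address separately
    $IPT -A ICMP_IN -p icmp --icmp-type echo-request \
        -m hashlimit --hashlimit-name icmp_echo --hashlimit-mode srcip \
        --hashlimit-upto "$rate" --hashlimit-burst "$burst" -j ACCEPT

    # log the excess, a few lines per minute at most
    $IPT -A ICMP_IN -p icmp --icmp-type echo-request \
        -m limit --limit 3/minute --limit-burst 5 \
        -j LOG --log-prefix "ICMP_IN flood: " --log-level 4

    # everything else that reached this chain is dropped
    $IPT -A ICMP_IN -j DROP

    # "call" the chain: push ICMP arriving on INPUT through ICMP_IN
    $IPT -A INPUT -p icmp -j ICMP_IN
}
```

The same chain can be built for IPv6 by running the function with IPT=ip6tables and replacing `-p icmp --icmp-type` with `-p ipv6-icmp --icmpv6-type` (and the corresponding ICMPv6 type names).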
@bmaeser: Can you update your script for Ubuntu 16.04?
yes, it's in my pipeline to port this project to systemd (among other things, like splitting it up into ipv4 and ipv6 settings). the problem is, i haven't had much time lately and i guess it will be at least a couple more weeks till i get to it.
i suggest using ufw on ubuntu in the meantime.
Thank you very much. I'm waiting for the next update :D