
RE: [SLUG] ipchains question


Yes, and the order of your rules is also important, because a network packet
is checked against those rules starting at the top, one by one.
If it finds an applicable rule it will action it (ACCEPT, DENY, REJECT or
REDIRECT) and stop checking any further rules.
If no applicable rule is found, the default policy (usually, but not always,
DENY) is applied to the packet and actioned.

The example you gave is a log entry that indicates that a packet (proto 17
is TCP??) from 129.78... to 129.78... has been denied.

Also, the existence of the log entry as such indicates that the DENY must be
a rule that has the -l option activated, as default policies do not log
denied (or accepted) packets.


Your ruleset also does not allow port 53 udp as well as 53 tcp. Both are
necessary for DNS resolution.

Hope this helps.

Bernhard Lüder

This electronic mail is solely for the use of the addressee and may contain
information that is confidential or privileged.  If you receive this
electronic mail in error, please delete it from your system immediately and
notify the sender by electronic mail.


-----Original Message-----
From: slug-admin@xxxxxxxxxxx [mailto:slug-admin@xxxxxxxxxxx]On Behalf Of
Crossfire
Sent: Wednesday, February 21, 2001 6:10 PM
To: Danny Yee; slug@xxxxxxxxxxx
Subject: Re: [SLUG] ipchains question


Danny Yee was once rumoured to have said:
> When I try to turn firewalling on, I'm having long DNS delays, and reports
> like this in my logfile

Then something is wrong.

> Feb 21 17:41:53 stravinsky kernel: Packet log: input DENY ppp0 PROTO=17
> 129.78.###.###:65535 129.78.###.###:65535 L=28 S=0x00 I=19120 F=0x4022 T=252
> (#17)
> (with actual IP addresses #ed)

That's just a log entry for a packet that failed to match... big loss.


>
> But ipchains -L reports

[partial rules snipped]
>
> Can someone tell me what I'm doing wrong?

If you gave us the full ruleset, we might be able to tell you.

The key thing to remember with ipchains is that it uses first match,
unlike {Net,Open}BSD's ipf which use last match.

C.
--
--==============================================--
  Crossfire      | This email was brought to you
  xfire@xxxxxxxx | on 100% Recycled Electrons
--==============================================--
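The first-match evaluation both replies describe, as an added example that is not part of the thread: a small Python simulator of an ipchains-style chain, with constructed rule sets (not Danny's actual ruleset) showing how a catch-all logging DENY produces the "Packet log:" lines, why the default policy never logs, how a missing UDP 53 rule breaks DNS, and how a misplaced catch-all shadows every rule below it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

UDP, TCP = 17, 6  # IP protocol numbers; PROTO=17 in the quoted log line is UDP

@dataclass
class Rule:
    target: str                    # ACCEPT, DENY or REJECT
    proto: Optional[int] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port
    log: bool = False              # ipchains -l: log packets this rule matches

def covers(rule: Rule, proto: int, dport: int) -> bool:
    return rule.proto in (None, proto) and rule.dport in (None, dport)

def filter_packet(chain: List[Rule], policy: str, proto: int, dport: int) -> Tuple[str, bool]:
    """Walk the chain top to bottom; the first matching rule decides and
    checking stops. Returns (verdict, logged). The default policy never logs."""
    for rule in chain:
        if covers(rule, proto, dport):
            return rule.target, rule.log
    return policy, False

def shadowed(chain: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire: an earlier rule already matches
    everything they would, so under first-match they are dead."""
    dead = []
    for i, later in enumerate(chain):
        if any(earlier.proto in (None, later.proto) and
               earlier.dport in (None, later.dport) for earlier in chain[:i]):
            dead.append(i)
    return dead

# Constructed chains. BROKEN opens TCP 53 only, then logs and denies everything
# else, so DNS lookups over UDP hit the logging DENY and show up in the logfile.
BROKEN = [Rule("ACCEPT", TCP, 53), Rule("DENY", log=True)]
# FIXED adds UDP 53 in front, as the reply above recommends.
FIXED = [Rule("ACCEPT", UDP, 53)] + BROKEN
# MISORDERED puts the catch-all first, so the ACCEPT rules can never match.
MISORDERED = [Rule("DENY", log=True), Rule("ACCEPT", UDP, 53), Rule("ACCEPT", TCP, 53)]

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN), ("fixed", FIXED), ("misordered", MISORDERED)):
        print(name, "udp/53 ->", filter_packet(chain, "DENY", UDP, 53),
              "shadowed rule indexes:", shadowed(chain))
```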

--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug