[plug] What was that? (firewall breached?)
Craig Ringer
craig at postnewspapers.com.au
Fri May 16 10:21:05 WST 2003
>>Did iptables fail silently, or was it your iptables /script/ that failed
>>silently?
>
> Yes, you're right. The script, it hung when I reloaded it and didn't get
> beyond flushing the rules.
One handy thing you can do there is structure your scripts so that the
default actions on INPUT, OUTPUT and FORWARD are left at DENY when the
rules are flushed. That way, if something stuffs up you fall offline
rather than opening up to the world. Of course, you wouldn't do this on
a co-lo....
Also, a bit of error checking in scripts is always a good idea. Too bad
the shell doesn't have anything like Python's try blocks.
>>as for re-initing it... if you're on something like a dialup link or DSL
>>with a dynamic IP, you should be flushing and re-initing at every
>>connect. Otherwise, there should be no need unless some other program on
>>your system is stuffing up your rules.
>
> I have a permanent IP but I'm feeling paranoid at the moment :).
It's a good idea with static IP DSL as well, if you're using PPPoE, come
to think of it. You /might/ (I'm not sure off the top of my head) lose
any '-i ppp0' or '-o ppp0' rules if ppp goes down... anyway, paranoia is
always advised. I still find myself thinking in terms of my old bridged
DSL connection far too often.
Craig
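Craig's fail-closed layout, written out as an added shell script (not code from the list post): the built-in chains' policy is set to DROP (iptables' name for what ipchains called DENY) before the flush, and every rule goes through a small checker that aborts the script on the first failure, which is about as close to a try block as plain sh gets. The `ppp0` interface and the SSH rule are assumed placeholders.

```shell
#!/bin/sh
# Fail-closed iptables reload (constructed example). Default policies go to
# DROP *before* the flush, so a script that hangs or dies part-way leaves
# the host offline instead of wide open. Run as root with --apply.
set -eu

IPTABLES="${IPTABLES:-iptables}"   # overridable, e.g. with a stub for a dry run
EXT_IF="${EXT_IF:-ppp0}"           # assumed external interface name

# run_rule: the poor man's try block. A rule that fails to load prints
# itself and aborts the whole script rather than being skipped silently.
run_rule() {
    if ! "$IPTABLES" "$@"; then
        echo "iptables rule failed, aborting: $*" >&2
        exit 1
    fi
}

firewall_reload() {
    # 1. Lock the door first: DROP policy on every built-in chain.
    run_rule -P INPUT DROP
    run_rule -P OUTPUT DROP
    run_rule -P FORWARD DROP
    # 2. Only now flush the old rules and delete user chains. If anything
    #    after this point fails, the DROP policies are what remains.
    run_rule -F
    run_rule -X
    # 3. Re-add the rule set, most important rules first, so a partial
    #    load still leaves loopback and existing sessions working.
    run_rule -A INPUT -i lo -j ACCEPT
    run_rule -A OUTPUT -o lo -j ACCEPT
    run_rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run_rule -A OUTPUT -o "$EXT_IF" -j ACCEPT
    run_rule -A INPUT -i "$EXT_IF" -p tcp --dport 22 -j ACCEPT
}

if [ "${1:-}" = "--apply" ]; then
    firewall_reload
fi
```

Setting `IPTABLES=echo` before running gives a dry run that prints the rules in the order they would be loaded.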