** Reply to message from David Kramer <[EMAIL PROTECTED]> on Thu, 08 Aug 2002 12:41:23 -0700
> I'm new to iptables and I was wondering if the example netfilter provides
> for setting up iptables (rc.firewall.txt) was any good? Are there any
> exploits that I should fix within this example? Any insight would be great.
> Thanks, Dave

The only sage advice I could come up with is to use the most recent iptables
code you can find - either 1.2.6a from the rawhide repository on redhat's ftp
servers, or go for the latest iptables release from the homepage of the
netfilter project.

The only bug that remains unfixed to my knowledge that affects everybody is
the potential leakage of inside info through icmp on the output chain. The
best way to protect yourself from that is to ensure the following rule is
included somewhere before the final rule:

/sbin/iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP

This is a hard one to fix within the current netfilter framework so everybody
should have this rule in their iptables rulesets.

jb

-- 
Jack Bowling
mailto: [EMAIL PROTECTED]

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
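Added example, not part of Jack's reply and not netfilter project code: a POSIX shell check that reads an iptables-save dump on stdin and verifies that the ICMP INVALID drop rule recommended above is present in the filter table's OUTPUT chain and sits before any catch-all terminal rule (a bare `-j DROP` or `-j REJECT`), since a rule appended after the final rule is never reached. The function name check_icmp_invalid_drop and the three sample rulesets are my own constructions; the conntrack spelling of the match (`-m conntrack --ctstate INVALID`) is accepted as an equivalent, which the mail does not mention.

```shell
#!/bin/sh
# Added example (not from the original mail). Reads an iptables-save dump on
# stdin and checks the filter table's OUTPUT chain for the ICMP INVALID drop.
# Exit status: 0 = present and before the final rule, 1 = missing,
#              2 = present but after a catch-all terminal rule (unreachable).
check_icmp_invalid_drop() {
    awk '
        /^\*/     { table = substr($0, 2) }   # "*filter", "*nat", ...
        /^COMMIT/ { table = "" }
        table == "filter" && /^-A OUTPUT / {
            n++
            # The rule from the thread; conntrack form accepted as equivalent.
            if (!found && $0 ~ /-p icmp .*-m (state --state|conntrack --ctstate) INVALID .*-j DROP$/) found = n
            # A catch-all terminal rule: only the chain and the target, no match.
            if (!final && $0 ~ /^-A OUTPUT -j (DROP|REJECT)( .*)?$/) final = n
        }
        END {
            if (!found)                 exit 1
            if (final && found > final) exit 2
            exit 0
        }
    '
}

# Constructed sample rulesets (iptables-save format) for an offline run.
GOOD_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT'

BAD_ORDER_RULESET='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT -p icmp -m state --state INVALID -j DROP
COMMIT'

MISSING_RULESET='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j DROP
COMMIT'

# Prints a one-line verdict for a labelled ruleset string.
report() {
    printf '%s\n' "$2" | check_icmp_invalid_drop
    case $? in
        0) echo "$1: OK, ICMP INVALID drop present before the final rule" ;;
        1) echo "$1: MISSING the ICMP INVALID drop rule" ;;
        2) echo "$1: rule present but AFTER the final rule (never reached)" ;;
    esac
}

report good      "$GOOD_RULESET"
report bad-order "$BAD_ORDER_RULESET"
report missing   "$MISSING_RULESET"
```

On a live host the same check runs as `iptables-save | check_icmp_invalid_drop`; a non-zero status is the cue to insert the rule earlier in the OUTPUT chain (`-I OUTPUT <n>` instead of `-A OUTPUT`) rather than appending it below the final drop.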