Skip to main content

Thread: Hey all you firewall creators -- Let's talk

-

on subject of linux firewalls, there seems lot of discussion opening or allowing ports, lot of other finer nuances seemed missed.

see code floating around internet such following, commonly added ip start scrips:

echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

these kernel modifications effective, , there others should added firewall startup script?

quote posted kevdog view post
on subject of linux firewalls, there seems lot of discussion opening or allowing ports, lot of other finer nuances seemed missed.

see code floating around internet such following, commonly added ip start scrips:

echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

these kernel modifications effective, , there others should added firewall startup script?
these kernel tuneables , can effective depending on desired result. there few in there performance opposed security enhancements , think depend heavily on type of traffic you're expecting see. system security point of view ones feel important following

code:
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo "1" > /proc/sys/net/ipv4/conf/all/log_martians echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter echo "1" > /proc/sys/net/ipv4/tcp_syncookies echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
as these tuneables focus on either logging or deterring traffic used in malicious nature.

hope helps


Forum The Ubuntu Forum Community Ubuntu Specialised Support Security [ubuntu] Hey all you firewall creators -- Let's talk


Ubuntu

Comments

Post a Comment

Popular posts from this blog

how to devide a circle into equal parts

-
how devide circle equal parts reggie,   depending on version, may able use free divide (length) script available here, setting number,   http://park12.wakwak.com/~shp/lc/et/en_aics_script.html   or may (smart guides friends):   1) use polar grid tool right size of circle, 0 concentric dividers , desired number of radial dividers, , ungroup; 2) extend radial dividers; 3) select circle , use scissors tool @ intersections (smart guides intersect ), may need select remaining parts underway.   or may (smart guides friends):   1) create vertical line through top , bottom (or left , right) anchor points line tool; 2) rotate copies @ relevant angles (to half number of cuts division); 3) select circle , use scissors tool @ intersections (smart guides intersect ), may need select remaining parts underway. More discussions in Illustrator adobe
Read more

"Could not fill because there are not enough opaque source pixels" - not solved by any other thread

-
i'm getting error posted in thread's title , have no idea why.  working image not transparent in way. 100% opacity.  in fact, doesn't matter work with, every time try fill selection on layer in doc, error.  ideas???  thanks   scott probably see screen shot of photoshop layers panel open. at point guess can make wrong layer selected, once see screen, else may pop out @ me, or else reading thread. More discussions in Photoshop for Beginners adobe
Read more

Why can't I change the billing info for my account?

-
hi all,   about 3 weeks ago issued new corporate cc number. have been trying since find way update in website. everytime try load billing info message 'there has been error on our side, please try again later.' has been happening weeks now. decided, if they're not going fix it, i'll call support.   i reported bug support, no response.   i called support , sat on hold update cc. hung on when should have been answered. happened twice (i'm persistent).   i registered call-back. got call-back, , told needed go person. got warm transfer because of above problem.   this person told me needed talk yet different team, , schedule call me in 1-2 hours.   it has been on week, maybe week , half since supposed receive call-back, , ticket updated yesterday; they've tried reach me no success (yeah, right), them do? left note: call me @ number within next 4 hours, , can settle this. guess got pacific time support team, because called 16 hours later (i'm gmt, way; company u...
Read more