Return-Path: <gentoo-user+bounces-167883-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 3A8CC13888F
	for <garchives@archives.gentoo.org>; Wed,  7 Oct 2015 05:46:33 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 6411221C01B;
	Wed,  7 Oct 2015 05:46:24 +0000 (UTC)
Received: from mail-wi0-f182.google.com (mail-wi0-f182.google.com [209.85.212.182])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 3964CE07D5
	for <gentoo-user@lists.gentoo.org>; Wed,  7 Oct 2015 05:46:23 +0000 (UTC)
Received: by wiclk2 with SMTP id lk2so11745249wic.1
        for <gentoo-user@lists.gentoo.org>; Tue, 06 Oct 2015 22:46:22 -0700 (PDT)
X-Received: by 10.194.171.3 with SMTP id aq3mr40314968wjc.54.1444196781858;
        Tue, 06 Oct 2015 22:46:21 -0700 (PDT)
Received: from dell_xps.localnet (230.3.169.217.in-addr.arpa. [217.169.3.230])
        by smtp.gmail.com with ESMTPSA id hx4sm36765296wjb.31.2015.10.06.22.46.19
        for <gentoo-user@lists.gentoo.org>
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Tue, 06 Oct 2015 22:46:20 -0700 (PDT)
From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] workstation iptables
Date: Wed, 7 Oct 2015 06:46:07 +0100
User-Agent: KMail/1.13.7 (Linux/4.0.5-gentoo; KDE/4.14.8; x86_64; ; )
References: <loom.20151006T210434-749@post.gmane.org>
In-Reply-To: <loom.20151006T210434-749@post.gmane.org>
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Content-Type: multipart/signed;
  boundary="nextPart2112051.QOy4DNc7Jl";
  protocol="application/pgp-signature";
  micalg=pgp-sha256
Content-Transfer-Encoding: 7bit
Message-Id: <201510070646.15772.michaelkintzios@gmail.com>
X-Archives-Salt: 370a1275-c0d3-48b1-90e6-222f7c482b18
X-Archives-Hash: ae054221ff963a3d6fd37a1cb420135d

On Tuesday 06 Oct 2015 20:14:59 James wrote:
> Hello,
> 
> I just ran across this page:
> 
> http://gentoo-en.vfose.ru/wiki/Iptables/Iptables_and_stateful_firewalls#State_basics
> 
> It has a basic firewall using iptables.
> Not bad for a generic firewall on an openrc workstation.
> What is the best way to auto launch this sort of firewall.sh ?

Start iptables, run the script, stop iptables with '/etc/init.d/iptables stop'
which will save your rules to /var/lib/iptables/rules-save, or run
'iptables-save /var/lib/iptables/rules-save'.  Add any sysctl changes to
/etc/sysctl.conf, so that they are permanent.  Re-run the script if you want
to change things in it.

> Any improvements in this basic workstation firewall
> everything out, nothing in?

Yes, but such improvements are suggested in subsequent scripts on the same
page, e.g. ICMP handling, selective logging, etc.  If all you want is "a basic
firewall using iptables" for the IPv4 workspace, then what you have will do
the job.


> Any good tools to quickly test this firewall from another local
> workstation?

nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX

-- 
Regards,
Mick
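As an added example (not part of Mick's reply or of the linked wiki page), a small POSIX shell script that wraps the persist sequence from the reply and checks that the file the OpenRC iptables service restores from, /var/lib/iptables/rules-save, still encodes the "everything out, nothing in" policy before it is trusted at boot. The script location /usr/local/sbin/firewall.sh, the exact rules in the sample dump and the `-m state`/`-m conntrack` match form are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked wiki page.
# check_rules_file FILE: returns 0 when the filter table in an
# iptables-save dump has INPUT/FORWARD policy DROP, OUTPUT policy ACCEPT
# and an INPUT rule accepting ESTABLISHED,RELATED (without that rule the
# replies to your own outbound connections would be dropped).
check_rules_file() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    # chain policies appear as ":CHAIN POLICY [pkts:bytes]" under "*filter"
    awk '
        /^\*/ { table = substr($1, 2) }
        table == "filter" && $1 == ":INPUT"   && $2 == "DROP"   { in_drop = 1 }
        table == "filter" && $1 == ":FORWARD" && $2 == "DROP"   { fwd_drop = 1 }
        table == "filter" && $1 == ":OUTPUT"  && $2 == "ACCEPT" { out_accept = 1 }
        table == "filter" && $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ &&
            /--(ct)?state (ESTABLISHED,RELATED|RELATED,ESTABLISHED)/ { est = 1 }
        END {
            if (!in_drop)    print "INPUT policy is not DROP"
            if (!fwd_drop)   print "FORWARD policy is not DROP"
            if (!out_accept) print "OUTPUT policy is not ACCEPT"
            if (!est)        print "no INPUT rule accepting ESTABLISHED,RELATED"
            if (in_drop && fwd_drop && out_accept && est) exit 0
            exit 1
        }' "$f"
}

# persist_rules: the sequence from the reply; needs root, so it is defined
# but not run here. /usr/local/sbin/firewall.sh is an assumed script path.
persist_rules() {
    /etc/init.d/iptables start
    sh /usr/local/sbin/firewall.sh
    iptables-save > /var/lib/iptables/rules-save   # same file "stop" writes
    check_rules_file /var/lib/iptables/rules-save || return 1
    rc-update add iptables default   # restore rules-save at every boot
}

# Constructed sample dump standing in for rules-save (rules are assumed).
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
check_rules_file "$SAMPLE_RULES" && echo "rules-save policy looks sane"
```

Run the check against the real file after every `/etc/init.d/iptables stop` or `iptables-save`, since a script re-run that forgets the ESTABLISHED,RELATED rule still saves cleanly but leaves the workstation unable to receive replies.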
