From: Kerin Millar
Date: Sat, 29 Dec 2012 03:59:16 +0000
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPTABLES syntax change?
Message-ID: <50DE6A94.3060904@fastmail.co.uk>
In-Reply-To: <20121229024605.GB5340@waltdnes.org>

Walter Dnes wrote:
> On Fri, Dec 28, 2012 at 01:07:11AM -0500, Michael Orlitzky wrote
>> On 12/27/2012 10:59 PM, Walter Dnes wrote:
>>> Here's my revised "Paranoia Plus" ruleset. Any comments? Because I'm
>>> behind a NAT-ing ADSL router/modem, many of my rules rarely see hits.
>>> However, I do have a backup dialup connection in case of problems, so
>>> most of my rules don't specify the network interface. A couple of
>>> notes...
>>>
>> I did a bunch of inline comments below as I was trying to understand the
>> rules. At the end I give the tl;dr, but maybe the inline comments are
>> useful too.
>
> Thanks. My ruleset has accumulated years of cruft. I should really
> sit down and rewrite the thing from square 1. I have one comment. You
> show what appears to be a bash script for setting up the rules. I work
> with the contents of file /var/lib/iptables/rules-save instead.

Calling iptables repeatedly from a shell script is not advisable.
A better approach is described by Jan Engelhardt in his "Towards the
perfect ruleset" document:

http://inai.de/documents/Perfect_Ruleset.pdf

The method of working with /var/lib/iptables/rules-save is very similar
to that which he describes.

Cheers,

--Kerin
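The atomic-load approach Kerin refers to, as an added example that is not from the thread or from Engelhardt's paper: the ruleset is written in the iptables-save format that /var/lib/iptables/rules-save holds and is loaded with iptables-restore, so the whole table is either committed in one step or rejected as a whole, rather than built up rule by rule. The interface names, the allowed SSH port and the `--apply` switch are my assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not the thread's code): a filter table in iptables-save
# format, loaded atomically with iptables-restore. Calling iptables once per
# rule from a script leaves the host half-filtered if a rule fails part way
# through; iptables-restore parses the entire file first and commits it as
# one unit.
# Assumptions (mine): SSH on port 22 is the only service; interfaces are
# not pinned so the rules also cover a backup dialup link.

# Emit the ruleset. The DROP policies are part of the same commit as the
# rules, so there is no window with a DROP policy and no ACCEPT rules.
render_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "INPUT DROP: "
COMMIT
EOF
}

# Syntax-check, then commit. iptables-restore --test parses and builds the
# table without committing, so a typo is rejected before anything changes.
load_ruleset() {
    file=$1
    iptables-restore --test "$file" || return 1
    iptables-restore "$file"
}

# Touch the live firewall only when run as root with --apply; otherwise
# just print the ruleset that would be loaded (e.g. to inspect or to save
# as rules-save).
if [ "$1" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    tmp=$(mktemp) || exit 1
    render_ruleset > "$tmp"
    load_ruleset "$tmp"; rc=$?
    rm -f "$tmp"
    exit $rc
else
    render_ruleset
fi
```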