Search found 1529 matches

by Gordon
03 May 2012, 07:36
Forum: B2 & B3 Support
Topic: Feeding new rules into IPtables
Replies: 3
Views: 5518

Re: Feeding new rules into IPtables

Unsure...

If you enter the command 'iptables-save' at the command prompt it will just dump the current rules to standard output. The only issue that I'm aware of is that the firewall rules get reloaded on DHCP renewal, but it would be really strange if that occurred every few minutes (seconds?).
by Gordon
02 May 2012, 05:01
Forum: B2 & B3 Support
Topic: Feeding new rules into IPtables
Replies: 3
Views: 5518

Re: Feeding new rules into IPtables

That is in fact how the regular firewall operates. It uses 'iptables-save' and 'iptables-restore' to save and load the rules from the file '/etc/network/firewall.conf'. The firewall script itself is somewhat strange (and has been frowned upon): if you stop or restart the firewall it saves the curren...
by Gordon
01 May 2012, 07:37
Forum: B2 & B3 Support
Topic: Auto mounting / connecting USB disks
Replies: 13
Views: 18735

Re: Auto mounting / connecting USB disks

Well, the issue here would be the reliability of the source of this file (i.e. You). But yes, you are correct that the kernel source holds an error that causes the version magic to be incorrect. This is controlled by the Makefile and you should change that directly after pulling in the source (befor...
by Gordon
26 Apr 2012, 14:29
Forum: B2 & B3 Support
Topic: port forwarding for guildwars2
Replies: 2
Views: 6533

Re: port forwarding for guildwars2

What you did should be sufficient as far as the Bubba is concerned. Most likely the cause of the issue is with your workstation. First off: the application needs to be running to open up port 6112 - was that the case when you checked with `canyouseeme`? If you're not afraid of the DOS prompt you can...
by Gordon
22 Apr 2012, 03:20
Forum: Howtos
Topic: Fail2ban or csf ?
Replies: 10
Views: 23692

Re: Fail2ban or csf ?

Oh, but that's not the point. The geoip match is just a neat trick to limit as many people as possible without blocking myself when I'm in a known place with an unknown IP address. If you have no use for such a feature, then don't use it. The part that matches your particular search is the ipsets. T...
by Gordon
20 Apr 2012, 09:41
Forum: Howtos
Topic: Fail2ban or csf ?
Replies: 10
Views: 23692

Re: Fail2ban or csf ?

How about I create a package for the software you need, so you can go straight to the example firewall script?
by Gordon
19 Apr 2012, 08:25
Forum: Howtos
Topic: Fail2ban or csf ?
Replies: 10
Views: 23692

Populating the blacklist

I'm truly sorry. As said I have been experimenting with this setup in a VM and had not yet done any tests on the B3 itself. If you already installed ipset using aptitude then please remove it. You need to install from source to make this work.

aptitude remove ipset
cd /usr/src
wget http://ipset.netf...
by Gordon
19 Apr 2012, 07:28
Forum: Howtos
Topic: Fail2ban or csf ?
Replies: 10
Views: 23692

Example firewall script

Here's an example script:

#!/bin/sh
# Which countries to allow access to private services
GEOIP_ALLOWED=NL,BE
# Names of the ipsets used by the firewall
IPSETS="blacklist whitelist"
# Which modules to load (some do not auto-load)
MODULES="nf_conntrack_ftp ip_set ip_set_hash_ip xt_geoi...
by Gordon
18 Apr 2012, 10:09
Forum: Howtos
Topic: Fail2ban or csf ?
Replies: 10
Views: 23692

xtables-addons: Geoip

If you like to use the geoip match, you need to have a database (and maintain it regularly). Create the correct folder first (the location is hardcoded in the source): mkdir /usr/share/xt_geoip There are two scripts provided in the xtables-addons source to build the geoip database: a shell script th...
by Gordon
18 Apr 2012, 10:08
Forum: Howtos
Topic: Fail2ban or csf ?
Replies: 10
Views: 23692

xtables-addons and ipset

Okay then... Here's a small draft. Let's start with required software. You need 'xtables-addons' and 'ipset' and you want 'sudo' (you need to be root to run ipset). Since not all of these are in the excito repository, we'll need to update the sources list: # Create new file squeeze.list in the sourc...
by Gordon
18 Apr 2012, 09:56
Forum: B2 & B3 Feature Requests
Topic: Please remove xfrm and netkey from the kernel
Replies: 7
Views: 21979

Please remove xfrm and netkey from the kernel

I know people have been nagging for these modules, but please make them modules and not part of the kernel. I can now no longer operate my VPN because xfrm and netkey are blocking KLIPS.
by Gordon
18 Apr 2012, 09:54
Forum: Howtos
Topic: Openswan (ipsec vpn) on the B3
Replies: 1
Views: 10082

Re: Openswan (ipsec vpn) on the B3

PROBLEM! I found 2 issues trying to activate my config: 1: The kernel source is corrupted. While compiling the module, it is stamped with an incorrect kernel version, causing it not to load. The fix appears to be to run the following patch content before doing anything else with the source: --- Make...
by Gordon
17 Apr 2012, 12:51
Forum: Howtos
Topic: Display the HDD temperature in the web portal [patch]
Replies: 33
Views: 73233

Re: Display the HDD temperature in the web portal [patch]

New patch file...

unpack with command (I'm not allowed to attach a file with .patch extension)

Code:

tar -xzf gui-hddtemp.tgz
by Gordon
17 Apr 2012, 10:46
Forum: Howtos
Topic: Fail2ban or csf ?
Replies: 10
Views: 23692

Re: Fail2ban or csf ?

According to the home page CSF may require rewriting some regex rules on Debian. Sounds like tricky business. Fail2ban seems more promising to me, but that may be because I like Shorewall - I wrote a little howto on running this on the B3 just a few topics down. I'm not sure about the "TCP-Wrap...
by Gordon
15 Apr 2012, 16:08
Forum: B2 & B3 Support
Topic: WD green / Load Cycle
Replies: 6
Views: 5890

Re: WD green / Load Cycle

Hate to budge in, but just rebooting is not sufficient according to the announcements. You have to shut down, actually pull the cord and reconnect after having waited for a few seconds.