
Re: patch-o-matic drop table patch



Well thank you for your advice, I was trying to be lazy and not have to do it by hand for as long as possible, not so many hours in a day, sigh. Time to dust off the ol' Linux Firewall Book and take a look at your web page. At least this problem I can work on during work since it is because of them I am having this problem. I upgraded our Checkpoint Firewall to the newest version and all of a sudden my firewall that I NAT through from my windows box can no longer talk to our checkpoint firewall using checkpoint client vpn tools. I know nothing on my end changed and of course Checkpoint can't help.

Jamin W.Collins wrote:

On Wed, 25 Sep 2002 10:16:04 -0400 Quenten Griffith <qgriffith@edm1.com>
wrote:

Ok you're crazy... using Fwbuilder if you want to use an option called "log all dropped traffic" you need to have the drop table patch applied to your kernel.

Ahhh... you didn't indicate that it was a limitation of Fwbuilder that was
causing the need.  It is a simple matter to log all dropped packets under
iptables and doesn't require the "drop table patch".  This is of course
assuming that the firewall was designed with this in mind.  However, I'm
not familiar with Fwbuilder specifics.  Here's an overview of how you
could go about this from a normal iptables perspective.
For each table (nat, filter, and mangle) create a new chain, call it
something like <table>_drop (i.e. filter_drop).  Then add two rules to
these new chains, one to log the packet and one to drop the packet.  Then
any time you would have used the DROP target in a given table instead use
the <table>_drop chain as your target instead.  Additionally, make sure
that your default policies for all default chains in a table are set to
DROP and that the last rule in each of the default chains is a LOG target.
Now, any packet that is dropped will be logged just prior to being
dropped.

I implement something very similar to the above in the script I maintain
(http://asgardsrealm.net/linux/firewall).
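The per-table log-then-drop layout Jamin describes, written out as an added example (it is not the script from his web page nor anything posted in the thread); it assumes an IPT variable that defaults to iptables and can be pointed at echo for a dry run, and it rate-limits the LOG rules so a flood of rejected packets cannot fill the log.

```shell
#!/bin/sh
# Added example, not from the list post: "log, then drop" chains per table.
# IPT defaults to iptables; set IPT=echo to only print the commands.
IPT="${IPT:-iptables}"

# Create <table>_drop: one rate-limited LOG rule, then DROP.
# The limit match keeps a packet flood from filling the log (or the disk).
make_drop_chain() {
    table="$1"
    chain="${table}_drop"
    $IPT -t "$table" -N "$chain"
    $IPT -t "$table" -A "$chain" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level 4 --log-prefix "${chain}: "
    $IPT -t "$table" -A "$chain" -j DROP
}

# Filter table: default policy DROP on every built-in chain, plus a LOG
# appended as the last rule so packets that fall through to the policy are
# logged too. Run this after all other rules so the LOG stays last.
# (The nat table only sees the first packet of a connection, so it is not
# the place to enforce policy; its <table>_drop chain is still usable.)
set_filter_policies() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -t filter -P "$chain" DROP
        $IPT -t filter -A "$chain" -m limit --limit 5/min --limit-burst 10 \
            -j LOG --log-level 4 --log-prefix "filter_${chain}_policy: "
    done
}

# Full setup: drop chains in all three tables, then filter-table policies.
# Wherever a rule would have used -j DROP, use -j <table>_drop instead, e.g.
#   $IPT -t filter -A INPUT -p tcp --dport 23 -j filter_drop
setup_logged_drops() {
    for table in filter nat mangle; do
        make_drop_chain "$table"
    done
    set_filter_policies
}

# Only touch the live ruleset when explicitly asked (needs root):
#   sh this_script.sh apply      or      IPT=echo sh this_script.sh apply
if [ "${1:-}" = apply ]; then
    setup_logged_drops
fi
```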
