All the mail mirrored from lore.kernel.org
* PPTP Question
@ 2002-10-22  5:20 Rommy Taslim
  2002-10-22 15:42 ` nmap antonio
  0 siblings, 1 reply; 18+ messages in thread
From: Rommy Taslim @ 2002-10-22  5:20 UTC (permalink / raw
  To: netfilter

Hi Everyone,

Just a question: is it possible to have two Linux boxes (both
connected to the internet with different IP addresses) do VPN/PPTP
masquerading to one PPTP server (a Windows 2000 box) inside the LAN?

I only managed to get it to work with one of them (the one that the
Windows 2000 box has as its default gateway).

Thanks in advance !

Rommy



^ permalink raw reply	[flat|nested] 18+ messages in thread

* nmap
  2002-10-22  5:20 PPTP Question Rommy Taslim
@ 2002-10-22 15:42 ` antonio
  2002-10-22 18:25   ` nmap Gaël Le Mignot
                     ` (2 more replies)
  0 siblings, 3 replies; 18+ messages in thread
From: antonio @ 2002-10-22 15:42 UTC (permalink / raw
  To: netfilter

Hi Everyone,
 
Just a question:
I want to set up a firewall box with iptables in which I can use nmap.
Which ports/protocols can I set to ACCEPT and which to DROP?

Thanks in advance !
 
Antonio
 
 



* Re: nmap
  2002-10-22 15:42 ` nmap antonio
@ 2002-10-22 18:25   ` Gaël Le Mignot
  2002-10-22 19:12     ` nmap antonio
  2002-10-22 18:31   ` nmap Antony Stone
  2002-10-22 23:25   ` nmap Nick Drage
  2 siblings, 1 reply; 18+ messages in thread
From: Gaël Le Mignot @ 2002-10-22 18:25 UTC (permalink / raw
  To: antonio; +Cc: netfilter


Tue, 22 Oct 2002 17:42:45 +0200, you said:

 > Hi Everyone,
 > Just a question:
 > I want to set up a firewall box with iptables in which I can use nmap.
 > Which ports/protocols can I set to ACCEPT and which to DROP?

I advise you to set the policy at DROP, and to accept:
* RELATED, ESTABLISHED packets
* NEW packets on the ports you _need_ to open (80 if you host a web server,
  22 if you want to allow remote login using ssh and so on).
* ICMP echo-request packets

This is a basic and a simple firewall and should be a good start.

-- 
Gael Le Mignot "Kilobug" - kilobug@freesurf.fr - http://kilobug.free.fr
GSM         : 06.71.47.18.22 (in France)   ICQ UIN   : 7299959
Fingerprint : 1F2C 9804 7505 79DF 95E6 7323 B66B F67B 7103 C5DA

Member of HurdFr: http://hurdfr.org - The GNU Hurd: http://hurd.gnu.org



* Re: nmap
  2002-10-22 15:42 ` nmap antonio
  2002-10-22 18:25   ` nmap Gaël Le Mignot
@ 2002-10-22 18:31   ` Antony Stone
  2002-10-22 22:38     ` nmap hellbreak
  2002-10-22 23:25   ` nmap Nick Drage
  2 siblings, 1 reply; 18+ messages in thread
From: Antony Stone @ 2002-10-22 18:31 UTC (permalink / raw
  To: netfilter

On Tuesday 22 October 2002 4:42 pm, antonio wrote:

> Hi Everyone,
>
> Just a question:
> I want to set up a firewall box with iptables in which I can use nmap.
> Which ports/protocols can I set to ACCEPT and which to DROP?

Do you mean you want to run nmap on a box also running netfilter, to scan 
other machines ?

If so, set your OUTPUT policy to ACCEPT, set your INPUT policy to DROP with a 
single rule:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

and you'll be able to scan other machines and get the replies back, but 
anything new coming in to your machine will be blocked.

If I didn't understand correctly what you wanted to do please give more 
details.

Antony.

-- 

Which part of 'apt-get dist-upgrade' do you not understand ???
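
Putting Gaël's list and Antony's single rule together, here is an added example (mine, not code from either poster) that emits the described ruleset in iptables-restore format: INPUT policy DROP, OUTPUT policy ACCEPT, ESTABLISHED/RELATED accepted, NEW accepted only on the TCP ports passed as arguments, and ICMP echo-request accepted. The loopback rule and the INVALID drop are my additions, not part of the advice above; the port numbers are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the thread: generate an iptables-restore ruleset
# for a box that scans outward but accepts nothing new inbound.
# Assumptions: arguments are TCP ports to open for NEW connections (constructed).

# Usage: build_input_rules 22 80
build_input_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # loopback must stay open or local services (resolver, X, etc.) break
    echo '-A INPUT -i lo -j ACCEPT'
    # replies to connections (and scans) that this box started
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # packets conntrack cannot associate with anything
    echo '-A INPUT -m state --state INVALID -j DROP'
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        # NEW connections only on the ports you actually need
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    echo 'COMMIT'
}

# How many TCP ports a generated ruleset opens for NEW connections
count_open_ports() {
    build_input_rules "$@" | grep -c -- '--state NEW -j ACCEPT'
}

# Apply:  build_input_rules 22 80 | iptables-restore
# Verify: iptables -L INPUT -n -v
```

Load it with `build_input_rules 22 80 | iptables-restore` and check with `iptables -L INPUT -n -v`; the byte counters on the ESTABLISHED,RELATED rule are where scan replies should land. `-m state` is the spelling the thread uses; on current kernels it is kept as a compatibility alias and `-m conntrack --ctstate` is the native form. If a scan exhausts the connection table, the kernel logs `nf_conntrack: table full, dropping packet` (older kernels: `ip_conntrack: table full`), which is the symptom Forster describes later in this thread.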



* Re: nmap
  2002-10-22 18:25   ` nmap Gaël Le Mignot
@ 2002-10-22 19:12     ` antonio
  2002-10-22 21:05       ` nmap Gaël Le Mignot
  0 siblings, 1 reply; 18+ messages in thread
From: antonio @ 2002-10-22 19:12 UTC (permalink / raw
  To: netfilter

Ok, but in order to set the policy to DROP, which ports/protocols do I have to set to ACCEPT to allow nmap from the firewall box to anywhere and from the LAN to anywhere?





On Tue, 22 Oct 2002 20:25:11 +0200
kilobug@freesurf.fr (Gaël Le Mignot) wrote:

> 
> Tue, 22 Oct 2002 17:42:45 +0200, you said:
> 
>  > Hi Everyone,
>  > Just a question:
>  > I want to set up a firewall box with iptables in which I can use nmap.
>  > Which ports/protocols can I set to ACCEPT and which to DROP?
> 
> I advise you to set the policy at DROP, and to accept:
> * RELATED, ESTABLISHED packets
> * NEW packets on the ports you _need_ to open (80 if you host a web server,
>   22 if you want to allow remote login using ssh and so on).
> * ICMP echo-request packets
> 
> This is a basic and a simple firewall and should be a good start.
> 
> -- 
> Gael Le Mignot "Kilobug" - kilobug@freesurf.fr - http://kilobug.free.fr
> GSM         : 06.71.47.18.22 (in France)   ICQ UIN   : 7299959
> Fingerprint : 1F2C 9804 7505 79DF 95E6 7323 B66B F67B 7103 C5DA
> 
> Member of HurdFr: http://hurdfr.org - The GNU Hurd: http://hurd.gnu.org
> 



* Re: nmap
@ 2002-10-22 19:19 Antonio Paulo Salgado Forster
  0 siblings, 0 replies; 18+ messages in thread
From: Antonio Paulo Salgado Forster @ 2002-10-22 19:19 UTC (permalink / raw
  To: Antony Stone; +Cc: netfilter


I had problems scanning through netfilter, depending on the kind of scan
you run. One of the problems you may face, in case you run an ACK scan from
a segment that has permission for the traffic, is that you will have your
conntrack full in a few seconds with ESTABLISHED connections that will take
long to disappear. The same will happen when portscanning from the
firewall box with a default policy for OUTPUT set to ACCEPT.

One of the ways to fix this is to increase the size of the conntrack table. I
used to do that when creating the box by changing the source code and
recompiling the kernel... but I don't know if there are any side effects of
doing that.

--Regards,

Forster





* RE: nmap
@ 2002-10-22 20:46 Andy Wood
  0 siblings, 0 replies; 18+ messages in thread
From: Andy Wood @ 2002-10-22 20:46 UTC (permalink / raw
  To: 'Antonio Paulo Salgado Forster'; +Cc: netfilter

echo 32768 > /proc/sys/net/ipv4/ip_conntrack_max

	Value should depend on RAM


* Re: nmap
  2002-10-22 19:12     ` nmap antonio
@ 2002-10-22 21:05       ` Gaël Le Mignot
  2002-10-22 22:35         ` nmap antonio
  0 siblings, 1 reply; 18+ messages in thread
From: Gaël Le Mignot @ 2002-10-22 21:05 UTC (permalink / raw
  To: antonio; +Cc: netfilter


Tue, 22 Oct 2002 21:12:21 +0200, you said:

 > Ok, but in order to set the policy to DROP, which ports/protocols do I have to set to ACCEPT to allow nmap from the firewall box to anywhere and from the LAN to anywhere?

If you don't block OUTPUT and allow ESTABLISHED and RELATED packets in INPUT,
you don't need to open extra ports. Maybe some extra icmp for "weird" scans,
that's all.

-- 
Gael Le Mignot "Kilobug" - kilobug@freesurf.fr - http://kilobug.free.fr
GSM         : 06.71.47.18.22 (in France)   ICQ UIN   : 7299959
Fingerprint : 1F2C 9804 7505 79DF 95E6 7323 B66B F67B 7103 C5DA

Member of HurdFr: http://hurdfr.org - The GNU Hurd: http://hurd.gnu.org



* RE: nmap
@ 2002-10-22 21:11 Antonio Paulo Salgado Forster
  0 siblings, 0 replies; 18+ messages in thread
From: Antonio Paulo Salgado Forster @ 2002-10-22 21:11 UTC (permalink / raw
  To: Andy Wood; +Cc: netfilter


thanks for that :-)




* Re: nmap
  2002-10-22 21:05       ` nmap Gaël Le Mignot
@ 2002-10-22 22:35         ` antonio
  2002-10-23  7:35           ` nmap Gaël Le Mignot
  0 siblings, 1 reply; 18+ messages in thread
From: antonio @ 2002-10-22 22:35 UTC (permalink / raw
  To: netfilter; +Cc: kilobug

OK, but if I set the OUTPUT policy to DROP, which ports/protocols do I have to set to ACCEPT?
This is my problem.


On Tue, 22 Oct 2002 23:05:39 +0200
kilobug@freesurf.fr (Gaël Le Mignot) wrote:

> 
> Tue, 22 Oct 2002 21:12:21 +0200, you said:
> 
>  > Ok, but in order to set the policy to DROP, which ports/protocols do I have to set to ACCEPT to allow nmap from the firewall box to anywhere and from the LAN to anywhere?
> 
> If you don't block OUTPUT and allow ESTABLISHED and RELATED packets in INPUT,
> you don't need to open extra ports. Maybe some extra icmp for "weird" scans,
> that's all.
> 
> -- 
> Gael Le Mignot "Kilobug" - kilobug@freesurf.fr - http://kilobug.free.fr
> GSM         : 06.71.47.18.22 (in France)   ICQ UIN   : 7299959
> Fingerprint : 1F2C 9804 7505 79DF 95E6 7323 B66B F67B 7103 C5DA
> 
> Member of HurdFr: http://hurdfr.org - The GNU Hurd: http://hurd.gnu.org
> 



* Re: nmap
  2002-10-22 18:31   ` nmap Antony Stone
@ 2002-10-22 22:38     ` hellbreak
  0 siblings, 0 replies; 18+ messages in thread
From: hellbreak @ 2002-10-22 22:38 UTC (permalink / raw
  To: netfilter; +Cc: Antony Stone

Thank you Antony for your idea.
But... if I set my OUTPUT to DROP, which ports and protocols can I set to ACCEPT to run nmap and allow scanning of other machines?

Thx 

On Tue, 22 Oct 2002 19:31:42 +0100
Antony Stone <Antony@Soft-Solutions.co.uk> wrote:

> On Tuesday 22 October 2002 4:42 pm, antonio wrote:
> 
> > Hi Everyone,
> >
> > Just a question:
> > I want to set up a firewall box with iptables in which I can use nmap.
> > Which ports/protocols can I set to ACCEPT and which to DROP?
> 
> Do you mean you want to run nmap on a box also running netfilter, to scan 
> other machines ?
> 
> If so, set your OUTPUT policy to ACCEPT, set your INPUT policy to DROP with a 
> single rule:
> 
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> and you'll be able to scan other machines and get the replies back, but 
> anything new coming in to your machine will be blocked.
> 
> If I didn't understand correctly what you wanted to do please give more 
> details.
> 
> Antony.
> 
> -- 
> 
> Which part of 'apt-get dist-upgrade' do you not understand ???
> 



* Re: nmap
  2002-10-22 15:42 ` nmap antonio
  2002-10-22 18:25   ` nmap Gaël Le Mignot
  2002-10-22 18:31   ` nmap Antony Stone
@ 2002-10-22 23:25   ` Nick Drage
  2 siblings, 0 replies; 18+ messages in thread
From: Nick Drage @ 2002-10-22 23:25 UTC (permalink / raw
  To: netfilter

On Tue, Oct 22, 2002 at 05:42:45PM +0200, antonio wrote:
> Hi Everyone,
>  
> Just a question:
> I want to set up a firewall box with iptables in which I can use nmap.

I would suggest that you don't run nmap from your firewall, that host should
just be a firewall and nothing else.

-- 
FunkyJesus System Administration Team




* Re: nmap
@ 2002-10-23  5:35 zeus
  0 siblings, 0 replies; 18+ messages in thread
From: zeus @ 2002-10-23  5:35 UTC (permalink / raw
  To: netfilter

> OK, but if I set the OUTPUT policy to DROP, which ports/protocols do I have to set to
> ACCEPT?  This is my problem.

you can use the ownercmd patch in p-o-m for this:

iptables -A OUTPUT -m owner --cmd-owner nmap -j ACCEPT

-Bob



* Re: nmap
  2002-10-22 22:35         ` nmap antonio
@ 2002-10-23  7:35           ` Gaël Le Mignot
  2002-10-23  9:06             ` nmap Gavin
  0 siblings, 1 reply; 18+ messages in thread
From: Gaël Le Mignot @ 2002-10-23  7:35 UTC (permalink / raw
  To: antonio; +Cc: netfilter


Wed, 23 Oct 2002 00:35:27 +0200, you said:

 > OK, but if I set the OUTPUT policy to DROP, which ports/protocols do I have to set
 > to ACCEPT?
 > This is my problem.

every dport/protocol you want to allow to be scanned... You cannot filter
much OUTPUT if you want to allow nmap.

You can use the -m owner match with --cmd-owner, if it's available on your computer,
to allow "nmap" initiated connections.

But... what do you want to do by filtering OUTPUT ? Sure, you can drop INVALID
packets, filter floods, stop packets coming from root and so on, but if you
want to allow normal internet activity from the box, you have to allow NEW
connections on OUTPUT to any host/port...

-- 
Gael Le Mignot "Kilobug" - kilobug@freesurf.fr - http://kilobug.free.fr
GSM         : 06.71.47.18.22 (in France)   ICQ UIN   : 7299959
Fingerprint : 1F2C 9804 7505 79DF 95E6 7323 B66B F67B 7103 C5DA

Member of HurdFr: http://hurdfr.org - The GNU Hurd: http://hurd.gnu.org



* Re: nmap
  2002-10-23  7:35           ` nmap Gaël Le Mignot
@ 2002-10-23  9:06             ` Gavin
  2002-10-23 12:02               ` nmap Gaël Le Mignot
  0 siblings, 1 reply; 18+ messages in thread
From: Gavin @ 2002-10-23  9:06 UTC (permalink / raw
  To: netfilter

> But... what do you want to do by filtering OUTPUT ? Sure, you can drop INVALID
> packets, filter floods, stop packets coming from root and so on, but if you
> want to allow normal internet activity from the box, you have to allow NEW
> connections on OUTPUT to any host/port...

There's always a (good) chance that someone will compromise the machine and
use it to DDOS, scan, spam etc - filtering output to allow only what you
need for normal usage (dns, web, ping etc) makes it less useful as a hacked
box.

Gavin





* Re: nmap
  2002-10-23  9:06             ` nmap Gavin
@ 2002-10-23 12:02               ` Gaël Le Mignot
  2002-10-23 12:15                 ` nmap Gavin
  0 siblings, 1 reply; 18+ messages in thread
From: Gaël Le Mignot @ 2002-10-23 12:02 UTC (permalink / raw
  To: Gavin; +Cc: netfilter


Wed, 23 Oct 2002 12:06:49 +0300, you said:

 >> But... what do you want to do by filtering OUTPUT ? Sure, you can drop INVALID
 >> packets, filter floods, stop packets coming from root and so on, but if you
 >> want to allow normal internet activity from the box, you have to allow NEW
 >> connections on OUTPUT to any host/port...

 > There's always a (good) chance that someone will compromise the machine and
 > use it to DDOS, scan, spam etc - filtering output to allow only what you
 > need for normal usage (dns, web, ping etc) makes it less useful as a hacked
 > box.

If you allow users to mail, you allow them to spam. If you allow users to send
requests on tcp 80, you allow them to participate in a DDOS, and so on.
There is no real way to sort out "clean" and "bad" actions at the firewall
level... The only thing you can do is using the 'limit' match to prevent
some kinds of DoS. And allowing only some ports can be very limiting
for users, since some web servers listen on other ports, they may want to use
cvs pserver (and you didn't think to allow 3128) and so on...

-- 
Gael Le Mignot "Kilobug" - kilobug@freesurf.fr - http://kilobug.free.fr
GSM         : 06.71.47.18.22 (in France)   ICQ UIN   : 7299959
Fingerprint : 1F2C 9804 7505 79DF 95E6 7323 B66B F67B 7103 C5DA

Member of HurdFr: http://hurdfr.org - The GNU Hurd: http://hurd.gnu.org



* Re: nmap
  2002-10-23 12:02               ` nmap Gaël Le Mignot
@ 2002-10-23 12:15                 ` Gavin
  2002-10-23 15:25                   ` nmap Antony Stone
  0 siblings, 1 reply; 18+ messages in thread
From: Gavin @ 2002-10-23 12:15 UTC (permalink / raw
  To: Gaël Le Mignot; +Cc: netfilter

>  >> But... what do you want to do by filtering OUTPUT ? Sure, you can drop INVALID
>  >> packets, filter floods, stop packets coming from root and so on, but if you
>  >> want to allow normal internet activity from the box, you have to allow NEW
>  >> connections on OUTPUT to any host/port...
>
>  > There's always a (good) chance that someone will compromise the machine and
>  > use it to DDOS, scan, spam etc - filtering output to allow only what you
>  > need for normal usage (dns, web, ping etc) makes it less useful as a hacked
>  > box.
>
> If you allow users to mail, you allow them to spam. If you allow users to send
> requests on tcp 80, you allow them to participate in a DDOS, and so on.
> There is no real way to sort out "clean" and "bad" actions at the firewall
> level... The only thing you can do is using the 'limit' match to prevent
> some kinds of DoS. And allowing only some ports can be very limiting
> for users, since some web servers listen on other ports, they may want to use
> cvs pserver (and you didn't think to allow 3128) and so on...


Would I be right in thinking that the OUTPUT chain only filters traffic
originating from the firewall box itself, and that any traffic coming from
your clients would fall into the FORWARD chain?  If that is the case, then
filtering OUTPUT would have no effect on your users' ability to surf, mail
etc, but only on the firewall box's ability to generate traffic.

Gavin


> Gael Le Mignot "Kilobug" - kilobug@freesurf.fr - http://kilobug.free.fr
> GSM         : 06.71.47.18.22 (in France)   ICQ UIN   : 7299959
> Fingerprint : 1F2C 9804 7505 79DF 95E6 7323 B66B F67B 7103 C5DA
>
> Member of HurdFr: http://hurdfr.org - The GNU Hurd: http://hurd.gnu.org
>
>





* Re: nmap
  2002-10-23 12:15                 ` nmap Gavin
@ 2002-10-23 15:25                   ` Antony Stone
  0 siblings, 0 replies; 18+ messages in thread
From: Antony Stone @ 2002-10-23 15:25 UTC (permalink / raw
  To: netfilter

On Wednesday 23 October 2002 1:15 pm, Gavin wrote:

> Would I be right in thinking that the OUTPUT chain only filters traffic
> originating from the firewall box itself, and that any traffic coming from
> your clients would fall into the FORWARD chain?  If that is the case, then
> filtering OUTPUT would have no effect on your users' ability to surf, mail
> etc, but only on the firewall box's ability to generate traffic.

Yes, you are correct in this understanding of what the OUTPUT and FORWARD 
chains are for, however I believe this thread started by asking about setting 
up rules in the OUTPUT chain to enable nmap to be used *from the box which 
the netfilter rules are on*.

Therefore the packets being discussed are all locally generated anyway.

Antony.

-- 

All matter in the Universe can be placed into one of two categories:

1. things which need to be fixed
2. things which will need to be fixed once you've had a few minutes to play 
with them
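
For the OUTPUT DROP case the thread ends on (zeus's --cmd-owner rule, Gaël's remark that filtering OUTPUT still means allowing NEW connections somewhere, Gavin's egress-filtering argument, and Antony's point that OUTPUT only sees the firewall's own traffic), here is an added example of mine, not code from any poster: a generator for an OUTPUT chain that drops by default, allows replies, DNS, ping and the TCP ports you list, rate-limits a log of everything else, and carves out a single exception by group owner. --cmd-owner came from patch-o-matic and was later removed from the kernel, so the example uses --gid-owner, which still exists. The group name netscan and the port list are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates iptables commands for the
# OUTPUT chain of the firewall box itself (locally generated packets only;
# forwarded LAN traffic goes through FORWARD and is untouched by these rules).
# Assumptions: $1 is a group that exists on the box (e.g. "netscan", constructed
# for this example); remaining arguments are TCP ports the box legitimately uses.

# Usage: build_output_rules <group> [tcp ports...]
build_output_rules() {
    owner_group="$1"
    shift
    echo 'iptables -F OUTPUT'
    echo 'iptables -P OUTPUT DROP'
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    # replies belonging to connections the box already has
    echo 'iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A OUTPUT -m state --state INVALID -j DROP'
    # "normal usage": name resolution and ping from the box
    echo 'iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT'
    echo 'iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT'
    echo 'iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for port in "$@"; do
        echo "iptables -A OUTPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # the one broad exception: processes running under this group may open
    # connections to anything (stands in for the removed --cmd-owner match)
    echo "iptables -A OUTPUT -m owner --gid-owner $owner_group -j ACCEPT"
    # everything else is logged (rate limited, as Gaël's 'limit' match) and
    # then falls through to the DROP policy
    echo 'iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "'
}

# 0 if the generated ruleset carries a group-owner exception, 1 otherwise
has_owner_exception() {
    build_output_rules "$@" | grep -q -- '-m owner --gid-owner'
}

# Number of TCP destination ports the ruleset opens for NEW connections
count_tcp_new() {
    build_output_rules "$@" | grep -c -- '-p tcp --dport .* --state NEW'
}

# Apply: build_output_rules netscan 80 443 | sh
```

Review the generated commands before piping them to `sh`, and start the scanner under the excepted group (for instance with `sg netscan -c '...'`) so only that process bypasses the egress rules. Anything else the box tries to start shows up in the kernel log with the `egress-drop:` prefix, which is exactly the signal Gavin's argument is after: a compromised firewall that suddenly wants to talk to new hosts becomes visible instead of useful.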

