Re: Contribution to Slitaz - firewall.conf



Hi Rohit,

Here is my firewall.conf. The important line is:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

It blocks all input connections which are not initialized by the user. Please
note that iptables doesn't filter ipv6 (ip6tables does that). So I add:
blacklist ipv6
in my /etc/modprobe.d/blacklist.conf. I think it can be a good solution by
default because ipv6 is not necessary for most users at this moment. With
this firewall.conf and with ipv6 blacklisted the firewall is well
configured by default (my reference, in French, is
http://olivieraj.free.fr/fr/linux/information/firewall/fw-03-07.html. It's
quite old but seems correct at this time). If you don't blacklist ipv6, you
make a hole in your iptables firewall, and users who install it don't want
that :).

In conclusion I suggest that iptables use this conf and blacklist the ipv6
module by default when installed, tell the user how to re-activate it and warn
about the consequences.

People who maintain servers must open input ports one by one for new
connections established by others. I keep the examples in the config file.

I've no access to the hg repo and I could eventually use one to push some
little fixes like missing depends or recipe updates, but at this time I
prefer to send "major" changes, or those which concern the core, to the list
and let you make the decisions at this important point of the development.

I will send the recipes for fotoxx & depends soon.

GoKhlaYeh

On Tue, 2 Mar 2010 13:49:49 +0000, Rohit Joshi <rj.rohit@xxxxxxxxx> wrote:
> Hi Gokhlayeh,
> 
> Very good work.
> 
> 1) slitaz-icon : for icon theme. E17 flavor is welcome.
> 2) Please do send your iptables work.
> 3) Please go ahead and update fotoxx
> 
> Currently, we have frozen the wok and working on fixing the bugs and
> improving the pkgs/tools. We are not supposed to add any new pkgs
> unless they are required for security/bugs/broken purposes.
> 
> Do you have access to hg repos?? May like to get one if you would like
> to help out.
> 
> Rohit
> 
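The policy the mail describes (drop unsolicited input, accept RELATED/ESTABLISHED, open server ports one by one, keep the ipv6 module out of the kernel so nothing bypasses iptables), as an added example script. This is not the firewall.conf attached to the original message; the function names, the argument convention (binary name first, then TCP ports to open) and the logging rule are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example, not the firewall.conf attached to the original mail.
# Assumptions (constructed for this example): the iptables binary name is
# passed as the first argument and the TCP ports to open follow it; nothing
# here touches the kernel until the printed rules are piped to a root shell.

# Print one iptables command per line. The rule set is small enough to read
# in full, so review the output before applying it.
fw_rules() {
    ipt="$1"
    shift
    echo "$ipt -F INPUT"
    echo "$ipt -P INPUT DROP"          # default: drop unsolicited input
    echo "$ipt -P FORWARD DROP"        # a workstation does not route
    echo "$ipt -P OUTPUT ACCEPT"
    echo "$ipt -A INPUT -i lo -j ACCEPT"
    # The line the mail singles out: only packets belonging to, or related
    # to, a connection the user initiated get in.
    echo "$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Server operators open listening ports one by one, as the mail says.
    for p in "$@"; do
        echo "$ipt -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Log (rate-limited) what the DROP policy discards, so blocked traffic
    # shows up in the kernel log instead of disappearing silently.
    echo "$ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix FW-DROP:"
}

# The modprobe line the mail adds to /etc/modprobe.d/blacklist.conf: with the
# ipv6 module never loaded there is no unfiltered IPv6 path beside iptables
# (the alternative is a matching ip6tables rule set, which iptables cannot
# provide on its own).
modprobe_blacklist_line() {
    echo "blacklist ipv6"
}

# Count rules that admit NEW connections; on a desktop this should be 0.
count_open_ports() {
    fw_rules "$@" | grep -c -- '--state NEW' || true
}

case "${1:-print}" in
    print) fw_rules iptables ;;                      # review: sh firewall.sh
    apply) shift; fw_rules iptables "$@" | sh -e ;;  # as root: sh firewall.sh apply 22
esac
```

Running the script without arguments only prints the rules; `apply` pipes them into a root shell, so a reviewer can diff the printed list against the running policy first. `count_open_ports` is the check a maintainer would add to an installer: a non-zero count on a desktop means a port was opened that the default configuration should not have.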

---
SliTaz GNU/Linux Mailing list - http://www.slitaz.org/
