--- .../firewall/files/chain_rules/filter/INPUT.head | 2 +- .../firewall/files/chain_rules/filter/INPUT.tail | 2 ++ 2 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/recipes/firewall/files/chain_rules/filter/INPUT.head b/recipes/firewall/files/chain_rules/filter/INPUT.head index e12264a..2ed0a94 100644 --- a/recipes/firewall/files/chain_rules/filter/INPUT.head +++ b/recipes/firewall/files/chain_rules/filter/INPUT.head @@ -1,5 +1,5 @@ # INPUT.head --P INPUT DROP +-P INPUT ACCEPT #-i lo -m comment --comment "localhost access" -j ACCEPT -i lo -j ACCEPT #-m state --state RELATED,ESTABLISHED -m comment --comment "All established/related" -j ACCEPT diff --git a/recipes/firewall/files/chain_rules/filter/INPUT.tail b/recipes/firewall/files/chain_rules/filter/INPUT.tail index d1c2492..1c983ec 100644 --- a/recipes/firewall/files/chain_rules/filter/INPUT.tail +++ b/recipes/firewall/files/chain_rules/filter/INPUT.tail @@ -1,3 +1,5 @@ # INPUT.tail # -m comment --comment "Logging" -m limit --limit 3/minute -j LOG --log-prefix "[IPTABLES] INPUT : " -m limit --limit 3/minute -j LOG --log-prefix "[IPTABLES] INPUT : " + +-j REJECT
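Review bot: In the INPUT.head hunk, changing `-P INPUT DROP` to `-P INPUT ACCEPT` turns the chain from fail-closed to fail-open, and its safety now rests entirely on the `-j REJECT` that the INPUT.tail hunk appends as the last rule. If the tail file is ever not appended, or the rules are flushed (`iptables -F` clears the rules but leaves the policy in place), the host accepts everything instead of dropping everything. If the intent is simply to have unmatched traffic rejected rather than silently dropped, consider keeping `-P INPUT DROP` as the backstop and still adding the final `-j REJECT`, which gives the same observable behaviour with the fail-safe intact. Either way the commit message should state why the policy is being relaxed; no rationale is visible in this patch. Also note the visible context shows only the commented-out `#-m state --state RELATED,ESTABLISHED ... -j ACCEPT` line, so it is worth confirming that an active RELATED,ESTABLISHED rule exists elsewhere in INPUT.head before the tail's REJECT is reached.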
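Review bot: In the INPUT.tail hunk, the new `-j REJECT` is a catch-all that must remain the very last rule in INPUT, so any rule added after it, including the ssh ACCEPT proposed as a follow-on, will never match; the head/tail split only guarantees this if every per-service rule is generated between INPUT.head and INPUT.tail, which should be called out in the commit message or a comment next to the rule (the file's own style is to put a `-m comment --comment "..."` on each rule, as the LOG line does). A bare `-j REJECT` uses iptables' default reject type (ICMP port-unreachable for IPv4), which, unlike DROP, actively tells the sender the host is up and filtering; if that trade-off is deliberate (faster failure for legitimate clients), say so, otherwise `--reject-with` could be set explicitly. Finally, the hunk inserts an empty line before the rule, so confirm the chain_rules loader tolerates blank lines in these files.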
Looks right to me. I'll conditional ACK, but I think it would be a good idea to check with Chris (I think he raised the initial concern).
On 02/08/2011 10:41 PM, Mohammed Morsi wrote:
.../firewall/files/chain_rules/filter/INPUT.head | 2 +- .../firewall/files/chain_rules/filter/INPUT.tail | 2 ++ 2 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/recipes/firewall/files/chain_rules/filter/INPUT.head b/recipes/firewall/files/chain_rules/filter/INPUT.head index e12264a..2ed0a94 100644 --- a/recipes/firewall/files/chain_rules/filter/INPUT.head +++ b/recipes/firewall/files/chain_rules/filter/INPUT.head @@ -1,5 +1,5 @@ # INPUT.head --P INPUT DROP +-P INPUT ACCEPT #-i lo -m comment --comment "localhost access" -j ACCEPT -i lo -j ACCEPT #-m state --state RELATED,ESTABLISHED -m comment --comment "All established/related" -j ACCEPT diff --git a/recipes/firewall/files/chain_rules/filter/INPUT.tail b/recipes/firewall/files/chain_rules/filter/INPUT.tail index d1c2492..1c983ec 100644 --- a/recipes/firewall/files/chain_rules/filter/INPUT.tail +++ b/recipes/firewall/files/chain_rules/filter/INPUT.tail @@ -1,3 +1,5 @@ # INPUT.tail # -m comment --comment "Logging" -m limit --limit 3/minute -j LOG --log-prefix "[IPTABLES] INPUT : " -m limit --limit 3/minute -j LOG --log-prefix "[IPTABLES] INPUT : "
+-j REJECT
On 02/10/11 - 12:12:15PM, Mike Orazi wrote:
Looks right to me. I'll conditional ACK, but I think it would be a good idea to check with Chris (I think he raised the initial concern).
Yeah, this is the right thing to do. We probably also want to open up the ssh port, but that can be a follow-on patch.
aeolus-devel@lists.fedorahosted.org