Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S265029AbUIVMmS (ORCPT ); Wed, 22 Sep 2004 08:42:18 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S265195AbUIVMmR (ORCPT ); Wed, 22 Sep 2004 08:42:17 -0400 Received: from out007pub.verizon.net ([206.46.170.107]:25282 "EHLO out007.verizon.net") by vger.kernel.org with ESMTP id S265029AbUIVMlg (ORCPT ); Wed, 22 Sep 2004 08:41:36 -0400 From: Gene Heskett Reply-To: gene.heskett@verizon.net Organization: Organization: None, detectable by casual observers To: linux-kernel@vger.kernel.org, root@chaos.analogic.com Subject: Re: [PATCH] Warn people that ipchains and ipfwadm are going away. Date: Wed, 22 Sep 2004 08:41:34 -0400 User-Agent: KMail/1.7 Cc: Martin Josefsson , Rusty Russell , Marc Ballarin , Linus Torvalds , netfilter-devel@lists.netfilter.org, "David S. Miller" References: <1095721742.5886.128.camel@bach> In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200409220841.34453.gene.heskett@verizon.net> X-Authentication-Info: Submitted using SMTP AUTH at out007.verizon.net from [141.153.73.88] at Wed, 22 Sep 2004 07:41:35 -0500 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3728 Lines: 90 On Wednesday 22 September 2004 08:05, Richard B. Johnson wrote: >On Wed, 22 Sep 2004, Martin Josefsson wrote: >> On Wed, 22 Sep 2004, Richard B. Johnson wrote: >> > > Sure, but you have to start somewhere. Next step will be >> > > #error. Then finally remove the whole thing (I don't want to >> > > remove the whole thing to start with, since that would create >> > > a silent failure). >> > > >> > > Cheers, >> > > Rusty. >> > > -- >> > >> > What replaces the firewall stuff? It can't just "go away"! >> >> Ever heard of iptables? >> >> /Martin > >I guess I'll have to convert 1340 lines of ipchains commands to >iptables -yech! Ouch! If it takes 1340 lines of ipchains commands, a direct translation to iptables syntax is both counter-productive and extremely wastefull of system resources, cpu in particular. I admittedly have a dsl router in front of my machine, so it does 99% of that job, but if I wanted to put up with the idiosyncracies of the Roaring Penguin PPPoE, I could skip the router and be just as secure with the less than 30 active lines of my present iptables script. With the router, I'm invisible to the outside world. Of course that does restrict me some as I've not figured out how to drill a hole thru all that to allow a torrent server to function. The peace of mind is worth that loss IMO. Its been over a year now since portsentry-1.1 saw a trigger and logged it. Humm, thats a lie, from the firewalls /var/log/messages.1 file: [root@gene root]# grep attackalert /var/log/messages* /var/log/messages.1:Sep 16 18:09:16 gene portsentry[1159]: attackalert: UDP scan from host: home1.bellatlantic.net/199.45.32.43 to UDP port: 32771 /var/log/messages.1:Sep 16 18:09:16 gene portsentry[1159]: attackalert: Host 199.45.32.43 has been blocked via wrappers with string: "ALL: 199.45.32.43" /var/log/messages.1:Sep 16 18:09:17 gene portsentry[1159]: attackalert: Host 199.45.32.43 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 199.45.32.43 -j DROP" /var/log/messages.1:Sep 16 18:09:17 gene portsentry[1159]: attackalert: UDP scan from host: home1.bellatlantic.net/199.45.32.43 to UDP port: 32771 /var/log/messages.1:Sep 16 18:09:17 gene portsentry[1159]: attackalert: Host: home1.bellatlantic.net/199.45.32.43 is already blocked Ignoring Time to send another nastygram to verizon since thats one of their nameservers, and clear out that address from the hosts.deny file. FWIW, the last time that happened, in April 2003, the hack attempt trashed a siemans router and I had to replace it with that linksys. Must be time to change the user and password in it again too... FWIW, verizon has apparently a problem keeping their nameservers from being hacked. >I had convert something to ipchains a couple of years ago. >That's when I only had to kill-off only about 100 spam-hosts. > >Now I gotta convert again. Soon they'll be replacing `ls` >with `echo *` and nothing will work. Surely you jest? >Cheers, >Dick Johnson >Penguin : Linux version 2.4.26 on an i686 machine (5570.56 > BogoMips). Note 96.31% of all statistics are fiction. -- Cheers, Gene "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) 99.26% setiathome rank, not too shabby for a WV hillbilly Yahoo.com attorneys please note, additions to this message by Gene Heskett are: Copyright 2004 by Maurice Eugene Heskett, all rights reserved. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/