Closed popoviciri closed 5 years ago
Aren't both of these configs doing the same thing just with different modules?
The missing rule is -A INPUT -m conntrack --ctstate INVALID -j DROP which drops all the "bad flag" combinations by using the connection tracking extension (conntrack) in the kernel. Having used it for the flag check, it makes sense to replace state with conntrack as well. Just a suggestion. In the end, whoever goes with McDebian on their router, should know how to configure the firewall. Cheers!
Thanks for the suggestion :smile:
AFAIK the below line in McDebian firewall config does the same thing as the conntrack line:
:FORWARD DROP [0:0]
I did some research and it seems that state is aliased to conntrack in the newer iptables anyway :smiley:
Currently, the default INPUT iptables config is:
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i wan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -p icmp -j ACCEPT
Consider changing to the stateful config:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
ref: Simple Stateful Firewall
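As an added example (not code from the McDebian project or from anyone in this thread), a small POSIX shell lint that reads an iptables-save formatted ruleset and checks the INPUT chain for the points raised above: a DROP policy, a stateful RELATED,ESTABLISHED accept (state or conntrack), the conntrack INVALID drop, and that the drop is ordered ahead of the final accept. The two sample rulesets are constructed from the listings above, and their `:INPUT DROP [0:0]` policy line is an assumption (the thread only shows the FORWARD policy).

```shell
# Added example, not McDebian's own code: lint an iptables-save formatted
# INPUT chain for the stateful pattern discussed in this thread. Rules arrive
# on stdin; the two sample rulesets are constructed for the demo, and their
# ":INPUT DROP" policy line is an assumption (the thread shows only FORWARD).
lint_input_chain() {
    rules=$(cat)
    missing=""
    # 1. INPUT must default to DROP, otherwise the accept rules mean little.
    printf '%s\n' "$rules" | grep -Eq '^:INPUT[[:space:]]+DROP' \
        || missing="$missing policy-drop"
    # 2. Stateful accept for reply traffic; the old "state" match and the
    #    newer "conntrack" match (state is an alias for it) both count.
    printf '%s\n' "$rules" | grep -Eq \
        '^-A INPUT .*-m (state --state|conntrack --ctstate) [A-Z,]*(RELATED|ESTABLISHED).* -j ACCEPT' \
        || missing="$missing established-accept"
    # 3. The rule the thread is about: drop what conntrack marks INVALID
    #    (bad flag combinations, packets belonging to no tracked flow).
    printf '%s\n' "$rules" | grep -Eq '^-A INPUT .*-m conntrack --ctstate INVALID -j DROP' \
        || missing="$missing invalid-drop"
    # 4. An INVALID drop placed after the last ACCEPT never sees the packets
    #    it exists to catch, so it must precede the final accept rule.
    inv=$(printf '%s\n' "$rules" | grep -nE '^-A INPUT .*--ctstate INVALID -j DROP' | head -n1 | cut -d: -f1)
    last=$(printf '%s\n' "$rules" | grep -nE '^-A INPUT .*-j ACCEPT' | tail -n1 | cut -d: -f1)
    if [ -n "$inv" ] && [ -n "$last" ] && [ "$inv" -gt "$last" ]; then
        missing="$missing invalid-drop-order"
    fi
    if [ -z "$missing" ]; then echo "ok"; return 0; fi
    echo "missing:$missing"
    set -- $missing
    return $#      # exit status = number of failed checks
}

# Constructed sample 1: the current McDebian default INPUT chain from the thread.
MCDEBIAN_DEFAULT=':INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i wan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -p icmp -j ACCEPT'
# Constructed sample 2: the stateful config proposed in the thread.
PROPOSED=':INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT'
printf '%s\n' "$MCDEBIAN_DEFAULT" | lint_input_chain || true   # prints "missing: invalid-drop"
printf '%s\n' "$PROPOSED" | lint_input_chain || true           # prints "ok"
```

The same function can be fed a live ruleset with `iptables-save | lint_input_chain`, which makes it easy to wire into a boot-time or config-change check.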