Chadster766
commented
5 years ago Aren't both of these configs doing the same thing just with different modules?
Closed popoviciri closed 5 years ago
Chadster766
commented
5 years ago Aren't both of these configs doing the same thing just with different modules?
popoviciri
commented
5 years ago The missing rule is -A INPUT -m conntrack --ctstate INVALID -j DROP which drops all the "bad flag" combinations by using the connection tracking extension (conntrack) in the kernel. Having using it for the flag check, makes sense to replace state with conntrack as well. Just a suggestion. In the end, whoever goes with McDebian on their router, should know how to configure the firewall. Cheers!
Chadster766
commented
5 years ago The missing rule is -A INPUT -m conntrack --ctstate INVALID -j DROP which drops all the "bad flag" combinations by using the connection tracking extension (conntrack) in the kernel. Having using it for the flag check, makes sense to replace state with conntrack as well. Just a suggestion. In the end, whoever goes with McDebian on their router, should know how to configure the firewall. Cheers!
Thanks for the suggestion :smile:
AFAIK the below line in McDebian firewall config does the same thing as the conntrack line:
:FORWARD DROP [0:0]I did some research and it seems that state is aliased to conntrack in the newer iptables anyway :smiley:
Currently, the default INPUT iptables config is:
-A INPUT -i lo -j ACCEPT-A INPUT -i br0 -j ACCEPT-A INPUT -i wan -m state --state RELATED,ESTABLISHED -j ACCEPT-A INPUT -i wan -p icmp -j ACCEPTconsider changing to the stateful config:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT-A INPUT -i lo -j ACCEPT-A INPUT -i br0 -j ACCEPT-A INPUT -m conntrack --ctstate INVALID -j DROP-A INPUT -p icmp -j ACCEPTref: Simple Stateful Firewall