cipherdyne.org

Michael Rash, Security Researcher



Linux Firewalls: Errata List

Page 23 (thanks to Tessio F.): The -s $INT_NET criterion on the ACCEPT rule for SSH traffic is redundant (although it does no harm). In addition, there should be an additional rule in the ACCEPT section to accept traffic from the loopback interface:

  $IPTABLES -A INPUT -i lo -j ACCEPT

NOTE: The following errors have been corrected in the second printing of the Linux Firewalls book, which is available as of May, 2008 at amazon.com and at bookstores such as Barnes and Noble.

Pages 24-26 (thanks to Rik Farrow): There should be two additional iptables rules to allow DNS zone transfer queries (over tcp/53) to be initiated from the iptables firewall system or from the internal network. These rules are as follows, and have been integrated with the iptables.sh script:

  $IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
  $IPTABLES -A FORWARD -p tcp --dport 53 -m state --state NEW -j ACCEPT
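To check that a deployed policy actually carries the rules from the two errata above (the loopback ACCEPT from page 23 and the tcp/53 rules from pages 24-26), here is a small added audit script; it is not from the book or its iptables.sh, and the sample dump it reads is constructed for this example.

```shell
#!/bin/sh
# Added audit helper (not from the book or its iptables.sh): checks an
# iptables-save style dump for the rules the errata call out, i.e. an INPUT
# ACCEPT on the loopback interface and NEW tcp/53 ACCEPTs in OUTPUT and FORWARD
# so zone transfers can be initiated from the firewall or the internal network.

# Constructed sample dump: it has the loopback rule and the OUTPUT tcp/53 rule
# but is still missing the FORWARD tcp/53 rule.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
EOF

# has_rule FILE CHAIN PATTERN: succeeds if some rule appended to CHAIN in FILE
# matches the extended-regex PATTERN.
has_rule() {
    grep -E -e "^-A $2 .*$3" "$1" >/dev/null
}

# audit_policy FILE: prints each missing rule and returns the count of missing
# rules (0 means the dump contains every rule the errata require).
audit_policy() {
    missing=0
    has_rule "$1" INPUT '-i lo .*-j ACCEPT' || {
        echo "missing: -A INPUT -i lo -j ACCEPT"
        missing=$((missing + 1))
    }
    for chain in OUTPUT FORWARD; do
        has_rule "$1" "$chain" '-p tcp --dport 53 .*--state NEW .*-j ACCEPT' || {
            echo "missing: -A $chain -p tcp --dport 53 -m state --state NEW -j ACCEPT"
            missing=$((missing + 1))
        }
    done
    return "$missing"
}

# For the constructed sample this reports the missing FORWARD rule.
audit_policy "$SAMPLE_FILE" || echo "policy is incomplete ($? rule(s) missing)"
```

On a live firewall, point audit_policy at the output of iptables-save instead of the sample file.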
Page 174 (thanks to Harvey Muller): The "-D" should be "-I" in this iptables command listing:

  [iptablesfw]# iptables -D INPUT 1 -i lo -d 127.0.0.2 -m string --string "testing " --algo bm -j ACCEPT

Page 249 (thanks to William Leemans): The string "INPUT -m state" should be "INPUT 1 -m state" in the first iptables command listing:

  [root@spaserver ~]# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Page 249 (thanks to William Leemans): The time stamp "Oct 18 15:48:08" should be "Oct 18 15:48:38" in the last code listing:

  Oct 18 15:48:08 spaserver knoptm: removed iptables FWKNOP_INPUT_ACCEPT rule for 204.23.X.X -> tcp/22, 30 second timeout exceeded

Please email me if you discover an error within the book "Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort" so that I can add it to this page.

If you would like to discuss a technical point in the book that is not a result of a mistake or technical error, you can always post your query to one of the following mailing lists (and you are always welcome to email me directly if you prefer):

  • psad mailing list - A list for the discussion of iptables log analysis and any topic related to the psad project.
  • fwsnort mailing list - Dedicated to the discussion of fwsnort and the combination of signature based intrusion detection and iptables policies.
  • fwknop mailing list - Dedicated to the discussion of the fwknop project, Single Packet Authorization (SPA), and the advantages the combination of a default-drop packet filter and a packet sniffer can provide to network services.