
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   LINUX      Torvalds farts & fans know what he ate      8,232 messages   


   Message 5,298 of 8,232   
   Benny Pedersen to Maurice Kinal   
   gentoo profile 17 :=)   
   16 Dec 17 10:03:40   
   
   Hello Maurice!   
      
   14 Dec 2017 18:59, Maurice Kinal wrote to Benny Pedersen:   
      
    BP>> i cant get shorewall to play anymore on my fidobox, that was why   
    BP>> i liked to try move to nftables replacement   
      
    MK> Okay.  From what I've read thus far it looks like nftables will    
    MK> replace iptables soon so it seems like a good time to make the switch.   
      
   yes depending on kernel .config   
      
    BP>> only if you know more than i do   
    MK> In this case, probably not.   
      
   i just like to convert this below to nftables   
      
      ----- rules-save begins -----   
   # Generated by iptables-save v1.4.21 on Sat Dec 16 10:02:33 2017   
   *mangle   
   :PREROUTING ACCEPT [62190:54783976]   
   :INPUT ACCEPT [62190:54783976]   
   :FORWARD ACCEPT [0:0]   
   :OUTPUT ACCEPT [49555:3751838]   
   :POSTROUTING ACCEPT [49555:3751838]   
   [0:0] -A FORWARD -j MARK --set-xmark 0x0/0xff   
   COMMIT   
   # Completed on Sat Dec 16 10:02:33 2017   
   # Generated by iptables-save v1.4.21 on Sat Dec 16 10:02:33 2017   
   *nat   
   :PREROUTING ACCEPT [382:15480]   
   :INPUT ACCEPT [86:4696]   
   :OUTPUT ACCEPT [1545:124577]   
   :POSTROUTING ACCEPT [1545:124577]   
   COMMIT   
   # Completed on Sat Dec 16 10:02:33 2017   
   # Generated by iptables-save v1.4.21 on Sat Dec 16 10:02:33 2017   
   *raw   
   :PREROUTING ACCEPT [62190:54783976]   
   :OUTPUT ACCEPT [49555:3751838]   
   COMMIT   
   # Completed on Sat Dec 16 10:02:33 2017   
   # Generated by iptables-save v1.4.21 on Sat Dec 16 10:02:33 2017   
   *filter   
   :INPUT DROP [0:0]   
   :FORWARD DROP [0:0]   
   :OUTPUT DROP [0:0]   
   :NET-fw - [0:0]   
   :logflags - [0:0]   
   :reject - [0:0]   
   :sha-lh-ad7c3899204ae152301e - [0:0]   
   :sha-rh-20dc886819828aae726a - [0:0]   
   :shorewall - [0:0]   
   :tcpflags - [0:0]   
   [54566:54134736] -A INPUT -i eth1 -j NET-fw   
   [7624:649240] -A INPUT -i lo -j ACCEPT   
   [0:0] -A INPUT -m addrtype --dst-type BROADCAST -j DROP   
   [0:0] -A INPUT -m addrtype --dst-type ANYCAST -j DROP   
   [0:0] -A INPUT -m addrtype --dst-type MULTICAST -j DROP   
   [0:0] -A INPUT -g reject   
   [0:0] -A FORWARD -m addrtype --dst-type BROADCAST -j DROP   
   [0:0] -A FORWARD -m addrtype --dst-type ANYCAST -j DROP   
   [0:0] -A FORWARD -m addrtype --dst-type MULTICAST -j DROP   
   [0:0] -A FORWARD -g reject   
   [41930:3102522] -A OUTPUT -o eth1 -j ACCEPT   
   [7624:649240] -A OUTPUT -o lo -j ACCEPT   
   [0:0] -A OUTPUT -m addrtype --dst-type BROADCAST -j DROP   
   [0:0] -A OUTPUT -m addrtype --dst-type ANYCAST -j DROP   
   [0:0] -A OUTPUT -m addrtype --dst-type MULTICAST -j DROP   
   [0:0] -A OUTPUT -g reject   
   [53442:53924218] -A NET-fw -p tcp -j tcpflags   
   [54181:54119136] -A NET-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT   
   [86:4696] -A NET-fw -p tcp -m tcp --dport 24554 -j ACCEPT   
   [299:10904] -A NET-fw -j DROP   
   [0:0] -A logflags -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "logflags DROP " --log-level 6 --log-ip-options   
   [0:0] -A logflags -j DROP   
   [0:0] -A reject -m addrtype --src-type BROADCAST -j DROP   
   [0:0] -A reject -s 224.0.0.0/4 -j DROP   
   [0:0] -A reject -p igmp -j DROP   
   [0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset   
   [0:0] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable   
   [0:0] -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable   
   [0:0] -A reject -j REJECT --reject-with icmp-host-prohibited   
   [0:0] -A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource   
   [0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags   
   [0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags   
   [0:0] -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags   
   [0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags   
   [0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags   
   [0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags   
   [0:0] -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags   
   COMMIT   
   # Completed on Sat Dec 16 10:02:33 2017   
      ----- rules-save ends -----   
      
   very basic config for iptables   
      
      
    Regards Benny   
      
   ... there can only be one way of life, and it works :)   
      
   --- Msged/LNX 6.2.0 (Linux/4.14.6-gentoo (i686))   
    * Origin: I will always keep a PC running CPM 3.0 (2:230/0)   



(c) 1994,  bbs@darkrealms.ca