Linux Firewalls: Errata List
Pages 24-26 (thanks to Rik Farrow): Two additional iptables rules are needed to allow DNS zone transfer queries (over tcp/53) to be initiated from the iptables firewall system or from the internal network. (The same rules also cover ordinary queries that a resolver retries over TCP after a truncated UDP reply.) The rules are as follows, and have been integrated into the iptables.sh script:

$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 53 -m state --state NEW -j ACCEPT

Page 174 (thanks to Harvey Muller): The "-D" should be "-I" in this iptables command listing:

[iptablesfw]# iptables -D INPUT 1 -i lo -d 127.0.0.2 -m string --string "testing " --algo bm -j ACCEPT

Page 249 (thanks to William Leemans): The string "INPUT -m state" should be "INPUT 1 -m state" in the first iptables command listing (with no rule number, -I already inserts at the head of the chain, so both forms behave identically):

[root@spaserver ~]# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Page 249 (thanks to William Leemans): The time stamp "Oct 18 15:48:08" should be "Oct 18 15:48:38" in the last code listing:

Oct 18 15:48:08 spaserver knoptm: removed iptables FWKNOP_INPUT_ACCEPT rule for \
    204.23.X.X -> tcp/22, 30 second timeout exceeded
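The page 249 time stamp erratum is the kind of inconsistency a log check can catch automatically: a knoptm removal line that says "30 second timeout exceeded" must be logged at least 30 seconds after the line that added the same rule. The following Python script is an added example for this errata page, not code from the book or from the fwknop project. It parses the "removed ... timeout exceeded" format shown above (with the book's backslash line wrap dropped) and pairs each removal with the most recent "added" line for the same rule. The wording of the "added" line, the process name knopmd, and the assumption that the rule for 204.23.X.X was added at 15:48:08 are constructed for the example and are not taken from the book.

```python
import re
from datetime import datetime

# Constructed sample logs (not from the book). The "removed" line reproduces the
# format of the page 249 listing; the "added" line's wording, the knopmd process
# name and the 15:48:08 add time are assumptions made for this example.
LOG_AS_PRINTED = """\
Oct 18 15:48:08 spaserver knopmd: added iptables FWKNOP_INPUT_ACCEPT rule for 204.23.X.X -> tcp/22, 30 second timeout
Oct 18 15:48:08 spaserver knoptm: removed iptables FWKNOP_INPUT_ACCEPT rule for 204.23.X.X -> tcp/22, 30 second timeout exceeded
"""

# The same log with the corrected time stamp from the erratum.
LOG_CORRECTED = LOG_AS_PRINTED.replace("15:48:08 spaserver knoptm", "15:48:38 spaserver knoptm")

# syslog prefix (month, day, time, host, process), then the rule message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<proc>\S+): "
    r"(?P<action>added|removed) iptables (?P<chain>\S+) rule for "
    r"(?P<src>\S+) -> (?P<proto>\w+)/(?P<port>\d+), (?P<timeout>\d+) second timeout"
)


def parse_line(line, year=1900):
    """Return a dict for a rule add/remove line, or None for any other line.

    syslog time stamps carry no year, so one is supplied; only differences
    between time stamps matter here (a year boundary would need real dates).
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = " ".join(m["ts"].split())  # collapse the padding before single-digit days
    return {
        "time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "action": m["action"],
        "key": (m["chain"], m["src"], m["proto"], int(m["port"])),
        "timeout": int(m["timeout"]),
    }


def check_timeouts(log_text):
    """Pair each removal with the most recent add for the same rule and return
    (line, reason) tuples for removals logged before the timeout could have
    expired, or that have no matching add at all."""
    pending = {}  # rule key -> (add time, timeout in seconds)
    problems = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["action"] == "added":
            pending[ev["key"]] = (ev["time"], ev["timeout"])
            continue
        if ev["key"] not in pending:
            problems.append((line, "removal without a matching add"))
            continue
        added_at, timeout = pending.pop(ev["key"])
        elapsed = (ev["time"] - added_at).total_seconds()
        if elapsed < timeout:
            problems.append((line, f"removed after {elapsed:.0f}s, but timeout is {timeout}s"))
    return problems


if __name__ == "__main__":
    for name, log in (("as printed", LOG_AS_PRINTED), ("corrected", LOG_CORRECTED)):
        print(f"{name}: {check_timeouts(log) or 'consistent'}")
```

Run against the listing as printed, the check reports the removal as arriving 0 seconds after the add with a 30 second timeout; with the corrected 15:48:38 stamp the log is consistent. The same pairing logic applies to any add/remove pair that carries a stated lifetime, which is why the rule key includes the chain, source, protocol and port rather than only the source address.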
Please email me if you discover an error within the book "Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort" so that I can add it to this page.
If you would like to discuss a technical point in the book that is not a result of a mistake or technical error, you can always post your query to one of the following mailing lists (and you are always welcome to email me directly if you prefer):
- psad mailing list - A list for the discussion of iptables log analysis and any topic related to the psad project.
- fwsnort mailing list - Dedicated to the discussion of fwsnort and the combination of signature based intrusion detection and iptables policies.
- fwknop mailing list - Dedicated to the discussion of the fwknop project, Single Packet Authorization (SPA), and the advantages that combining a default-drop packet filter with a packet sniffer can provide to network services.
