Re: iptables: blocking network access for certain UIDs gives error.

On Tue, 2006-07-18 at 06:10 +0200, kmartin wrote:
> Wow, it works. That -D was the initial problem. I figured what I was
> typing would MAKE the rule. Was guessing -D was for disallow or
> something...

No need to guess, there are man files that explain it.  You really do need
to read how to do something on a computer, rather than just fiddle
around, otherwise you're going to create problems.  Please read the man
file for "rm" before you use that command.

> So the rule was added, but then when I logged in as that user, after
> entering the password it would hang for around 5 minutes before
> showing the desktop! I removed the rule w/ -D and it logged in fine.
> Since the redhat notification icon couldn't connect to the internet, I
> removed that, then -A the rule. Still hung.

Yes, a prolonged wait is a problem you'll get with using DROP instead of
REJECT.  Whatever tries to make a connection will wait until it gets a
response, *eventually* timing out when it doesn't get one.  It's not
going to get a response with a DROP rule, and the wait can be very long.
If you'd used a REJECT rule, it would have failed instantly.

Your vague rule would have dropped all outgoing traffic, which could
include things that work on the same box (outgoing doesn't necessarily
mean leaving the box, you can have outgoing connections on localhost).
You want to be more specific (such as applying the rule to a particular
interface, e.g. eth0, or a range of ports).  If you have a system with
centralised user authentication, you can't blandly block all traffic on
the network, you have to make a proper distinction between internal and
external.

-- 
(Currently running FC4, occasionally trying FC5.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
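As an added illustration of the reply above (this is not code from the thread or from either poster), the script below puts the vague DROP rule next to the more specific REJECT rule the reply recommends: scoped to one egress interface so localhost traffic is untouched, optionally to a port list, with -C to check and -D to delete. The UID 1001 and interface eth0 are placeholder assumptions; commands are printed by default and only executed when RUN=1 is set, which needs root and an iptables with the owner match (valid only for locally generated traffic, i.e. the OUTPUT chain).

```shell
#!/bin/sh
# Added example, not code from the original thread. UID 1001 and eth0 are
# placeholder assumptions. Commands are printed unless RUN=1 is set.

RUN="${RUN:-0}"

# run_or_print: execute the command when RUN=1, otherwise print it verbatim.
run_or_print() {
    if [ "$RUN" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# vague_rule UID: the rule from the thread. Matches every packet the UID
# sends, loopback included, and silently drops it, so clients sit waiting
# for a reply until they time out (the multi-minute login hang).
vague_rule() {
    run_or_print iptables -A OUTPUT -m owner --uid-owner "$1" -j DROP
}

# specific_rule UID [IFACE]: scoped to one egress interface, so traffic to
# localhost (and anything not leaving via that interface) is untouched, and
# answered with REJECT so the client fails immediately instead of hanging.
specific_rule() {
    run_or_print iptables -A OUTPUT -o "${2:-eth0}" \
        -m owner --uid-owner "$1" -j REJECT
}

# ports_rule UID IFACE PORTS: narrower still, only block a comma-separated
# list of TCP destination ports (e.g. 80,443) for the UID via multiport.
ports_rule() {
    run_or_print iptables -A OUTPUT -o "$2" -p tcp \
        -m multiport --dports "$3" -m owner --uid-owner "$1" -j REJECT
}

# check_specific_rule UID [IFACE]: -C reports via exit status whether the
# rule is present; useful to confirm an -A took effect before a -D.
check_specific_rule() {
    run_or_print iptables -C OUTPUT -o "${2:-eth0}" \
        -m owner --uid-owner "$1" -j REJECT
}

# delete_specific_rule UID [IFACE]: -D deletes; the match must be repeated
# exactly as it was added, which is why -D "undid" the rule in the thread.
delete_specific_rule() {
    run_or_print iptables -D OUTPUT -o "${2:-eth0}" \
        -m owner --uid-owner "$1" -j REJECT
}

# Usage: sh uid_block.sh demo        (dry run, prints the commands)
#        RUN=1 sh uid_block.sh demo  (as root, applies and then removes them)
if [ "${1:-}" = "demo" ]; then
    echo "# vague rule (DROP, hangs):"; vague_rule 1001
    echo "# specific rule (REJECT, eth0 only):"; specific_rule 1001 eth0
    echo "# web ports only:"; ports_rule 1001 eth0 80,443
    echo "# check, then delete:"; check_specific_rule 1001 eth0
    delete_specific_rule 1001 eth0
fi
```

Running the demo in dry-run mode shows exactly how the REJECT rule is repeated for -C and -D; the match on -o keeps connections that never leave the box (a local X display, a local DNS cache, PAM talking to a local daemon) unaffected, which is the distinction the reply draws between internal and external traffic.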