hello;

reply below.

On 6/21/05, /dev/rob0 <rob0@xxxxxxxxx> wrote:
> On Monday 20 June 2005 15:47, terry l. ridder wrote:
> > > In the meantime I bet a few external nmap's of your IP would
> > > give you some unpleasant surprises.

you made the above comment, did you not?
you implied that my network was not secured.

> > you lose the bet.
> > since you did not have the courage to post the results of an nmap of
> > my network, i will.
> >
> > please see http://uuoc.com/?id=953 for the results of an external
> > nmap of my network, 204.238.34.0/24.
>
> Lack of courage, lack of interest, lack of will to be your unpaid
> security analyst, whatever. It's remarkable that you found that nmap
> acceptable, neither unpleasant nor surprising.
>

i see, yet you make unfounded statements, which i quote below:

> > > In the meantime I bet a few external nmap's of your IP would
> > > give you some unpleasant surprises.

> You certainly have won your arguments! People point to specific
> documented examples of why you're wrong, and you insist otherwise.
> Indeed I am convinced: writing to you is a waste of my time. Your
> arguments have been very persuasive in that regard.
>

you should really read the Iptables Tutorial 1.1.19 written by Oskar
Andreasson, located at
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

since you may not read it, i will quote a few parts.

<begin quote>
6.2. Tables

The nat table is used mainly for Network Address Translation. "NAT"ed
packets get their IP addresses altered, according to our rules. Packets
in a stream only traverse this table once. We assume that the first
packet of a stream is allowed. The rest of the packets in the same
stream are automatically "NAT"ed or Masqueraded etc, and will be subject
to the same actions as the first packet. These will, in other words, not
go through this table again, but will nevertheless be treated like the
first packet in the stream.
<end quote>

did you catch that last sentence?
since the first packet in the stream is dropped, the rest of the packets
in the same stream are also dropped.

<begin quote>
This is the main reason why you should not do any filtering in this
table, which we will discuss at greater length further on. The
PREROUTING chain is used to alter packets as soon as they get in to the
firewall. The OUTPUT chain is used for altering locally generated
packets (i.e., on the firewall) before they get to the routing decision.
Finally we have the POSTROUTING chain which is used to alter packets
just as they are about to leave the firewall.
<end quote>

<begin quote>
7.2.10. PREROUTING chain of the nat table

The PREROUTING chain should not be used for any filtering since, among
other things, this chain is only traversed by the first packet in a
stream. The PREROUTING chain should be used for network address
translation only, unless you really know what you are doing.
<end quote>

-- 
terry l. ridder ><>
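As an added example that is not part of this thread or of the quoted tutorial: a small shell lint that reads an iptables-save dump and flags DROP/REJECT verdicts placed in the nat table, the misplacement the quoted sections warn against, and rewrites a flagged PREROUTING rule as the equivalent filter-table INPUT rule. The ruleset, the 192.0.2.10 address and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: find filtering verdicts in the nat table, which only sees the
# first packet of each stream, so DROP there is not the filter you think it is.

# Constructed iptables-save dump. The DROP in nat/PREROUTING is the mistake
# the tutorial warns about; the DNAT and MASQUERADE rules belong there.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 23 -j DROP
-A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.0.2.10:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.0.2.10 -p tcp --dport 80 -j ACCEPT
COMMIT'

# Read an iptables-save dump on stdin; print every nat-table rule whose
# target is a filtering verdict (DROP or REJECT), one rule per line.
find_nat_filtering() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*nat" -> current table name
        table == "nat" && /^-A / {
            for (i = 1; i <= NF; i++)
                if ($i == "-j" && ($(i+1) == "DROP" || $(i+1) == "REJECT"))
                    print
        }
    '
}

# Rewrite a flagged nat/PREROUTING rule as a filter-table INPUT rule, where
# every packet of the stream is inspected. Routed traffic would use FORWARD.
suggest_filter_rule() {
    sed -e 's/^-A PREROUTING /-A INPUT /'
}

# Number of misplaced filtering rules in the constructed sample.
count_nat_filtering() {
    printf '%s\n' "$SAMPLE_RULES" | find_nat_filtering | wc -l | tr -d ' '
}
```

Run it against a live box with `iptables-save | find_nat_filtering` (or `iptables-save -t nat`); an empty result means no filtering verdicts are hiding in the nat table.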