Re: doc: Secure use of iptables and connection tracking helpers

Most of them have been fixed by Jan, I will have a cautious look.
Much better (in addition to what I posted previously) :-D :

p.1 "tranfers" should be "transfers"
p.1 "This system lays on parsing of data coming or from the user or from the server. It is thus subject to attack and this is necessary to take some protections when using connection tracking helpers" should be "The system relies on parsing of data coming either from the user or the server. It is, therefore, vulnerable and ("all the necessary precautions"/"great care") must be taken when using connection tracking helpers."
p.1 "tracking helpers are thus dependent on" should be "tracking helpers are therefore dependent on"
p.2 "and it is thus deactivated by default." should be "and it is therefore deactivated by default."
p.2. "They permit to activate the extended but dangerous features of some protocols." should be "They permit activation of the extended, but dangerous, features of some protocols."
p.3 "All iptables lines using “-m state --state RELATED” should be used in conjunction with the choice of a helper. Doing that, you " should be "The following iptables statement should be used in conjunction with the choice of a helper:- “-m state --state RELATED”. By doing that, you"
p.4 "In particular, you have to do a strict anti-spoofing (has described below)" should be "In particular, you have to do strict anti-spoofing (as described below)"
p.4 "For example, let’s say we have a FTP server at IP address 1.2.3.4 running on port 2121" should be "For example, let’s say we have FTP server running on IP address 1.2.3.4 and port 2121"
p.4 "We thus recommand NOT to use module options any more, and use the CT target instead" should be "Therefore, the use of module options is NOT recommended any more - please use the CT target instead."
p.4 "Each wanted helper use is then set by using a call to the CT target." should be "Each helper we need to use is then set by a call to the CT target."

Arghh, the only one link I did not update after the renaming of the
file:
http://home.regit.org/wp-content/uploads/2011/11/secure-conntrack-helpers.pdf

I'm hiding...
No worries, I enjoyed reading this and it was educational for me too!
