Changeset 4660f56 for postlfs/security


Timestamp:
08/24/2023 02:26:54 PM (9 months ago)
Author:
Pierre Labastie <pierre.labastie@…>
Branches:
12.0, 12.1, ken/TL2024, ken/tuningfonts, lazarus, plabs/newcss, python3.11, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, xry111/llvm18
Children:
5a0c70cb
Parents:
746aa49
Message:

Drop multicast and broadcast packets in iptables

The reason is that our own box can output those kinds of packets
rather frequently, and those packets immediately appear as
incoming. Since any non-expected packet is logged, this clutters
the log. Dropping them in the "personal firewall" case is what is
wanted, but it has to be done before logging.

File:
1 edited

  • postlfs/security/iptables.xml

    r746aa49 r4660f56  
    286286iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    287287
     288# Drop any incoming MULTICAST or BROADCAST packet before logging:
     289# The box outputs several of them when using netbios or mDNS, and those
     290# appear immediately as incoming, which clutters the log.
     291iptables -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
     292
    288293# Log everything else.
    289294iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
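Review bot: the DROP added at line 291 matches every broadcast or multicast packet arriving on INPUT, not only the box's own NetBIOS/mDNS output reflected back as described in the comment at lines 288-290, so requests from other hosts to any multicast- or broadcast-based service on this machine are now discarded silently and never reach the LOG rule at line 294. That is the intended "personal firewall" behaviour per the commit message, but the comment should say so explicitly and note that a host which does need to answer such traffic (for example mDNS or NetBIOS name queries from peers) must insert an ACCEPT for that specific destination and port above this rule, since nothing after line 291 can recover those packets.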