Linux Firewalls: Errata List
Page 23 (thanks to Tessio F.): The -s $INT_NET criterion in the ACCEPT rule for SSH traffic is redundant (although it doesn't harm anything). In addition, there should be an additional rule in the ACCEPT section to accept traffic from the loopback interface:
$IPTABLES -A INPUT -i lo -j ACCEPT
NOTE: The following errors have been corrected in the second printing of the Linux Firewalls book, which is available as of May 2008 at amazon.com and at bookstores such as Barnes and Noble.
Pages 24-26 (thanks to Rik Farrow): There should be two additional iptables rules to allow DNS zone transfer queries (over tcp/53) to be initiated from the iptables firewall system or from the internal network. These rules are as follows and have been integrated into the iptables.sh script:
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 53 -m state --state NEW -j ACCEPT
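The two errata entries above (the loopback ACCEPT rule on page 23 and the tcp/53 rules on pages 24-26) are easy to lose when a policy script is edited by hand. The following audit script is an added example, not part of the book or its iptables.sh script: it greps an iptables-save style dump for those three rules and reports which are missing. Both dumps embedded in it are constructed samples, and the function names (has_rule, audit_rules) are my own.

```shell
#!/bin/sh
# Added audit script (not from the book or its iptables.sh): checks an
# iptables-save style dump for the rules the two errata entries above add.
# Both dumps below are constructed samples, not captured from a real host.

# Constructed dump: has the loopback rule but lacks the FORWARD tcp/53 rule.
PARTIAL_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
COMMIT'

# Constructed dump: the same policy with the FORWARD tcp/53 rule added.
FIXED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --dport 53 -m state --state NEW -j ACCEPT
COMMIT'

# has_rule DUMP CHAIN PATTERN: succeeds if a rule appended to CHAIN matches PATTERN
has_rule() {
    printf '%s\n' "$1" | grep -E -- "^-A $2 .*$3" >/dev/null
}

# audit_rules DUMP: prints one line per check; returns the number of missing rules
audit_rules() {
    _dump=$1
    _missing=0
    if has_rule "$_dump" INPUT '-i lo -j ACCEPT'; then
        echo "ok: INPUT accepts loopback traffic"
    else
        echo "MISSING: INPUT -i lo -j ACCEPT (local clients of 127.0.0.1 services hit the DROP policy)"
        _missing=$((_missing + 1))
    fi
    for _chain in OUTPUT FORWARD; do
        if has_rule "$_dump" "$_chain" '-p tcp --dport 53 -m state --state NEW -j ACCEPT'; then
            echo "ok: $_chain allows new tcp/53 connections (zone transfers)"
        else
            echo "MISSING: $_chain -p tcp --dport 53 -m state --state NEW -j ACCEPT"
            _missing=$((_missing + 1))
        fi
    done
    return $_missing
}

echo "--- partial policy ---"
audit_rules "$PARTIAL_DUMP"
echo "missing rules: $?"
echo "--- fixed policy ---"
audit_rules "$FIXED_DUMP"
echo "missing rules: $?"
```

On a live firewall the same check runs against the real policy with audit_rules "$(iptables-save)"; a non-zero return value means at least one of the three rules is absent. The match is deliberately literal (it looks for the exact option order the book uses), so a rule written with equivalent but reordered options would be reported as missing and should be inspected by hand.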
Page 174 (thanks to Harvey Muller): The "-D" should be "-I" in this iptables command listing:
[iptablesfw]# iptables -D INPUT 1 -i lo -d 127.0.0.2 -m string --string
"testing " --algo bm -j ACCEPT
Page 249 (thanks to William Leemans): The string "INPUT -m state" should be "INPUT 1 -m state" in the first iptables command listing:
[root@spaserver ~]# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Page 249 (thanks to William Leemans): The time stamp "Oct 18 15:48:08" should be "Oct 18 15:48:38" in the last code listing:
Oct 18 15:48:08 spaserver knoptm: removed iptables FWKNOP_INPUT_ACCEPT
rule for 204.23.X.X -> tcp/22, 30 second timeout exceeded
Please email me if you discover an error within the book "Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort" so that I can add it to this page.
If you would like to discuss a technical point in the book that is not a result of a mistake or technical error, you can always post your query to one of the following mailing lists (and you are always welcome to email me directly if you prefer):
- psad mailing list - A list for the discussion of iptables log analysis and any topic related to the psad project.
- fwsnort mailing list - Dedicated to the discussion of fwsnort and the combination of signature-based intrusion detection and iptables policies.
- fwknop mailing list - Dedicated to the discussion of the fwknop project, Single Packet Authorization (SPA), and the advantages the combination of a default-drop packet filter and a packet sniffer can provide to network services.