--- packet-filtering-HOWTO.sgml.orig Mon Apr 3 19:08:47 2000 +++ packet-filtering-HOWTO.sgml Mon Apr 3 20:37:56 2000 @@ -49,7 +49,7 @@ vulnerabilities to be aware of, in the hope that you will use them for good, and not evil purposes. Another equivalent problem. -Where is the official Web Site and List? +Where are the official Web Site and List?

There are three official sites: @@ -103,8 +103,8 @@ worried about the well-known `Ping of Death' coming in from malicious outsiders. As another example, you might not want outsiders telnetting to your Linux box, even though all your accounts have -passwords; maybe you want (like most people) to be an observer on the -Internet, and not a server (willing or otherwise) -- simply don't let +passwords. Maybe you want (like most people) to be an observer on the +Internet, and not a server (willing or otherwise). Simply don't let anyone connect in, by having the packet filter reject incoming packets used to set up connections. @@ -523,8 +523,8 @@

Usually it is regarded as safe to let second and further fragments -through, since filtering will effect the first fragment, and thus -prevent reassembly on the target host, however, bugs have been known +through, since filtering will affect the first fragment, and thus +prevent reassembly on the target host; however, bugs have been known to allow crashing of machines simply by sending fragments. Your call.

@@ -680,7 +680,7 @@ mac This module must be explicitly specified with `-m mac' or `--match mac'. It is used for matching incoming packet's source Ethernet (MAC) address, and thus only useful for packets traversing -the INPUT chain. It provides only one option: +the PREROUTING, INPUT and FORWARD chains. It provides only one option: --mac-source followed by an optional `!', then an @@ -1092,9 +1092,9 @@ Chain names can be up to 16 characters. - MASQ and REDIRECT are no longer targets; iptables doesn't do -packet mangling. There is a separate NAT subsystem for this: see the -ipnatctl HOWTO. + MASQ is now MASQUERADE and uses a different syntax. REDIRECT, +while keeping the same name, has also undergone a syntax change. See +the NAT-HOWTO for more information on how to configure both of these. Probably heaps of other things I forgot.
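Review bot: in the -103 hunk, "incoming packets used to set up connections" is vague for a packet-filtering document; the thing the filter has to reject is the TCP connection-opening packet (SYN set, ACK clear), and saying so here would tie the motivation to the match the reader will actually write. Suggest: "by having the packet filter reject incoming TCP packets that try to open a connection (SYN set, ACK clear)". The sentence-splitting itself reads fine.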
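Review bot: in the -523 hunk, "effect" to "affect" is the right fix, but the paragraph still ends with "Your call." and gives the reader nothing to decide with. The preceding text already states the security-relevant fact (fragment-only packets have crashed hosts), so suggest replacing "Your call." with the conservative default the HOWTO is implying, e.g. "If your hosts are not known to be robust against fragment attacks, drop non-first fragments too." Also, the new semicolon still leaves one long compound sentence; splitting after "target host." and starting "However, bugs ..." is easier to read.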
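Review bot: in the -680 hunk, widening "only useful for packets traversing the INPUT chain" to "the PREROUTING, INPUT and FORWARD chains" is correct, but the unchanged line above it has a grammar slip ("matching incoming packet's source Ethernet (MAC) address" should be "matching an incoming packet's source Ethernet (MAC) address") and the paragraph should now carry two caveats that the wider scope makes more important: the match only has something to compare on interfaces that carry Ethernet addresses (it cannot match on a PPP link), and a source MAC is chosen by the sender, so a rule keyed on --mac-source is a convenience filter, not an authentication check. One sentence for each would do.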
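Review bot: in the -1092 hunk, the rewrite drops the one fact from the removed lines that users most often miss: MASQUERADE and REDIRECT are targets of the separate NAT subsystem, i.e. they are only valid in rules added to the nat table (-t nat), not in the filter chains this section is describing. Suggest keeping that sentence alongside the new names, e.g. "Both are targets in the separate nat table, so they must be added with -t nat; see the NAT-HOWTO ..." so the reader does not try MASQUERADE in the FORWARD chain and get an error.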