Khawk13: /* Introduction */

2010-08-28T20:03:32Z

Introduction

Khawk13: New page: ==Introduction== For a much slimmer foot print out there, I'd recommend the following modifications (still testing). There have been a number of changes to the way processes are listening...

2010-08-28T20:01:45Z

New page: ==Introduction== For a much slimmer foot print out there, I'd recommend the following modifications (still testing). There have been a number of changes to the way processes are listening...

New page

==Introduction==

For a much slimmer foot print out there, I'd recommend the following modifications (still testing). There have been a number of changes to the way processes are listening and how they are limited across the various versions of WebOS. The latest is closed down somewhat tighter than the initial releases. However, it you're like me, and believe that your phone shouldn't be offering up any services at all to the Internet, the below modifications to the stock iptables config will help make a much less accessible phone.

==/etc/pmnetconfig/iptables-common.config==
<pre># Generated by iptables-save v1.4.2 on Mon Jun 29 14:11:31 2009
*nat
:PREROUTING ACCEPT [2:696]
:POSTROUTING ACCEPT [44:2752]
:OUTPUT ACCEPT [44:2752]
COMMIT
# Completed on Mon Jun 29 14:11:31 2009
# Generated by iptables-save v1.4.2 on Mon Jun 29 14:11:31 2009
*mangle
:PREROUTING ACCEPT [922:161037]
:INPUT ACCEPT [920:160341]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [964:158847]
:POSTROUTING ACCEPT [964:158847]
COMMIT
# Completed on Mon Jun 29 14:11:31 2009
# Generated by iptables-save v1.4.2 on Mon Jun 29 14:11:31 2009
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [964:158847]
:ALLOWED_PACKETS - [0:0]
:ICMPFLOOD - [0:0]
:INVALID_PACKETS - [0:0]
-A FORWARD -m state --state INVALID -j INVALID_PACKETS
-A INPUT -i lo -j ALLOWED_PACKETS
-A INPUT -s 127.0.0.0/8 -i ! lo -j INVALID_PACKETS
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -i bridge0 -p tcp -m tcp --dport 4444:4445 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ALLOWED_PACKETS
-A INPUT -i bridge0 -j ALLOWED_PACKETS
-A INPUT -i usb0 -j ALLOWED_PACKETS
-A INPUT -m limit --limit 3/sec -j LOG --log-prefix "IPT_PACKET_DROPPED_NO_MATCH: " --log-level 7
-A INPUT -j QUEUE
-A ALLOWED_PACKETS -j ACCEPT
-A ICMPFLOOD -m recent --set --name ICMP --rsource
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --rttl --name ICMP --rsource -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "IPT_ICMPFLOOD: "
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --rttl --name ICMP --rsource -j DROP
-A ICMPFLOOD -j ALLOWED_PACKETS
-A INVALID_PACKETS -m limit --limit 1/sec --limit-burst 100 -j LOG --log-prefix "IPT_INVALID_PACKETS_DROPPED: "
-A INVALID_PACKETS -j DROP
COMMIT
# Completed on Mon Jun 29 14:11:31 2009</pre>
==/etc/pmnetconfig/iptables-default.config==
<pre>
iptables -I INPUT 24 -m limit --limit 3/sec -j LOG --log-prefix "IPT_PACKET_DROPPED_NO_MATCH: " --log-level 7
</pre>
==/etc/pmnetconfig/iptables-usbnetmode.config==
<pre>
#This file left blank.
</pre>

@@ Line 1: / Line 1: @@
 ==Introduction==
 For a much slimmer foot print out there, I'd recommend the following modifications (still testing). There have been a number of changes to the way processes are listening and how they are limited across the various versions of WebOS. The latest is closed down somewhat tighter than the initial releases. However, it you're like me, and believe that your phone shouldn't be offering up any services at all to the Internet, the below modifications to the stock iptables config will help make a much less accessible phone.
 ==/etc/pmnetconfig/iptables-common.config==

Research iptables configuration recommendations - Revision history

Khawk13: /* Introduction */

Khawk13: New page: ==Introduction== For a much slimmer foot print out there, I'd recommend the following modifications (still testing). There have been a number of changes to the way processes are listening...