Errata for Linux Network Administrator's Guide

The errata list is a list of errors and their corrections that were found after the product was released. If the error was corrected in a later version or reprint the date of the correction will be displayed in the column titled "Date Corrected".

The following errata were submitted by our customers and approved as valid errors by the author or editor.

Version Location Description Submitted By Date submitted Date corrected
Printed
Page 86
Under the "order" subhead

The first instance of "hosts for lookups in /etc/hosts" is now the
same font as "bind" and "nis" elsewhere in the paragraph.

Anonymous    Nov 01, 2000
Printed
Page 91
The references to the resolv.conf option "name server" have been
changed to refer to "nameserver" (no space). The same occurs on page 92.

Anonymous    Nov 01, 2000
Printed
Page 152
The citation for

Building Internet Firewalls

now reads:

By Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman

[Appendix C] The following two URLs have been changed to reflect the second
edition.

http://www.oreilly.com/catalog/linag/

now reads:

http://www.oreilly.com/catalog/9781565924000/

and

http://www.oreilly.com/catalog/linag/licenseinfo.html

now reads:

http://www.oreilly.com/catalog/9781565924000/licenseinfo.html

Anonymous    Oct 01, 2000
Printed
Page 183 & 191-192

iptables now appears not to possess the -C argument; it must have been removed.

Anonymous   
Printed
Page 189
In Table 9.3 and in the text the description of passive mode
for FTP is incorrect.

The problem is with the choice of example. FTP is one of those protocols
that cannot be configured using very tight and specific filtering rules.

The safest way to handle FTP with ipchains is to use the special
dynamically loadable "masquerading" module for handling FTP.

[192] In Chapter 9 (TCP/IP Firewall), there is an ipchains example under
A Sample Firewall Configuration. The example contains several errors.

A proposed changed example follows:

#!/bin/bash
##########################################################################
# IPCHAINS VERSION
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall machine itself.
##########################################################################

# USER CONFIGURABLE SECTION

# The name and location of the ipchains utility.
IPCHAINS=ipchains

# The path to the ipchains executable.
PATH="/sbin"

# Our internal network address space and its supporting network device.
OURNET="172.29.16.0/24"
OURBCAST="172.29.16.255"
OURDEV="eth0"

# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="eth1"

# The TCP services we wish to allow to pass - "" empty means all ports
# note: space separated
TCPIN="smtp www"
TCPOUT="smtp www ftp ftp-data irc"

# The UDP services we wish to allow to pass - "" empty means all ports
# note: space separated
UDPIN="domain"
UDPOUT="domain"

# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: space separated
ICMPIN="0 3 11"
ICMPOUT="8 3 11"

# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1

# END USER CONFIGURABLE SECTION
##########################################################################
# Flush the Input table rules
$IPCHAINS -F input

# We want to DENY incoming access by default.
$IPCHAINS -P input DENY

# SPOOFING
# We should not ACCEPT any datagrams with a source address matching ours
# from the outside, so we DENY them.
$IPCHAINS -A input -s $OURNET -i $ANYDEV -j DENY

# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
$IPCHAINS -A input -p icmp -i $ANYDEV -d $OURBCAST -j DENY

# We should ACCEPT fragments, in ipchains we must do this explicitly.
$IPCHAINS -A input -f -j ACCEPT

for i in $TCPIN
do
    # TCP
    # We will ACCEPT all TCP datagrams belonging to an existing connection
    # (i.e. having the ACK bit set) for the TCP ports we're allowing through.
    # This should catch more than 95% of all valid TCP packets.
    $IPCHAINS -A input -p tcp -d $OURNET $i ! -y -b -j ACCEPT

    # TCP - INCOMING CONNECTIONS
    # We will ACCEPT connection requests from the outside only on the
    # allowed TCP ports.
    $IPCHAINS -A input -p tcp -i $ANYDEV -d $OURNET $i -y -j ACCEPT
done

# TCP - OUTGOING CONNECTIONS
# We ACCEPT all outgoing TCP connection requests on allowed TCP ports.
for i in $TCPOUT
do
    $IPCHAINS -A input -p tcp -i $OURDEV -d $ANYADDR $i -y -j ACCEPT
done

# UDP - INCOMING
# We will allow UDP datagrams in on the allowed ports.
for i in $UDPIN
do
    $IPCHAINS -A input -p udp -i $ANYDEV -d $OURNET $i -j ACCEPT
done

# UDP - OUTGOING
# We will allow UDP datagrams out on the allowed ports.
for i in $UDPOUT
do
    $IPCHAINS -A input -p udp -i $OURDEV -d $ANYADDR $i -j ACCEPT
done

# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
for i in $ICMPIN
do
    $IPCHAINS -A input -p icmp -i $ANYDEV -d $OURNET $i -j ACCEPT
done

# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
for i in $ICMPOUT
do
    $IPCHAINS -A input -p icmp -i $OURDEV -d $ANYADDR $i -j ACCEPT
done

# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#
if [ "$LOGGING" ]
then
    # Log barred TCP
    $IPCHAINS -A input -p tcp -l -j REJECT

    # Log barred UDP
    $IPCHAINS -A input -p udp -l -j REJECT

    # Log barred ICMP
    $IPCHAINS -A input -p icmp -l -j REJECT
fi
#
# end.

Anonymous   
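The following Python program is an added illustration for the two points made in the erratum above (the FTP passive-mode problem and the proposed ipchains script); it is not code from the book or from the erratum's submitter. It replays the TCP and UDP rules of the proposed script, in the order the script appends them, against constructed packets, with ipchains first-match semantics: `-y` matches a TCP packet with SYN set and ACK clear, `! -y` matches everything else, `-b` also matches with source and destination swapped, and anything unmatched falls through to the `-P input DENY` policy. The ICMP, fragment and smurf rules are left out. The service-name-to-port table, the addresses and the `227` reply are assumptions made for the example, and the PASV parser is the kind of control-channel snooping the FTP masquerading module does so that it can open the data port a static rule set cannot know in advance.

```python
"""Stateless replay of the proposed ipchains 'input' chain (added example)."""
import ipaddress
import re

# Assumed /etc/services subset for the names the script uses.
SERVICES = {"smtp": 25, "www": 80, "ftp": 21, "ftp-data": 20,
            "irc": 6667, "domain": 53}

# Values taken from the script's user-configurable section.
OURNET = ipaddress.ip_network("172.29.16.0/24")
OURDEV, ANYDEV = "eth0", "eth1"
TCPIN = ["smtp", "www"]
TCPOUT = ["smtp", "www", "ftp", "ftp-data", "irc"]
UDPIN = ["domain"]
UDPOUT = ["domain"]


def packet(proto, iface, src, sport, dst, dport, syn=False, ack=False):
    """A datagram as the input chain sees it; iface is where it arrived."""
    return {"proto": proto, "iface": iface, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "syn": syn, "ack": ack}


def ours(addr):
    return ipaddress.ip_address(addr) in OURNET


def syn_only(p):
    """ipchains -y: TCP with SYN set and ACK clear, i.e. a connection request."""
    return p["proto"] == "tcp" and p["syn"] and not p["ack"]


def build_input_chain():
    """The script's rules in append order; the first matching rule decides."""
    chain = []
    # SPOOFING: -s $OURNET -i $ANYDEV -j DENY
    chain.append(("DENY", lambda p: p["iface"] == ANYDEV and ours(p["src"])))
    for svc in TCPIN:
        port = SERVICES[svc]
        # -p tcp -d $OURNET $i ! -y -b -j ACCEPT   (-b: also src/sport swapped)
        chain.append(("ACCEPT", lambda p, port=port: p["proto"] == "tcp"
                      and not syn_only(p)
                      and ((ours(p["dst"]) and p["dport"] == port)
                           or (ours(p["src"]) and p["sport"] == port))))
        # -p tcp -i $ANYDEV -d $OURNET $i -y -j ACCEPT
        chain.append(("ACCEPT", lambda p, port=port: p["iface"] == ANYDEV
                      and ours(p["dst"]) and p["dport"] == port and syn_only(p)))
    for svc in TCPOUT:
        port = SERVICES[svc]
        # -p tcp -i $OURDEV -d $ANYADDR $i -y -j ACCEPT
        chain.append(("ACCEPT", lambda p, port=port: p["iface"] == OURDEV
                      and p["dport"] == port and syn_only(p)))
    for svc in UDPIN:
        port = SERVICES[svc]
        # -p udp -i $ANYDEV -d $OURNET $i -j ACCEPT
        chain.append(("ACCEPT", lambda p, port=port: p["proto"] == "udp"
                      and p["iface"] == ANYDEV and ours(p["dst"])
                      and p["dport"] == port))
    for svc in UDPOUT:
        port = SERVICES[svc]
        # -p udp -i $OURDEV -d $ANYADDR $i -j ACCEPT
        chain.append(("ACCEPT", lambda p, port=port: p["proto"] == "udp"
                      and p["iface"] == OURDEV and p["dport"] == port))
    return chain


def verdict(chain, p, policy="DENY"):
    """Walk the chain; unmatched packets get the policy set by -P input DENY."""
    for target, match in chain:
        if match(p):
            return target
    return policy


PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into the
    (host, port) the client will connect to for the data channel."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def pasv_data_verdict(chain, client, client_port, reply):
    """Verdict for the client's SYN to the data port announced in REPLY."""
    host, port = parse_pasv(reply)
    return verdict(chain, packet("tcp", OURDEV, client, client_port,
                                 host, port, syn=True))


if __name__ == "__main__":
    chain = build_input_chain()
    reply = "227 Entering Passive Mode (198,51,100,7,195,80)"  # constructed
    print("PASV data port:", parse_pasv(reply))
    print("data SYN verdict:", pasv_data_verdict(chain, "172.29.16.10", 40003, reply))
```

Replayed this way, an inbound SYN to smtp is accepted, a datagram arriving on eth1 with one of our own source addresses is denied, an outbound SYN to ftp is accepted, and the SYN the client then sends to the port announced in the 227 reply is denied, since no static rule can name that port beforehand. The replay also shows two further limits of filtering without state: the `! -y` rules only cover the TCPIN ports, so the SYN-ACK answering an outgoing ftp or irc request arrives on eth1 and falls through to DENY, and a DNS reply from port 53 to the client's ephemeral port is denied for the same reason.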
Printed
Page 204
1st paragraph, third sentence

Since all of these services are TCB-based
should be:
Since all of these services are TCP-based

Anonymous   
Printed
Page 216
In the second full paragraph, the authors list the set of two
commands needed to enable IP masquerading in the kernel. The second set
describes how to do it with the ipchains command under 2.2.x kernels.

The syntax (as printed) of the first command was:

# ipchains -P forward -j deny

This is a minor syntax error which produces the following error:

ipchains: -P requires a chain and a policy
Try 'ipchains -h' or 'ipchains --help' for more information.

The book now reads:

# ipchains -P forward DENY

Anonymous    Nov 01, 2000