Network intrusion detection systems rely on one or more means of traffic analysis to determine whether a given stream of network traffic is suspicious. Network analysts and system administrators can use stateless traffic filters to help them understand what is going on inside their network(s); such filters can be used for traffic inspection, filtering, and shaping.
This program generates an iptables firewall script for use with Linux kernel 2.4 or later. It is intended for use on a single system connected to the Internet or on a gateway system for a private, internal network. It provides a range of options but is not intended to cover every possible situation. Make sure you understand what each option in the generator does, and take the time to read the comments in the resulting firewall. This generator will not, for example, generate a firewall suitable for use with a DMZ, but it can provide a starting point. For the most common uses the generator should produce a firewall that is ready to use.
The PC Engines WRAP system board gives network OEMs a cost-effective SBC platform for their value-added software, such as wireless routers, firewalls, load balancers, VPN, industrial Ethernet, or other special-purpose network devices. || WRAP is END OF LIFE, as the AMD SC1100 CPU is no longer available. || Need to keep the documentation handy, having salvaged a few of these boards.
"NFTables is queued up for merging into the Linux 3.13 kernel. NFTables is a four-year-old project by the creators of Netfilter to write a new packet filtering / firewall engine for the Linux kernel to deprecate iptables (though it now offers an iptables compatibility layer too). NFTables promises to be more powerful, simpler, reduce code complication, improve error reporting, and provide more efficient handling of packet filter rules. The code was merged into net-next for the Linux 3.13 kernel. Iptables will still be present until NFTables is finished, but it is possible to try it out now. LWN also has a writeup on NFTables."
https://home.regit.org/netfilter-en/nftables-quick-howto/
http://lwn.net/Articles/324989/
husk is a natural language wrapper around the Linux iptables packet filtering engine.
It is designed to abstract the sometimes confusing syntax of iptables, allowing rules that are more readable and expressed in a more 'freeform' fashion than normal 'raw' iptables rules.
husk can be used on either firewall/router computers (with multiple network interfaces) or standalone systems (with one network interface).
Each interface (real or virtual) is called a 'zone' in husk. Zones are given a friendly name, which is what is used in the rule definitions. This abstracts the Linux device names (e.g. eth0, ppp0, bond0, etc.) into much more intuitive names such as NET, LAN and DMZ. This has the added benefit that moving interfaces in the future can be done simply by changing the name-to-device mapping.
A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.
A few terminal commands later to reject certain IP addresses and I was back to blazingly fast YouTube streaming (and Twitch.tv). Doing this will cause the stream to take 1-2 seconds to start because of the IP rejection handling, but then you are greeted with a silky smooth, ultra fast experience.
Open up your terminal and run these commands (you will be prompted for the admin password):
sudo ipfw add reject src-ip 173.194.55.0/24 in
sudo ipfw add reject src-ip 206.111.0.0/16 in
========
to be adapted to your iptables/ferm/shorewall/arno etc.
Shorewall Traffic Shaping
Traffic shaping with Shorewall