=== IP Sets
-The UCI firewall version 3 supports referencing or creating [[http:_ipset.netfilter.org/|ipsets]] to simplify matching of
+The UCI firewall version 3 supports referencing or creating http://ipset.netfilter.org/[ipsets] to simplify matching of
huge address or port lists without the need for creating one rule per item to match,
The following options are defined for _ipsets_:
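Review bot: the added line writes the ipsets link with the bare URL macro (http://ipset.netfilter.org/[ipsets]), while the Drop versus Reject link in this same patch uses the link: prefix; pick one form and use it throughout the document. The unchanged line that follows ends in a comma ("one rule per item to match,") directly before "The following options are defined", so the sentence never closes; end it with a period while this paragraph is being touched.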
When connection attempts are _dropped_ the client is not aware of the blocking and will continue to re-transmit its packets until the connection eventually times out. Depending on the way the client software is implemented, this could result in frozen or hanging programs that need to wait until a timeout occurs before they're able to continue.
-Also there is an interesting article which that claims dropping connections doesnt make you any safer - link:http:_www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject[Drop versus Reject]
+Also there is an interesting article which that claims dropping connections doesnt make you any safer - link:http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject[Drop versus Reject]
**DROP**
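Review bot: the added line repairs the URL but carries over two wording errors from the removed line, "which that claims" and "doesnt". The line is being rewritten anyway, so change them to "which claims" and "doesn't" in the same commit rather than leaving them for a follow-up.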
CAUTION: _NOTRACK_ will render certain ipables extensions unusable, for example the _MASQUERADE_ target or the _state_ match will not work!
-If connection tracking is required, for example by custom rules in '/etc/firewall.user', the 'conntrack' option must be enabled in the corresponding zone to disable _NOTRACK_. It should appear as 'option 'conntrack' '1' ' in the right zone in '/etc/config/firewall'. For further information see http:_security.maruhn.com/iptables-tutorial/x4772.html .
+If connection tracking is required, for example by custom rules in '/etc/firewall.user', the 'conntrack' option must be enabled in the corresponding zone to disable _NOTRACK_. It should appear as 'option 'conntrack' '1' ' in the right zone in '/etc/config/firewall'. For further information see http://security.maruhn.com/iptables-tutorial/x4772.html .
== Debug generated rule set
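Review bot: in the added line the nested single quotes in 'option 'conntrack' '1' ' are hard to parse and leave a stray space before the closing quote, so a reader cannot tell which quotes belong to the UCI syntax. Mark the setting and the two file paths as monospaced literals instead, for example `option 'conntrack' '1'`. The unchanged CAUTION line above this change also spells iptables as "ipables", which is worth fixing in the same pass.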
| {{:meta:icons:tango:48px-outdated.svg.png?nolink}} | In '/etc/config/system' 'busybox-rdate' (was invoked by scripts) has been replaced with 'busybox-nptd' (can run as a daemon) to avoid race condition and also to use current NTP. The remote time is since configured in '/etc/config/system' and not in '/etc/config/timeserver' any longer.
-* WARNING: Old scripts first checked if a lease time server is defined for the interface in the [[doc:uci:network|network config]].
-* WARNING: If not available or syncing fails, then it searches for time servers in the [[doc:uci:timeserver|timeserver config]] that are either explicitly defined for that interface or via the global setting in the system config.
+* WARNING: Old scripts first checked if a lease time server is defined for the interface in the network config.
+* WARNING: If not available or syncing fails, then it searches for time servers in the timeserver config that are either explicitly defined for that interface or via the global setting in the system config.
----
config 'timeserver' 'ntp'
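Review bot: the two added WARNING lines drop the cross-references to the network config and timeserver config pages instead of converting them, whereas the other changes in this patch keep their links in AsciiDoc form. If those pages exist in the converted documentation, keep the references as links so readers can still reach the option descriptions. The unchanged table line above still contains unconverted DokuWiki image markup ({{:meta:icons:tango:48px-outdated.svg.png?nolink}}), and "busybox-nptd" there looks like a transposition of ntpd.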