Re: [gentoo-dev] NAT iptables info

Re: [gentoo-dev] NAT iptables info

[Sherman Boyd]

Not in agreement with what?  I'm simply asking a question.  I understand what you are saying, but I think you are still stuck on your original thread with the guy who actually wants a one button firewall.  You assume too much if you think that I am looking for the same thing.  Nobody wants to make gentoo into a zero knowledge distro, so it's real easy to score some cheap shots making comparisons to Microsoft and Redhat.  
 
Configuration is obviously in the domain of a package.  Ideally the default configuration is conservative and secure.  The fact is Gentoo is making policy decision every day, and even deals with optional configurations.  Take /etc/rc.d/config/basic where we have the choice of using either achim's, drobbin's or pete's favorite console fonts.  I like that.  Why?  Because even though I have a preference to what my console font is I really don't give damn.  I'm not going to waste too much time researching different console fonts.  So I really appreciate a suggested configuration.  This solution is cool, but it gets more complicated when we get into desktops.  So what I was suggesting was a higher level tool to handle configurations.  Should gentoo provide one default configuration for GNOME?  Or should there be a choice of configurations?  Maybe separation of installation and configuration would be a good thing?  I think a configuration tool moves toward gentoo's goal of being a meta-distribution.  
 
Now I'm not suggesting a configuration tool that can replace the need for manual configuration, at least in most cases.  Just a tool that can manage multiple optional configurations.  I'm with you when you say that an admin (or user) should understand netfilter before implementing it, and I disagree with the original poster who wants a easy (but insecure) way to NAT his network.  However there comes a time when you may want the benefit of someone else's experience.  You probably did not write a firewall script from scratch, or your XFree configuration, and on and on.  Chances are you used a suggested configuration that you modified to suit your purposes.
 
Anyway it is simply an idea, maybe even a bad one.  I'm not terribly attached to it.  I was hoping to open a logical discussion not some hot-blooded "debate".  Nobody is going to turn gentoo into a Mandrake or Redhat.  Documentation is a lot more important than optional configuration packages.  Please tone down the emotion and carefully consider what I am saying next time.  It sounds like we agree on a lot, and even if we disagree I think it is to everyone's advantage to keep an open mind.
 
-sherman
 
 

	-----Original Message-----
From: Donny Davies <woodchip@gentoo.org> 
Sent: Wednesday, October 03, 2001 12:35 PM
To: <gentoo-dev@cvs.gentoo.org>
Subject: [gentoo-dev] NAT iptables info



	Nope. Sorry. Im not in agreement in this at all. Of course, its open to debate, 
Im not saying I know everything, nor Im 100% right. Go ahead, debate away. 
But I dont want any part of it, Ill tell you that! 

	If you dont understand the ramnifications of packet filetering, NAT, etc then 
you have *no* business running this software. We are not Microsoft or Wingate, 
opening yuor machine to a wider world. 

	What if somebodys iptables script is made into an ebuild, and said script turns 
out to be flawed, perhaps seriously? Then its "hey, yeah those guys at gentoo 
have a firewall setup like swiss cheese.". What interfaces are yuo going to 
configure this ebuild for? eth0 and eth1? how about ppp? maybe an isdn 
interface? How do yuo choose? Im going to say this again, it is %100 
configuration. This is *not* the domain of a package. It is the domain of 
a system administrator. This is 1 file we're talking about here people, not 
a series of docs, scripts, config files. *most* of them anyway. There *are* 
some that come with external configs. But thats all beside the point. The 
script needs to be edited. This whole thing started because we basically had 
a post to the devel list of the flavour: "I need an iptables HOWTO". 

	What are you going to do about the kernel modules? Did you know that 
the netfilter modules are built at the kernel level? How are you going to 
DEPEND on that? 

	This is bad policy. A distribution should *not* be dictating *policy*. To 
not understand that is a big mistake. Listen, Redhat and Mandrake are 
the kinds of distros doing this stuff! Making Linux into a 1 click affair. 
This is not our primary intention. Not at this stage anyway! 

	So feel free to debate it all you want, I wont be having *any* part in it 
Ill tell you that! 

	Cheers! 
   
Donny 



	_______________________________________________ 
gentoo dev mailing list 
gentoo dev@cvs.gentoo.org 
http://cvs.gentoo.org/mailman/listinfo/gentoo dev 

RE: [gentoo-dev] NAT iptables info

[Sean Mitchell]

> From: Donny Davies [mailto:woodchip@gentoo.org]

> Nope. Sorry. Im not in agreement in this at all. Of course, 
> its open to debate,
> Im not saying I know everything, nor Im 100% right. Go ahead, 
> debate away.
> But I dont want any part of it, Ill tell you that!
> 
> If you dont understand the ramnifications of packet 
> filetering, NAT, etc then
> you have *no* business running this software. We are not 
> Microsoft or Wingate,
> opening yuor machine to a wider world.

<snip rest of post>

I have to agree in principle here, FWIW. The answer to this problem of
making the functionality available to everyone is to make sure things are
clearly and thoroughly documented. I think we are best served by following
the OpenBSD example of a secure default install and then let the users
change configuration to suit.

Cheers,

Sean

Re: [gentoo-dev] NAT iptables info

[Djamil ESSAISSI]

Alright;
Unfortunatly, life especially "buzness" is not about RIGHT or WRNG anymore[1],so even if i do I agree with you a 100% which is the case.
So as i said on [1] the right thing is not always the good thing, example: if you want to sell your wine [red wine] it has to taste good and give you a sweet buzz, and dont care if it's gonna gonna fuckup your liver or give a shit-face the next morning.

So i'm not saying "yeah lets get some quick and durty confs so ppl be happy ..."
no i prefer actually taking advantage of that need and set up actually rock solid confs Wich in my dreams will relsult in : As easy to use as wincrap [logical]AND running Linux.
So if you (we) are planning to deal/work/serve just Admins let me tell you i'm outa here 'cause there are  wayyyyyy to many ppl that are just hearing about linux and if you ,i mean we, misse these guys they gonna get picked up by f'redhat and the like, so 1) more ppl will be dumber and 2) less ppl will be interested in our shit. << that is not what we need, dont we ?
############
)> If you dont understand the ramnifications of packet 
:)> filetering, NAT, etc then
:)> you have *no* business running this software. We are not 
:)> Microsoft or Wingate,
#########################
what you see here is a typical fucked up reaction;
Mister is saying literally to somebody : "hey dumb ass you are too dumb to use our software !! get out !"
Is this how you get attention ? customers ? freinds ??
Braguers ! are we here to brag ?!or to proof something to Dady ? no ! were here to make It
,make good shit , and if no one uses it ,well too bad, i'll go back to LFS and my makefiles.


We have to understand that even charity organizations kiss asses to please their "customers" --have you ever seen a "charity organization rep." saying :"oh no that guy is a mobster ...we aint taking his money"

ps: Excuse my english,please.


:)
:)> From: Donny Davies [mailto:woodchip@gentoo.org]
:)
:)> Nope. Sorry. Im not in agreement in this at all. Of course, 
:)> its open to debate,
:)> Im not saying I know everything, nor Im 100% right. Go ahead, 
:)> debate away.
:)> But I dont want any part of it, Ill tell you that!
:)> 
:)> If you dont understand the ramnifications of packet 
:)> filetering, NAT, etc then
:)> you have *no* business running this software. We are not 
:)> Microsoft or Wingate,
:)> opening yuor machine to a wider world.
:)
:)<snip rest of post>
:)
:)I have to agree in principle here, FWIW. The answer to this problem of
:)making the functionality available to everyone is to make sure things
:)are
:)clearly and thoroughly documented. I think we are best served by
:)following
:)the OpenBSD example of a secure default install and then let the users
:)change configuration to suit.
:)
:)Cheers,
:)
:)Sean
:)
:)_______________________________________________
:)gentoo-dev mailing list
:)gentoo-dev@cvs.gentoo.org
:)http://cvs.gentoo.org/mailman/listinfo/gentoo-dev
:)


-- 
Djamil ESSAISSI
Tel:01.58.64.22.44 - Fax:01.58.64.26.81
System Administrateur / Support Technique
www.francexpress.com - www.serveur-express.com
Hébergement professionnel & Location de serveurs dédiés
Tel:01.58.64.26.44 Fax:01.58.64.26.81 djamil@francexpress.com

Re: [gentoo-dev] NAT iptables info

[Daniel Robbins]

On Thu, Oct 04, 2001 at 01:03:14PM +0200, Djamil ESSAISSI wrote:

> what you see here is a typical fucked up reaction; Mister is saying literally
> to somebody : "hey dumb ass you are too dumb to use our software !! get out
> !" Is this how you get attention ? customers ? freinds ??  Braguers ! are we
> here to brag ?!or to proof something to Dady ? no ! were here to make It
> ,make good shit , and if no one uses it ,well too bad, i'll go back to LFS
> and my makefiles.

> We have to understand that even charity organizations kiss asses to please
> their "customers" --have you ever seen a "charity organization rep." saying
> :"oh no that guy is a mobster ...we aint taking his money"

> ps: Excuse my english,please.

I'll excuse your English but not your swearing :)

The philosophy of Gentoo Linux is to make things easier to use with out "dumbing
down" the system for power users.  So the real answer is to find a way that we
can do both what Djamil and Donny suggest at the same time.  However, we are not
focusing on absolute newbies yet, so right now we want to make the experts and
the semi-knowledgable people happy at the same time.  That's what we'll do.

A lot of this can be solved by extensive documentation/comments about the basic
firewall setup.

-- 
Daniel Robbins					<drobbins@gentoo.org>
Chief Architect/President			http://www.gentoo.org 
Gentoo Technologies, Inc.			

Re: [gentoo-dev] NAT iptables info

[Nathaniel Grady]

(note: I havn't really been able to keep up completly with the thread - darn classes getting in the way of important stuff :)

I would have to argue that I believe an openBSDish secure by default is the best approach. Make the default install very secure - not allowing any sort of insecure password auths (non-ssl ftp pop3 and imap) and the shuch. Having config files in portage is a bad idea as it will cause the biggest security hole windows has - "gee, I pressed a button and it worked so it's good enouhg." This promotes a lack of understanding about what the user has done and therefore they would have trouble even knowing what exactally the were using to know what patches and security vunarablity reports applied to them. That dosn't mean we should leave a newbie floating. I really think good how-to's are the answer. A websight of "how to make an X with gentoo linux" sort of thing - step by step documents describing how to make a firewall/NAT applience with a modem or a cablemodem or a DSL line, how to set up secure imap and pop servers (ssl that is), how to set up a webserver. I think those three are probably where the biggest number of newbies are going to come from and it would be a waste if each one had to be walked through those first steps indivigually. The most important aspect of the guides would be *REFRENCES* - eg: "install the certificate by doing.... [see the wonderfull guides by john at http://... and the part of the OpenSSL manual at ... and ]." A lot of guides seem to have a list of refrences at the bottom but I think maybe a lot of newbies are intimitated by "for more info see the homepage of XXX." Insted relevant refrences to the section of the manual, similar guides writtin by other projects, etc... (Oh, and including commented example configurations and such is good too - the current gentoo build doc and such are really good about that allredy - i think a few more docs along those lines would be good) 

For example, looking at http://www.gentoo.org/doc/build.html, under 2. Booting there should be a line "By the way that prompt you're loking at is <a href=homepage>this program and the docs for it are <a href=program_docs> here </a>. The ISO was created with <a href=isolinux_homepage> isolinux. If you have problems you might want to glance at thier respective homepages to see if it's a known bug with your motherboard chipset...  or looking at the next section - the real power of html is that when it sais use modprobe you can have use <a href=modprobe_manpage>modprobe</a>! I think that's whats going to help newbies start to learn how to really use linux and go beyond the microsoft programed "gee, i clicked someting and it seems to serve webpages now... on to mail serving"

That said I want to say I really think the gentoo docs are excellant - some of the best i've seen of any distro. And drobbins articles on developerworks kick ass - really found them usefull myself :)  The openAFS doc i think is a model of how this sort of documentation for "newbies" should be produced. (newbies in quotes as non-newbies like me find is usefull as well).

in conclusion my main suggestion is that the current documentation trend (openafs, nvidia) is excellant and the only real change is maybe more hyperlinks to man pages, relevant sections of other guides sprinkled around the guides. If maintianers are intersted I'll start looking around suggestions of such links :)

Just my 2 cents

--Nathaniel Grady

ps: if nobody has taken it i'll offer to try and make a "making a simple firewall/nat with gentoo linux" oriented to newbies, but i only have a modem so i can't comment much on cable/dsl aside from "change ppp0 to ethX where X is the ethernet adapter your modem is connected to".... really, i can write better than this email would suggest *grin*

Re: [gentoo-dev] NAT iptables info

[Djamil ESSAISSI]

Alright sorry about the swearing, it's just that i deal with too many ppl that like to start with "you know i'm cool i HAVE linux  ... " and they dont even know how to create a makefile from scratch ... i'm just not very tolerant to arogant ppl.

My apologies again for the language.

:)focusing on absolute newbies yet, so right now we want to make the
:)experts and
:)the semi-knowledgable people happy at the same time.  That's what we'll
:)do.

This is very cool with me, so all is gonna be a matter of time -- as soon as i get some time i'll help, do we have some kinda o' TODO list laying around ? 


On Thu, 4 Oct 2001 13:28:29 -0600
Daniel Robbins <drobbins@gentoo.org> wrote:

:)On Thu, Oct 04, 2001 at 01:03:14PM +0200, Djamil ESSAISSI wrote:
:)
:)> what you see here is a typical fucked up reaction; Mister is saying
:)literally
:)> to somebody : "hey dumb ass you are too dumb to use our software !!
:)get out
:)> !" Is this how you get attention ? customers ? freinds ??  Braguers !
:)are we
:)> here to brag ?!or to proof something to Dady ? no ! were here to make
:)It
:)> ,make good shit , and if no one uses it ,well too bad, i'll go back to
:)LFS
:)> and my makefiles.
:)
:)> We have to understand that even charity organizations kiss asses to
:)please
:)> their "customers" --have you ever seen a "charity organization rep."
:)saying
:)> :"oh no that guy is a mobster ...we aint taking his money"
:)
:)> ps: Excuse my english,please.
:)
:)I'll excuse your English but not your swearing :)
:)
:)The philosophy of Gentoo Linux is to make things easier to use with out
:)"dumbing
:)down" the system for power users.  So the real answer is to find a way
:)that we
:)can do both what Djamil and Donny suggest at the same time.  However, we
:)are not
snip - snip -
:)
:)A lot of this can be solved by extensive documentation/comments about
:)the basic
:)firewall setup.
:)
:)-- 
:)Daniel Robbins					<drobbins@gentoo.org>
:)Chief Architect/President			http://www.gentoo.org 
:)Gentoo Technologies, Inc.			
:)
:)_______________________________________________
:)gentoo-dev mailing list
:)gentoo-dev@cvs.gentoo.org
:)http://cvs.gentoo.org/mailman/listinfo/gentoo-dev
:)


-- 
Djamil ESSAISSI
Tel:01.58.64.22.44 - Fax:01.58.64.26.81
System Administrateur / Support Technique
www.francexpress.com - www.serveur-express.com

Re: [gentoo-dev] NAT iptables info

[Daniel Robbins]

On Fri, Oct 05, 2001 at 11:56:09AM +0200, Djamil ESSAISSI wrote:

> This is very cool with me, so all is gonna be a matter of time -- as soon as
> i get some time i'll help, do we have some kinda o' TODO list laying around ? 

We use the dev-wiki for that.  Go to http://www.gentoo.org, and click on
dev-wiki :)

Best Regards,

-- 
Daniel Robbins					<drobbins@gentoo.org>
Chief Architect/President			http://www.gentoo.org 
Gentoo Technologies, Inc.			

[gentoo-dev] NAT iptables info

[Donny Davies]

Nope. Sorry. Im not in agreement in this at all. Of course, its open to debate,
Im not saying I know everything, nor Im 100% right. Go ahead, debate away.
But I dont want any part of it, Ill tell you that!

If you dont understand the ramnifications of packet filetering, NAT, etc then
you have *no* business running this software. We are not Microsoft or Wingate,
opening yuor machine to a wider world.

What if somebodys iptables script is made into an ebuild, and said script turns
out to be flawed, perhaps seriously? Then its "hey, yeah those guys at gentoo
have a firewall setup like swiss cheese.". What interfaces are yuo going to
configure this ebuild for? eth0 and eth1? how about ppp? maybe an isdn
interface? How do yuo choose? Im going to say this again, it is %100
configuration. This is *not* the domain of a package. It is the domain of
a system administrator. This is 1 file we're talking about here people, not
a series of docs, scripts, config files. *most* of them anyway. There *are*
some that come with external configs. But thats all beside the point. The
script needs to be edited. This whole thing started because we basically had
a post to the devel list of the flavour: "I need an iptables HOWTO".

What are you going to do about the kernel modules? Did you know that
the netfilter modules are built at the kernel level? How are you going to
DEPEND on that?

This is bad policy. A distribution should *not* be dictating *policy*. To
not understand that is a big mistake. Listen, Redhat and Mandrake are
the kinds of distros doing this stuff! Making Linux into a 1-click affair.
This is not our primary intention. Not at this stage anyway!

So feel free to debate it all you want, I wont be having *any* part in it
Ill tell you that!

Cheers!
--
Donny

Re: [gentoo-dev] NAT iptables info

[Michael M Nazaroff]

On Wednesday 03 October 2001 12:34 pm, you wrote:
Just to let everyone know I completely agree with Donny on this...Gentoo 
should be power house not dumbed down.

> Nope. Sorry. Im not in agreement in this at all. Of course, its open to
> debate, Im not saying I know everything, nor Im 100% right. Go ahead,
> debate away. But I dont want any part of it, Ill tell you that!
>
> If you dont understand the ramnifications of packet filetering, NAT, etc
> then you have *no* business running this software. We are not Microsoft or
> Wingate, opening yuor machine to a wider world.
>
> What if somebodys iptables script is made into an ebuild, and said script
> turns out to be flawed, perhaps seriously? Then its "hey, yeah those guys
> at gentoo have a firewall setup like swiss cheese.". What interfaces are
> yuo going to configure this ebuild for? eth0 and eth1? how about ppp? maybe
> an isdn interface? How do yuo choose? Im going to say this again, it is
> %100 configuration. This is *not* the domain of a package. It is the domain
> of a system administrator. This is 1 file we're talking about here people,
> not a series of docs, scripts, config files. *most* of them anyway. There
> *are* some that come with external configs. But thats all beside the point.
> The script needs to be edited. This whole thing started because we
> basically had a post to the devel list of the flavour: "I need an iptables
> HOWTO".
>
> What are you going to do about the kernel modules? Did you know that
> the netfilter modules are built at the kernel level? How are you going to
> DEPEND on that?
>
> This is bad policy. A distribution should *not* be dictating *policy*. To
> not understand that is a big mistake. Listen, Redhat and Mandrake are
> the kinds of distros doing this stuff! Making Linux into a 1-click affair.
> This is not our primary intention. Not at this stage anyway!
>
> So feel free to debate it all you want, I wont be having *any* part in it
> Ill tell you that!
>
> Cheers!

Re: [gentoo-dev] NAT iptables info

[Collins Richey]

On Wed, 3 Oct 2001 12:51:07 -0700 Michael M Nazaroff
<naz@themoonsofjupiter.et> wrote:

> On Wednesday 03 October 2001 12:34 pm, you wrote:
> Just to let everyone know I completely agree with Donny on
> this...Gentoo 
> should be power house not dumbed down.
> 
> > Nope. Sorry. Im not in agreement in this at all. Of course, its
> open to
> > debate, Im not saying I know everything, nor Im 100% right. Go
> ahead,
> > debate away. But I dont want any part of it, Ill tell you that!
> >
> > If you dont understand the ramnifications of packet filetering,
> NAT, etc
> > then you have *no* business running this software. We are not
> Microsoft or
> > Wingate, opening yuor machine to a wider world.
> >
> > What if somebodys iptables script is made into an ebuild, and said
> script
> > turns out to be flawed, perhaps seriously? Then its "hey, yeah
> those guys
> > at gentoo have a firewall setup like swiss cheese.". What
> interfaces are
> > yuo going to configure this ebuild for? eth0 and eth1? how about
> ppp? maybe
> > an isdn interface? How do yuo choose? Im going to say this again,
> it is
> > %100 configuration. This is *not* the domain of a package. It is
> the domain
> > of a system administrator. This is 1 file we're talking about here
> people,
> > not a series of docs, scripts, config files. *most* of them
> anyway. There
> > *are* some that come with external configs. But thats all beside
> the point.
> > The script needs to be edited. This whole thing started because we
> > basically had a post to the devel list of the flavour: "I need an
> iptables
> > HOWTO".
> >
> > What are you going to do about the kernel modules? Did you know
> that
> > the netfilter modules are built at the kernel level? How are you
> going to
> > DEPEND on that?
> >
> > This is bad policy. A distribution should *not* be dictating
> *policy*. To
> > not understand that is a big mistake. Listen, Redhat and Mandrake
> are
> > the kinds of distros doing this stuff! Making Linux into a 1-click
> affair.
> > This is not our primary intention. Not at this stage anyway!
> >
> > So feel free to debate it all you want, I wont be having *any*
> part in it
> > Ill tell you that!
> >

Yep, I agree too.  This really needs to be
documentation-documentation-documentation.  There should be HOWTOs
tailored to the gentoo way for most of the things everyone would like
to do.

-- 
Collins Richey
Denver Area
gentoo_rc6 xfce+sylpheed

RE: [gentoo-dev] NAT iptables info

[Sherman Boyd]

What about a configuration packages?  I think that the default settings of an ebuild should be conservative and secure, but when you start talking about ebuilds with lots of configuration options you see a need for a what Chad is talking about.  How about:
 
emerge rusty_impervious_firewall.x.y.z.econf
 
or maybe it should be a separate tool:
 
econfig tonys_sweet_gnome_setup.x.y.z.econf
 
That way we can keep configuration and installation in separation.
 
-sherman
 

	-----Original Message-----
From: Chad Huneycutt <chad.huneycutt@acm.org> 
Sent: Monday, October 01, 2001 7:30 PM
To: <gentoo-dev@cvs.gentoo.org>
Subject: Re: [gentoo-dev] NAT iptables info



	Donny Davies wrote: 

	>To provide some kind of gentoo firewall is, hmm, well silly. Its %100 
>configuration. This is not the domain of a 'package', 'rpm' or ebuild. 
> 
I don't completely agree with this.  While questions like "How do I set 
up a firewall?" are not completely germaine to this mailing list, the 
above statement is your opinion and open for discussion here.  I think 
that it is a very good idea to provide several basic scripts for common 
configurations.  If they are already out there, then great!, we should 
include them in an ebuild.  It is a much better policy to have the 
network default to a secure state (such as the Rusty's script that 
allows no incoming connections) than to leave it wide open, and let the 
potentially newbie sysadmin get hacked. 

	It would be nice to bring up a semi secure,  masquerading (or whatever 
they are calling it these days)  firewall box with little effort.  From 
there, one can learn about iptables and such things to customize it further. 

	Just some thoughts from someone who hasn't delved into iptables yet, 

	   Chad 


	_______________________________________________ 
gentoo dev mailing list 
gentoo dev@cvs.gentoo.org 
http://cvs.gentoo.org/mailman/listinfo/gentoo dev 

[gentoo-dev] NAT iptables info

[Donny Davies]

Please search freshmeat for iptables scripts. Please understand that they're
mostly just that-- scripts. Mostly they work top-down, with a few variables
you can edit applicable to your setup. Its easy enough to understand. There
are a zillion things you can do with the netfilter framework, its very robust.
To provide some kind of gentoo firewall is, hmm, well silly. Its %100
configuration. This is not the domain of a 'package', 'rpm' or ebuild. It is the
domain of a system administrator. If you are operating a Linux box then you
are automatically a system administrator. Cool huh!? :-)

This list is not the place for this type of stuff IHMO. This is not a howto-list.
I mean no disrespect. Please dont take any offense.

What gentoo provides is a nice framework for inserting your firewall script
into the init system. At least on rc5 there was an initfile specifically for that
purpose. Actually we neednt provide any more than just that! Ie: provide
a slot for a firewall script to run. I think the rc5 one ran after all non-local
interfaces were brought up, its been so long since I changed my firewall
box that I cant remember anymore :) The nice thing about that approach
is that you could always just source it, and run the function it was enclosed
in if you needed to run it again. Simple, slick, sufficient.

Please read up on packet filtering. Microsoft Internet Connection sharing
is not a simple hack. Its a lot of work to provide a simple, robust interface
to newbies who want to share an internet connection. I would remind you
that they basically *didnt* even write it. They bought out the company that
*did* write it. It used to be a product called NAT1000 for Windows NT,
and sure enough, it started to sell like hotcakes. Naturally, Micro$loth
being the anti-competitive juggernaut that it is, swallowed them up, and
started tossing it in with Windows 98 Second Edition.

There is simply sooo many different variants of these 'firewall scripts' on
freshmeat that it would be silly to try to come up with a 'here, this does it
for everybody'. It is the obligation of the system administrator. Again, like
I said, it is %100 configuration, with many peices in the *kernel*. This is
not the domain of a 'package'. If it helps you, Im personally using a
modified version of something I grabbed from freshmeat. Good Luck.

Of course Id be willing to send you a copy if you wish.

Cheers
--
Donny

Re: [gentoo-dev] NAT iptables info

[Chad Huneycutt]

Donny Davies wrote:

>To provide some kind of gentoo firewall is, hmm, well silly. Its %100
>configuration. This is not the domain of a 'package', 'rpm' or ebuild. 
>
I don't completely agree with this.  While questions like "How do I set 
up a firewall?" are not completely germaine to this mailing list, the 
above statement is your opinion and open for discussion here.  I think 
that it is a very good idea to provide several basic scripts for common 
configurations.  If they are already out there, then great!, we should 
include them in an ebuild.  It is a much better policy to have the 
network default to a secure state (such as the Rusty's script that 
allows no incoming connections) than to leave it wide open, and let the 
potentially newbie sysadmin get hacked.

It would be nice to bring up a semi-secure,  masquerading (or whatever 
they are calling it these days)  firewall box with little effort.  From 
there, one can learn about iptables and such things to customize it further.

Just some thoughts from someone who hasn't delved into iptables yet,

   Chad

Re: [gentoo-dev] NAT iptables info

[Djamil ESSAISSI]

I fortunatly know what u mean, so i give you as an example my little farm at home ...:
first you have to know: eth0 is hookedup to the DSLmodem
			eth1 is hookedup to the LAN
			ppp0 is the outside link (can be DSL , DIAL UP or even a VPN!)

adsl-start < the stuff of rp-dsl that comes with gentoo...

#Open tha door

route add -net 0.0.0.0 gw 62.4.19.XXX        < the IP on the PPP connection in my case it is static ;).

#Open sesame !

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE           <  masquerade the bludy LAN thru ppp0
iptables        -A FORWARD     -i eth1 -j ACCEPT		< and do me some forwarding too coming from eth1 [remember eth1 is the LAN side]


#Get me FTP

iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 21 -j DNAT --to 192.168.0.2:21  <<< this is how i use a PIII500/512M as a web 
iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 20 -j DNAT --to 192.168.0.2:20  <<< ftp server behinde a good old p100 .


#Get me HTTP/S

iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 80 -j DNAT --to 192.168.0.2:80   <<<
iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 443 -j DNAT --to 192.168.0.2:443  <<<


#get me ssh

iptables -t nat -A PREROUTING -p tcp -d 62.4.19.XXX/32 --dport 24 -j DNAT --to 192.168.0.2:22 <<< or even use another port to open aonther ssh on the inside machine.


NOTE: there is no firewalling involved here !!! this makes it work only --- it doesnt protect any machine for example: if you got SUB7 on a win98 machine the Lame can get to you machine: but this set up is sweet when i run CS/HL server on an inside machine ...hard to beleive ! it WORKS !

BUT you still can protect it but blocking ports/ips ... good luck and be carefull.
NOTE also that this runs on gentoo so maybe i passed over some steps as they may have been already setup by default ...


grutz.


Djamil-