public inbox for gentoo-embedded@lists.gentoo.org
* [gentoo-embedded] Using iptables alone without shorewall/firehol
From: Sebastian Rodriguez @ 2005-07-14 13:17 UTC
  To: gentoo-embedded

Hello,
I am considering the option of using gnap, as my current router / fw is a 
gentoo box. The "problem" is that actually I don't use shorewall or 
firehol. I just start my script at boot, and everything is great. I just 
want to know if we can disable shorewall and firehol and use iptables alone. 
If it is possible, how do we do it?
Thank you very much
-- 
Sébastien Rodriguez


* Re: [gentoo-embedded] Using iptables alone without shorewall/firehol
From: Thierry Carrez @ 2005-07-14 17:06 UTC
  To: gentoo-embedded

Sebastian Rodriguez wrote:
> 
> Hello,
> I am considering the option of using gnap, as my current router / fw
> is a gentoo box. The "problem" is that actually I don't use shorewall
> or firehol. I just start my script at boot, and everything is
> great. I just want to know if we can disable shorewall and firehol and
> use iptables alone. If it is possible, how do we do it?

If you have USE_FW=no, GNAP won't start shorewall or firehol. You can
add extra startup init scripts using START_SERVICES (for example
START_SERVICES="iptables").

Hope this helps...

-- 
Koon
-- 
gentoo-embedded@gentoo.org mailing list




* Re: [gentoo-embedded] Using iptables alone without shorewall/firehol
From: Sebastian Rodriguez @ 2005-07-14 17:08 UTC
  To: gentoo-embedded

yes it helps of course, the thing is: by default iptables doesn't start with 
gnap? Oo as shorewall and firehol are based on iptables I thought it would 
start at boot

On 7/14/05, Thierry Carrez <koon@gentoo.org> wrote:
> 
> Sebastian Rodriguez wrote:
> >
> > Hello,
> > I am considering the option of using gnap, as my current router / fw
> > is a gentoo box. The "problem" is that actually I don't use shorewall
> > or firehol. I just start my script at boot, and everything is
> > great. I just want to know if we can disable shorewall and firehol and
> > use iptables alone. If it is possible, how do we do it?
> 
> If you have USE_FW=no, GNAP won't start shorewall or firehol. You can
> add extra startup init scripts using START_SERVICES (for example
> START_SERVICES="iptables").
> 
> Hope this helps...
> 
> --
> Koon
> --
> gentoo-embedded@gentoo.org mailing list
> 
> 


-- 
Sébastien Rodriguez


* Re: [gentoo-embedded] Using iptables alone without shorewall/firehol
From: Thierry Carrez @ 2005-07-14 17:13 UTC
  To: gentoo-embedded

Sebastian Rodriguez wrote:
> yes it helps of course, the thing is: by default iptables doesn't start
> with gnap? Oo as shorewall and firehol are based on iptables I thought it
> would start at boot

USE_FW=yes will add iptables + shorewall (or firehol) to the runlevel.

With USE_FW=no you won't have any of them.

So if you do USE_FW=no and START_SERVICES="iptables" you will start
iptables without starting shorewall/firehol, which seems to be what you
want to do.

-- 
Koon

* Re: [gentoo-embedded] Using iptables alone without shorewall/firehol
From: Sebastian Rodriguez @ 2005-07-14 17:31 UTC
  To: gentoo-embedded

yes, that's exactly what I wanted to know ^^
I am going to install gnap on my wrap this week-end.

On 7/14/05, Thierry Carrez <koon@gentoo.org> wrote:
> 
> Sebastian Rodriguez wrote:
> > yes it helps of course, the thing is: by default iptables doesn't start
> > with gnap? Oo as shorewall and firehol are based on iptables I thought it
> > would start at boot
> 
> USE_FW=yes will add iptables + shorewall (or firehol) to the runlevel.
> 
> With USE_FW=no you won't have any of them.
> 
> So if you do USE_FW=no and START_SERVICES="iptables" you will start
> iptables without starting shorewall/firehol, which seems to be what you
> want to do.
> 
> --
> Koon
> --
> gentoo-embedded@gentoo.org mailing list
> 
> 


-- 
Sébastien Rodriguez


* Re: [gentoo-embedded] Using iptables alone without shorewall/firehol
From: Sebastian Rodriguez @ 2005-07-15 17:33 UTC
  To: gentoo-embedded

Well, I am trying the install, but what you said is wrong:

"USE_FW Set to yes to have a firewall script run at startup. See FW_TYPE 
option. Note that you should overlay files in the etc/shorewall or 
etc/firehol directory to configure non-default options."
So ok, I say no, but in FW_TYPE I can't choose "no", so shorewall is going to 
run by default with default values, a thing I don't want.
So someone has an idea?

On 7/14/05, Sebastian Rodriguez <sniper.mdr@gmail.com> wrote:
> 
> yes, thats exactly what I wanted to know ^^
> I am going to install gnap on my wrap this week-end.
> 
> On 7/14/05, Thierry Carrez <koon@gentoo.org> wrote: 
> > 
> > Sebastian Rodriguez wrote:
> > > yes it helps of course, the thing is: by default iptables doesn't start
> > > with gnap? Oo as shorewall and firehol are based on iptables I thought it
> > > would start at boot
> > 
> > USE_FW=yes will add iptables + shorewall (or firehol) to the runlevel.
> > 
> > With USE_FW=no you won't have any of them. 
> > 
> > So if you do USE_FW=no and START_SERVICES="iptables" you will start
> > iptables without starting shorewall/firehol, which seems to be what you
> > want to do.
> > 
> > --
> > Koon
> > --
> > gentoo-embedded@gentoo.org mailing list
> > 
> > 
> 
> 
> -- 
> Sébastien Rodriguez 




-- 
Sébastien Rodriguez


* Re: [gentoo-embedded] Using iptables alone without shorewall/firehol
From: Thierry Carrez @ 2005-07-15 18:29 UTC
  To: gentoo-embedded

Sebastian Rodriguez wrote:

> Well, I am trying the install, but what you said is wrong:
> 
> "USE_FW Set to yes to have a firewall script run at startup. See FW_TYPE
> option. Note that you should overlay files in the etc/shorewall or
> etc/firehol directory to configure non-default options."
> So ok, I say no, but in FW_TYPE I can't choose "no", so shorewall is
> going to run by default with default values, a thing I don't want.
> So someone has an idea?

Believe me. I wrote the damn thing.

USE_FW decides if you run a firewall script at startup. FW_TYPE decides
which script you run (if USE_FW=yes).

If you still don't believe me, look at the code :

if [ "${USE_FW}" == "yes" ]; then
  ln -snf "/etc/init.d/iptables" "/etc/runlevels/boot/iptables"
  if [ "${FW_TYPE}" == "firehol" ]; then
    ln -snf "/etc/init.d/firehol" "/etc/runlevels/default/firehol"
  else
    ln -snf "/etc/init.d/shorewall" "/etc/runlevels/default/shorewall"
  fi
  DONTDEPSCAN=0
fi

With USE_FW=no, you won't have iptables, you won't have shorewall, and
you won't have firehol. Whatever you put in FW_TYPE.

-- 
Thierry Carrez (Koon)

* Re: [gentoo-embedded] Using iptables alone without shorewall/firehol
From: Sebastian Rodriguez @ 2005-07-16  9:47 UTC

Ok, sorry about that, but I wasn't sure.
I am going to do it like you said. Thanks for the explanations.

On 7/15/05, Thierry Carrez <koon@gentoo.org> wrote:
> 
> Sebastian Rodriguez wrote:
> 
> > Well, I am trying the install, but what you said is wrong:
> >
> > "USE_FW Set to yes to have a firewall script run at startup. See FW_TYPE
> > option. Note that you should overlay files in the etc/shorewall or
> > etc/firehol directory to configure non-default options."
> > So ok, I say no, but in FW_TYPE I can't choose "no", so shorewall is
> > going to run by default with default values, a thing I don't want.
> > So someone has an idea?
> 
> Believe me. I wrote the damn thing.
> 
> USE_FW decides if you run a firewall script at startup. FW_TYPE decides
> which script you run (if USE_FW=yes).
> 
> If you still don't believe me, look at the code :
> 
> if [ "${USE_FW}" == "yes" ]; then
>   ln -snf "/etc/init.d/iptables" "/etc/runlevels/boot/iptables"
>   if [ "${FW_TYPE}" == "firehol" ]; then
>     ln -snf "/etc/init.d/firehol" "/etc/runlevels/default/firehol"
>   else
>     ln -snf "/etc/init.d/shorewall" "/etc/runlevels/default/shorewall"
>   fi
>   DONTDEPSCAN=0
> fi
> 
> With USE_FW=no, you won't have iptables, you won't have shorewall, and
> you won't have firehol. Whatever you put in FW_TYPE.
> 
> --
> Thierry Carrez (Koon)
> --
> gentoo-embedded@gentoo.org mailing list
> 
> 


-- 
Sébastien Rodriguez
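
The outcome of this thread can be checked mechanically before an image is built. The following is an added example, not GNAP's own code: it models the USE_FW / FW_TYPE branch quoted above and reports which packet-filter services a config would start at boot. The function names `conf_get` and `fw_at_boot`, the KEY=value file format, and the treatment of START_SERVICES as a space-separated list of init scripts are assumptions; the sample configs are constructed.

```shell
#!/bin/sh
# Added example: audits a GNAP-style KEY=value config for the boot firewall.
# How START_SERVICES is consumed is an assumption, not taken from GNAP source.

# conf_get KEY TEXT: print the last value assigned to KEY, quotes stripped.
# The config is parsed as text, never sourced, so it cannot run commands.
conf_get() {
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=//p" | tail -n 1 |
    sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# fw_at_boot TEXT: print which packet-filter services would start at boot.
fw_at_boot() {
  use_fw=$(conf_get USE_FW "$1")
  fw_type=$(conf_get FW_TYPE "$1")
  extra=$(conf_get START_SERVICES "$1")
  if [ "$use_fw" = "yes" ]; then
    # Same branch as the quoted code: anything but "firehol" means shorewall.
    if [ "$fw_type" = "firehol" ]; then echo "iptables firehol"
    else echo "iptables shorewall"; fi
    return 0
  fi
  # USE_FW is not "yes": FW_TYPE is ignored; only START_SERVICES adds iptables.
  for svc in $extra; do
    if [ "$svc" = "iptables" ]; then echo "iptables"; return 0; fi
  done
  echo "none"   # the router would boot with no packet filter loaded
}

# Constructed sample configs (not taken from a real GNAP overlay).
CONF_THREAD='USE_FW=no
FW_TYPE=shorewall
START_SERVICES="iptables"'
CONF_BARE='USE_FW=no
FW_TYPE=shorewall'

for c in "$CONF_THREAD" "$CONF_BARE"; do
  printf 'boot firewall: %s\n' "$(fw_at_boot "$c")"
done
```

A result of `none` is the case to catch on a router: USE_FW=no without iptables in START_SERVICES leaves the box with no rules loaded at boot.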
