public inbox for gentoo-user@lists.gentoo.org
From: "Dave Nebinger" <dnebinger@joat.com>
To: <gentoo-user@lists.gentoo.org>
Subject: Re: [gentoo-user]  Re: iptables example on Gentoo
Date: Fri, 09 Sep 2005 09:38:49 -0400
Message-ID: <008801c5b543$d001c3a0$0a00a8c0@butthead>
In-Reply-To: F49BE7328A1DA246AFC5C2CDDB86D917DFAFCE@BCV0X134EXC0005

>> # Generated by iptables-save v1.3.2 on Thu Sep  8 12:32:48 2005
>> *nat
>> :PREROUTING ACCEPT [34942:3100331]
>> :POSTROUTING ACCEPT [106864:7597940]
>> :OUTPUT ACCEPT [106858:7597722]
>> :net_dnat - [0:0]
>> :w1ad_masq - [0:0]
>> -A PREROUTING -i w1ad -j net_dnat
>> -A POSTROUTING -o w1ad -j w1ad_masq
>> -A net_dnat -p udp -m multiport --dports
>
> What is the "[34942:3100331]" and "[106864:7597940]" references above?

Without specifying options to iptables-save, it includes the counters in the 
format [packet-counter:byte-counter].  I don't use the counters myself, so I 
don't really know for sure what purpose they serve (I'm sure the doco could 
shed some light on it).  My guess is that they are used for either QOS or 
throttling or something.

>> These are all valid rules and are constructed by shorewall.
>> Would they be
>> the same if I hand-coded them?  Absolutely not.  I wouldn't
>> have so many
>> custom chains and would probably reorder the rules to give
>> priorities to
>> specific services.
>>
>> And, I would argue that whilst these rules are valid and do
>> perform the
>> firewall chores that I want/need, the format of the rules
>> would leave a lot
>> to be desired to try to maintain manually via the command line.
>
> If I understand this right:  Shorewall, firehol, fwbuilder, etc.,
> 'just-works', but it kludges the iptables?  Some of these 'helpers' may
> also require you to learn some additional scripting format other than
> the conventional iptables.

I don't think that 'kludges' is the right word for it.

When hand-coding iptables scripts, it makes sense to create custom chains to 
organize your iptables script somewhat.  Shorewall (and the others although 
I'm not familiar with their direct interactions with iptables) does this as 
well.  The difficulty is that shorewall is capable of handling so many 
different configurations.  The various custom chains that it creates are 
targeted towards someone that's using all of the various parts of shorewall; 
when you scale back to a limited setup with a small set of logical rules, 
shorewall still handles it easily but constructs all of the custom chains 
and interlinkings that would be used in a more complex setup.

Which is why the iptables-save output I posted is a heck of a lot bigger 
than what my logical set of rules contains.

> I guess that's similar to using some HTML
> WYSIWYG instead of hand coding it yourself.

That's a very good analogy, and more apropos to the actual output of 
shorewall et al.  Although the output of the tool is functionally similar to 
what you would do by hand, it is typically more complicated and not close to 
what you would have done hand-coding it.

-- 
gentoo-user@gentoo.org mailing list
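The [packets:bytes] fields asked about above are the packet and byte counters iptables keeps for each chain's default policy (and, when the dump is taken with `iptables-save -c`, for each rule as well); they are the same numbers `iptables -L -v -n` prints. Read back from a dump they answer two questions a firewall maintainer cares about: which rules never match (a shadowed or mistyped rule shows [0:0] next to rules that do see traffic), and how much of a generated rule set is scaffolding. The following Python parser for the iptables-save format is an added example, not code from this thread or from Shorewall; the dump it parses is a constructed sample modelled on the quoted fragment, with made-up counters, an extra `filter` table and an extra `unused_chain` so that each report has something to show.

```python
"""Parse iptables-save output: chain policy counters, per-rule counters, custom chains."""
import re
from dataclasses import dataclass, field

# Constructed sample in iptables-save format, modelled on the fragment quoted
# in the thread.  Counters, the filter table and the extra rules are made up.
SAMPLE = """\
# Generated by iptables-save v1.3.2 on Thu Sep  8 12:32:48 2005
*nat
:PREROUTING ACCEPT [34942:3100331]
:POSTROUTING ACCEPT [106864:7597940]
:OUTPUT ACCEPT [106858:7597722]
:net_dnat - [0:0]
:w1ad_masq - [0:0]
:unused_chain - [0:0]
-A PREROUTING -i w1ad -j net_dnat
-A POSTROUTING -o w1ad -j w1ad_masq
-A net_dnat -p udp -m multiport --dports 53,123 -j DNAT --to-destination 192.168.0.10
-A w1ad_masq -j MASQUERADE
COMMIT
*filter
:INPUT DROP [12:840]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5000:400000]
[120:9600] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# ':CHAIN POLICY [pkts:bytes]'  (POLICY is '-' for user-defined chains)
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
# '[pkts:bytes] -A CHAIN spec' when saved with -c, otherwise '-A CHAIN spec'
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\] )?-A (\S+) (.*)$")
# jump (-j) and goto (-g) targets inside a rule spec
TARGET_RE = re.compile(r"(?:^| )-[jg] (\S+)")


@dataclass
class Chain:
    policy: str    # ACCEPT/DROP for built-in chains, '-' for custom ones
    packets: int   # packets that fell through to the default policy
    nbytes: int
    rules: list = field(default_factory=list)  # [(counters_or_None, spec), ...]


def parse(text):
    """Return {table_name: {chain_name: Chain}} for an iptables-save dump."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
            continue
        if table is None:
            raise ValueError("chain or rule before any *table line: %r" % line)
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pkts, byts = m.groups()
            table[name] = Chain(policy, int(pkts), int(byts))
            continue
        m = RULE_RE.match(line)
        if m:
            pkts, byts, chain, spec = m.groups()
            counters = (int(pkts), int(byts)) if pkts is not None else None
            if chain not in table:
                raise ValueError("rule for undeclared chain %s" % chain)
            table[chain].rules.append((counters, spec))
            continue
        raise ValueError("unrecognised line: %r" % line)
    return tables


def unreferenced_user_chains(table):
    """Custom chains that no rule in the table jumps or goes to (dead scaffolding)."""
    referenced = set()
    for chain in table.values():
        for _, spec in chain.rules:
            referenced.update(TARGET_RE.findall(spec))
    return sorted(name for name, c in table.items()
                  if c.policy == "-" and name not in referenced)


def zero_hit_rules(table):
    """Rules saved with -c whose counters are [0:0]: never matched since the last reset."""
    return [(name, spec) for name, c in table.items()
            for counters, spec in c.rules if counters == (0, 0)]


def policy_hits(table):
    """Built-in chains where packets reached the default policy, with the packet count."""
    return {name: c.packets for name, c in table.items()
            if c.policy != "-" and c.packets > 0}


if __name__ == "__main__":
    for tname, table in parse(SAMPLE).items():
        print("table", tname)
        for cname, chain in table.items():
            print("  %-12s policy %-7s %8d pkts %10d bytes %d rules"
                  % (cname, chain.policy, chain.packets, chain.nbytes, len(chain.rules)))
        print("  unreferenced custom chains:", unreferenced_user_chains(table))
        print("  zero-hit rules:", zero_hit_rules(table))
        print("  policy hits:", policy_hits(table))
```

Run against a real dump (`iptables-save -c > rules.txt`, then `parse(open("rules.txt").read())`), the same three reports apply: a non-zero policy count on a DROP chain tells you how much traffic is being dropped by default rather than by an explicit rule, zero-hit rules are candidates for review, and unreferenced custom chains are the kind of extra interlinking a generator emits for features you are not using.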