From: "Dave Nebinger"
Subject: Re: [gentoo-user] Re: iptables example on Gentoo
Date: Fri, 09 Sep 2005 09:38:49 -0400
Message-id: <008801c5b543$d001c3a0$0a00a8c0@butthead>
List-Id: Gentoo Linux mail

>> # Generated by iptables-save v1.3.2 on Thu Sep 8 12:32:48 2005
>> *nat
>> :PREROUTING ACCEPT [34942:3100331]
>> :POSTROUTING ACCEPT [106864:7597940]
>> :OUTPUT ACCEPT [106858:7597722]
>> :net_dnat - [0:0]
>> :w1ad_masq - [0:0]
>> -A PREROUTING -i w1ad -j net_dnat
>> -A POSTROUTING -o w1ad -j w1ad_masq
>> -A net_dnat -p udp -m multiport --dports
>
> What are the "[34942:3100331]" and "[106864:7597940]" references above?

Without specifying options to iptables-save, it includes the counters in the
format [packet-counter:byte-counter]. I don't use the counters myself, so I
don't really know for sure what purpose they serve (I'm sure the doco could
shed some light on it). My guess is that they are used for either QOS or
throttling or something.

>> These are all valid rules and are constructed by shorewall. Would they be
>> the same if I hand-coded them? Absolutely not. I wouldn't have so many
>> custom chains and would probably reorder the rules to give priorities to
>> specific services.
>>
>> And, I would argue that whilst these rules are valid and do perform the
>> firewall chores that I want/need, the format of the rules would leave a lot
>> to be desired to try to maintain manually via the command line.
>
> If I understand this right: Shorewall, firehol, fwbuilder, etc.,
> 'just-works', but it kludges the iptables? Some of these 'helpers' may
> also require you to learn some additional scripting format other than
> the conventional iptables.

I don't think that 'kludges' is the right word for it.
When hand-coding iptables scripts, it makes sense to create custom chains to
organize your iptables script somewhat. Shorewall (and the others, although
I'm not familiar with their direct interactions with iptables) does this as
well. The difficulty is that shorewall is capable of handling so many
different configurations. The various custom chains that it creates are
targeted towards someone that's using all of the various parts of shorewall;
when you scale back to a limited setup with a small set of logical rules,
shorewall still handles it easily but constructs all of the custom chains and
interlinkings that would be used in a more complex setup. Which is why the
iptables-save output I posted is a heck of a lot bigger than what my logical
set of rules contains.

> I guess that's similar to using some HTML WYSIWYG instead of hand coding
> it yourself.

That's a very good analogy, and more apropos to the actual output of
shorewall et al. Although the output of the tool is functionally similar to
what you would do by hand, it is typically more complicated and not close to
what you would have done hand-coding it.

-- 
gentoo-user@gentoo.org mailing list
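An added example, not code from this thread or from shorewall: a small Python parser for the iptables-save format quoted above, plus two audit helpers. It assumes the format as iptables-save writes it: a `*table` line opens a block, `:CHAIN POLICY [packets:bytes]` declares a chain (user-defined chains have no policy and are written `- [0:0]`, so the counters on those lines only say something about the built-in chains), `-A CHAIN ...` appends a rule, and `COMMIT` closes the block. When the dump is taken with `iptables-save -c`, each rule line is additionally prefixed with its own `[packets:bytes]`, which the parser accepts as optional. The sample ruleset is constructed for this example (modelled on the quoted excerpt, with made-up counters and extra rules) so that it runs offline. The two helpers show what the counters and chain structure are good for when reviewing a generated ruleset: user-defined chains nothing jumps to are exactly the kind of leftover the thread describes, and rules whose counters are still 0:0 after a representative period have never matched a packet and deserve a second look before being kept.

```python
"""Parse iptables-save output and audit it for leftover chains and dead rules.
Added example (not from the thread or from shorewall); SAMPLE is constructed
and assumes the ruleset was dumped with `iptables-save -c`."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
# Generated by iptables-save v1.3.2 on Thu Sep 8 12:32:48 2005
*nat
:PREROUTING ACCEPT [34942:3100331]
:POSTROUTING ACCEPT [106864:7597940]
:OUTPUT ACCEPT [106858:7597722]
:net_dnat - [0:0]
:w1ad_masq - [0:0]
:loc_dnat - [0:0]
[1021:81680] -A PREROUTING -i w1ad -j net_dnat
[5530:442400] -A POSTROUTING -o w1ad -j w1ad_masq
[0:0] -A net_dnat -p udp -m multiport --dports 53,123 -j DNAT --to-destination 192.168.0.10
[20:1600] -A net_dnat -p tcp --dport 80 -j DNAT --to-destination 192.168.0.10
[0:0] -A loc_dnat -p tcp --dport 22 -j DNAT --to-destination 192.168.0.20
[5530:442400] -A w1ad_masq -j MASQUERADE
COMMIT
# Completed on Thu Sep 8 12:32:48 2005
"""

# ":CHAIN POLICY [packets:bytes]"; POLICY is "-" for user-defined chains
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
# "[packets:bytes] -A CHAIN rule-spec"; the leading counters appear only with -c
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\]\s+)?-A\s+(\S+)\s*(.*)$")
JUMP_RE = re.compile(r"(?:^|\s)(?:-j|--jump|-g|--goto)\s+(\S+)")


@dataclass
class Chain:
    name: str
    policy: Optional[str]      # None for user-defined chains
    packets: int               # policy counters (meaningful on built-in chains)
    bytes: int
    rules: List[str] = field(default_factory=list)
    counters: List[Optional[Tuple[int, int]]] = field(default_factory=list)


def parse_iptables_save(text: str) -> Dict[str, Dict[str, Chain]]:
    """Return {table: {chain_name: Chain}} for an iptables-save dump."""
    tables: Dict[str, Dict[str, Chain]] = {}
    table: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank lines and comments
        if line.startswith("*"):
            table = line[1:]                  # "*nat" opens a table block
            tables[table] = {}
            continue
        if line == "COMMIT":
            table = None                      # closes the current table block
            continue
        if table is None:
            raise ValueError(f"line outside a table block: {line!r}")
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pkts, byts = m.groups()
            tables[table][name] = Chain(
                name, None if policy == "-" else policy, int(pkts), int(byts))
            continue
        m = RULE_RE.match(line)
        if m:
            pkts, byts, chain, spec = m.groups()
            if chain not in tables[table]:
                raise ValueError(f"rule for undeclared chain {chain!r}: {line!r}")
            tables[table][chain].rules.append(spec)
            tables[table][chain].counters.append(
                (int(pkts), int(byts)) if pkts is not None else None)
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return tables


def unreferenced_chains(table: Dict[str, Chain]) -> List[str]:
    """User-defined chains that no rule in the table jumps to (generator leftovers)."""
    referenced = set()
    for chain in table.values():
        for spec in chain.rules:
            m = JUMP_RE.search(spec)
            if m:
                referenced.add(m.group(1))
    return sorted(name for name, c in table.items()
                  if c.policy is None and name not in referenced)


def zero_hit_rules(table: Dict[str, Chain]) -> List[Tuple[str, str]]:
    """Rules saved with -c whose counters are still 0:0 (never matched a packet)."""
    return [(c.name, spec) for c in table.values()
            for spec, cnt in zip(c.rules, c.counters) if cnt == (0, 0)]


if __name__ == "__main__":
    nat = parse_iptables_save(SAMPLE)["nat"]
    for c in nat.values():
        print(f"{c.name:12s} policy={c.policy or '-':7s} rules={len(c.rules)}")
    print("unreferenced chains:", unreferenced_chains(nat))
    print("zero-hit rules:", zero_hit_rules(nat))
```

Run against a real dump with `iptables-save -c | python3 this_script.py` after swapping `SAMPLE` for `sys.stdin.read()`; on the constructed sample it reports `loc_dnat` as unreferenced and the two 0:0 DNAT rules as never hit. A chain that nothing jumps to is inert, so it is a maintenance cost rather than a risk, but a rule meant to protect something that shows 0:0 over a busy period is the one to investigate.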