RE: [gentoo-user] Re: iptables example on Gentoo

["Dave Nebinger" <dnebinger@joat.com>]

> It's not a parade, it's what old-timers do, it's how I learn.

I started that way too (being an old-timer myself ;-)

However after consuming info available on the net and buying/reading an
iptables book, I quickly came to realize that it's quite easy to shoot
yourself in the foot with iptables.

Shorewall, and many of the other alternatives, end up handling the nuances
of iptables quite nicely and take most of the bullets out of your gun, thus
protecting your feet.

> > /etc/shorewall/interfaces:
> > # Assumes you're getting IP address from dhcp server
> > net eth0 detect dhcp,routefilter,norfc1918,tcpflags
> > # Assumes you're serving dhcp to internal systems
> > loc eth1 detect dhcp,tcpflags
> how about for a static
> loc eht1 detect tcpflags   <????????>

Yes, /etc/shorewall/interfaces file has excessive documentation that
explains what would go on the end.
 
> 
> Thanks for your help. I think I've got enough here to get
> it basically working. One I make the rulesets more complex,
> I'll use shorewall generated rules and configs to see what I
> have missed.

You may be in a little trouble if you're talking about mixing shorewall &
iptables...  They really don't play well together.

Shorewall (and many of the others) create custom chains to contain
individual rules of varying types.  The problem is that these custom chains
tend to get intertwined with each other and trying to identify a
shorewall-based iptable rule that you want to copy to a straight iptable
implementation can be difficult.

That plus if you start shorewall it basically clears all existing chains to
load it's own info, so all firewall rules must be kept in the shorewall
files.

So you really have to pick one or the other but not both.

Dave


-- 
gentoo-user@gentoo.org mailing list