* [gentoo-user] IPCHAINS or other alternative firewalls or packet-filters?
From: Walter Dnes @ 2009-08-18 22:11 UTC
To: Gentoo Users List
IPCHAINS did the firewall job for me. Early versions of IPTABLES were
OK too. But it eventually developed the Mozilla disease, and became a
honking big routing/gatewaying/QOSing/singing/dancing monstrosity, of
which I required only a small fraction of its "functionality". And I'm
really confused as to which parts in netfilter/xtables/iptables I need
to build into the kernel.
I need a firewall (or even just a packet-filter) that will operate
with current Gentoo kernels, nothing more. I see a build for IPCHAINS.
Does it work with 2.6.29 and higher kernels? Are there other
alternatives in alternate overlays? I'm not a programmer, but I can
expand a tarball and...
./configure --with-various-options && make && make install
...if necessary.
--
Walter Dnes <waltdnes@waltdnes.org>
* Re: [gentoo-user] IPCHAINS or other alternative firewalls or packet-filters?
From: Alan McKinnon @ 2009-08-18 22:26 UTC
To: gentoo-user
On Wednesday 19 August 2009 00:11:36 Walter Dnes wrote:
> IPCHAINS did the firewall job for me. Early versions of IPTABLES were
> OK too. But it eventually developed the Mozilla disease, and became a
> honking big routing/gatewaying/QOSing/singing/dancing monstrosity, of
> which I required only a small fraction of its "functionality". And I'm
> really confused as to which parts in netfilter/xtables/iptables I need
> to build into the kernel.
netfilter is the kernel sub-system that does packet filtering.
iptables is a user-space app that adds and deletes rules to netfilter.
I have no idea what xtables is.
> I need a firewall (or even just a packet-filter) that will operate
> with current Gentoo kernels, nothing more. I see a build for IPCHAINS.
> Does it work with 2.6.29 and higher kernels?
No. ipchains does not work with 2.6 at all, or even with 2.4. I suppose you
could coerce it, but it's easier to just learn iptables. iptables is also
conceptually simpler and much easier to understand.
menuconfig is really simply laid out with regard to netfilter. The initial
selection that opens up is all you need, so select the lot.
You will only need the mangle stuff if you plan on fiddling packets as they
pass through the kernel; you'll only need conntrack if you plan to build a
stateful firewall (a good idea, actually) and you might want NAT as well.
> Are there other
> alternatives in alternate overlays? I'm not a programmer, but I can
> expand a tarball and...
There are two ways to build a packet filter, one good, one bad:
in-kernel: this makes sense as it's where the packets are. netfilter does
this, you *could* replace it, but you will simply rip it out and replace it
with something similar.
user-space: now this is a stupid idea. Every packet moves out of kernel space
into userspace and back into kernel space. Yuck, all that context switching.
iptables really really is what you want. Google for "Rusty Russell's
Unreliable Guide to iptables", he's the head dev and that document contains
just about everything you need for basic firewall needs.
If you want a front-end, I like shorewall. There are hundreds of others and
they come with their own built in flamewar about which is best. Most are
simply front ends to iptables.
The best and most ultimate OSS packet filter in the whole wide world is
without a doubt ipfw. But that's FreeBSD - not likely much use to you :-)
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] IPCHAINS or other alternative firewalls or packet-filters?
From: Dan Farrell @ 2009-08-18 23:17 UTC
To: gentoo-user
On Tue, 18 Aug 2009 18:11:36 -0400
"Walter Dnes" <waltdnes@waltdnes.org> wrote:
> IPCHAINS did the firewall job for me. Early versions of IPTABLES
> were OK too. But it eventually developed the Mozilla disease, and
> became a honking big routing/gatewaying/QOSing/singing/dancing
> monstrosity, of which I required only a small fraction of its
> "functionality". And I'm really confused as to which parts in
> netfilter/xtables/iptables I need to build into the kernel.
Hey,
I too am a minimalist but I think you've got iptables misidentified.
It has lots of features; that's not the same as saying it's bloated.
More like the linux kernel (and in fact it _is_, as others have said,
the linux kernel) - it supports a lot of different functionality. If
you don't want a particular capability, disable it in the kernel.
If you want a quick firewall setup, use
http://spore.ath.cx/~dan/doc/home-firewall.html. It's what I use and my
step by step guide should save you a bit of effort.
* Re: [gentoo-user] IPCHAINS or other alternative firewalls or packet-filters?
From: Walter Dnes @ 2009-08-20 2:26 UTC
To: gentoo-user
On Tue, Aug 18, 2009 at 06:17:47PM -0500, Dan Farrell wrote:
> I too am a minimalist but I think you've got iptables misidentified.
> It has lots of features; that's not the same as saying it's bloated.
> More like the linux kernel (and in fact it _is_, as others have said,
> the linux kernel) - it supports a lot of different functionality. If
> you don't want a particular capability, disable it in the kernel.
Alan and Dan,
I can set rules OK. My problem is figuring out which capabilities to
build or not build in order to create a firewall. I.e. I need a
menuconfig guide not an iptables rules front end.
> If you want a quick firewall setup, use
> http://spore.ath.cx/~dan/doc/home-firewall.html. It's what I use and
> my step by step guide should save you a bit of effort.
OK I'll follow your section listing for most of the necessary
menuconfig items, but I'll drop the NAT support. Is there any reason
you build modules rather than directly into the kernel?
Last minute addendum; saying "No" to
[ ] Advanced netfilter configuration
greatly reduces the number of options showing up. I think this is what
I was looking for.
--
Walter Dnes <waltdnes@waltdnes.org>
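An added example, not code posted by anyone in this thread, that ties together Alan's point that a stateful filter needs conntrack and nothing from the NAT or mangle side, and Walter's request for a menuconfig guide rather than a rules front end. It is a POSIX sh script that (a) checks a kernel .config for the options such a filter needs and (b) prints the matching iptables-restore ruleset. The CONFIG_ symbol names and the sample .config fragment are my assumptions, not taken from the thread or from a real build; verify the names in menuconfig for the kernel version you build.

```sh
#!/bin/sh
# Added example, not code from the thread. A menuconfig checklist for a
# stateful, filter-only IPv4 firewall (conntrack yes, NAT and mangle no)
# and the matching iptables-restore ruleset. POSIX sh; needs no root,
# because it only inspects a .config file and prints rules.
#
# The CONFIG_ names below are my assumption for a 2.6.29-era kernel;
# confirm each one in `make menuconfig` (Networking support -> Networking
# options -> Network packet filtering framework) before relying on them.
NEEDED_OPTIONS="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 \
CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER \
CONFIG_IP_NF_TARGET_REJECT"

# check_kernel_config FILE
# Print every needed option that FILE (a kernel .config, or a decompressed
# /proc/config.gz) does not set to y or m. Returns 0 if nothing is missing.
check_kernel_config() {
    missing=0
    for opt in $NEEDED_OPTIONS; do
        if ! grep -q "^${opt}=[ym]\$" "$1"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    return $missing
}

# minimal_ruleset PORT...
# Emit an iptables-restore(8) ruleset for the filter table only. INPUT
# defaults to DROP; loopback, conntrack-tracked replies, ping and new TCP
# connections to the given ports get in; everything else is rejected.
# No nat or mangle table is touched, so those kernel options can stay off.
minimal_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    echo '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    echo 'COMMIT'
}

# sample_config
# A constructed .config fragment (not taken from any real kernel): advanced
# configuration off, conntrack as modules, the state match left unset so
# the checker has something to report, and no NAT at all.
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_ADVANCED is not set
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
EOF
}

# Demo on the constructed sample; on a real box point check_kernel_config
# at /usr/src/linux/.config instead.
cfg=$(mktemp)
sample_config > "$cfg"
echo "== checking $cfg =="
check_kernel_config "$cfg" || echo "(enable the above in menuconfig and rebuild)"
rm -f "$cfg"
echo "== ruleset for: minimal_ruleset 22 | iptables-restore =="
minimal_ruleset 22
```

Run check_kernel_config against /usr/src/linux/.config for the tree you are about to build, or against the output of `zcat /proc/config.gz` on a running kernel built with CONFIG_IKCONFIG_PROC. Load the rules as root with `minimal_ruleset 22 | iptables-restore`; since INPUT defaults to DROP, list your SSH port before you do that on a remote machine.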