From: "Walter Dnes"
Date: Wed, 19 Aug 2009 22:26:05 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPCHAINS or other alternative firewalls or packet-filters?
Message-ID: <20090820022605.GA9163@waltdnes.org>
References: <20090818221136.GA7098@waltdnes.org> <20090818181747.0a525806@napoleon.spore.ath.cx>
In-Reply-To: <20090818181747.0a525806@napoleon.spore.ath.cx>

On Tue, Aug 18, 2009 at 06:17:47PM -0500, Dan Farrell wrote

> I too am a minimalist but I think you've got iptables misidentified.
> It has lots of features; that's not the same as saying it's bloated.
> More like the linux kernel (and in fact it _is_, as others have said,
> the linux kernel) - it supports a lot of different functionality. If
> you don't want a particular capability, disable it in the kernel.

Alan and Dan, I can set rules OK. My problem is figuring out which capabilities to build or not build in order to create a firewall. I.e. I need a menuconfig guide, not an iptables rules front end.

> If you want a quick firewall setup, use
> http://spore.ath.cx/~dan/doc/home-firewall.html. It's what I use and
> my step by step guide should save you a bit of effort.

OK, I'll follow your section listing for most of the necessary menuconfig items, but I'll drop the NAT support. Is there any reason you build modules rather than directly into the kernel?

Last-minute addendum: saying "No" to [ ] Advanced netfilter configuration greatly reduces the number of options showing up. I think this is what I was looking for.

-- 
Walter Dnes
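Added example, not part of this thread or of Dan's guide: a small audit script that answers the "which options to build, and as module or built in" question by reading a kernel .config, reporting the state of the symbols a stateful IPv4 filter needs and flagging the NAT-only ones so they can be dropped. The symbol names are the Kconfig symbols of the 2.6-era kernels; it is an assumption that they match the kernel you actually configure, and the sample .config at the bottom is constructed.

```shell
#!/bin/sh
# Audit a kernel .config for a stateful IPv4 packet filter without NAT.
# Symbol names are the 2.6-era Kconfig symbols; they vary by kernel version
# (assumption: adjust the lists for the kernel you actually build).
REQUIRED="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4
CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT
CONFIG_NETFILTER_XT_MATCH_STATE"
# NAT-only symbols: reported so they can be switched off when NAT is not wanted.
NAT_ONLY="CONFIG_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE"

# kconfig_state FILE SYMBOL -> prints y (built in), m (module) or n (absent).
# "# SYMBOL is not set" lines never match the pattern, so they count as n.
kconfig_state() {
    state=$(grep -E "^$2=[ym]$" "$1" | sed 's/.*=//')
    printf '%s\n' "${state:-n}"
}

# check_firewall_config FILE: one line per symbol; returns 0 only when every
# REQUIRED symbol is y or m. Modules work, but must be loaded before the rules.
check_firewall_config() {
    missing=0
    for sym in $REQUIRED; do
        case $(kconfig_state "$1" "$sym") in
            y) printf 'ok      %-34s built in\n' "$sym" ;;
            m) printf 'ok      %-34s module, load before iptables-restore\n' "$sym" ;;
            *) printf 'MISSING %s\n' "$sym"; missing=1 ;;
        esac
    done
    for sym in $NAT_ONLY; do
        [ "$(kconfig_state "$1" "$sym")" = n ] ||
            printf 'note    %-34s NAT only, can be dropped\n' "$sym"
    done
    return $missing
}

# Constructed sample .config: complete except for the state match, with NAT on.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_ADVANCED is not set
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_NF_NAT=m
EOF
check_firewall_config "$SAMPLE" && echo "firewall config complete" || echo "firewall config incomplete"
rm -f "$SAMPLE"
```

On a running Gentoo box the same check can be pointed at /usr/src/linux/.config before building, or at the output of zcat /proc/config.gz when the kernel was built with IKCONFIG.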