public inbox for gentoo-user@lists.gentoo.org
From: Holly Bostick <motub@planet.nl>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] iptables
Date: Tue, 30 Aug 2005 11:43:26 +0200	[thread overview]
Message-ID: <43142A3E.4080809@planet.nl> (raw)
In-Reply-To: <001401c5ad0b$a4991af0$0501a8c0@croatus>

John Dangler schreef:
> Holly~ The Firestarter kernel requirements doc says -
> 
> * Device drivers
> * Networking support [y]
> * Networking support
> * Networking options
> * Network packet filtering [y]
> * Network packet filtering
>   IP: Netfilter Configuration (*)
> 
> "We recommend you enable _everything_ except ipchains support and
> ipfwadm support as modules under this menu"

I never read this as meaning that everything should be selected, but
rather that everything that you select under this menu, other than
ipchains support and ipfwadm, should be selected as a module rather than
static. But even then, they further explain that this is mostly to save
size and memory in the kernel, rather than some actual necessity.

And of course, the docs further say
> At the very least, the Connection tracking, IP tables, Connection
> state match support, Connection tracking match support, Packet
> filtering, Full NAT and the LOG target support


My config looks like this:

CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
# CONFIG_IP_NF_FTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_REALM is not set
# CONFIG_IP_NF_MATCH_SCTP is not set
# CONFIG_IP_NF_MATCH_COMMENT is not set
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y

As you see, I haven't even followed the instructions properly (all this
stuff is static), but, as the docs also say it will, Firestarter seems
to work fine (because all the 'required elements' are enabled).

Maybe I'll go back through make menuconfig and clean that all up, just
so I know what I'm doing in future. But afaik, I just left the kernel
defaults in place (as about all I know about these settings is that 1)
I'm not using ipv6, and 2) anything that is needed for a router I don't
need, because I'm not a router :) ).

It rather sounds like Hans-Werner is onto something; often, when you
change your kernel configuration, you have to rebuild any external
modules against the new base, which you don't seem to have done.
Otherwise the external module thinks that functions are available that
it has to modprobe (because the functionality has changed from static to
module), and vice versa (if the functionality has changed from module to
static).

If I reconfigure my kernel to modify a sound module, then no, I don't
have to re-emerge the ati-drivers (because the kernel change is
irrelevant to the external module), but the same wouldn't be true if I
changed /dev/agpgart from static to a module.

In this case, you certainly are changing kernel options relevant to the
external modules, so those would have to be re-emerged against the new
kernel configuration.

HTH,
Holly



-- 
gentoo-user@gentoo.org mailing list
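
The two checks a reader of this thread actually wants are: does a given
kernel .config have the netfilter options the quoted Firestarter doc calls
required, and which CONFIG_IP_NF_* options flipped between static (y),
module (m) and off between two configs (the static/module change that
Holly says forces external modules to be rebuilt). The script below is an
added example, not part of the original message or of Firestarter. It uses
the 2.6-era CONFIG_IP_NF_* symbol names shown in the posted config; the
"required" list is one reading of the quoted doc and is an assumption here,
as are the two constructed sample configs it writes to a temp directory.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a kernel .config for the
# netfilter options the quoted Firestarter doc lists as required, and
# reports CONFIG_IP_NF_* options whose y/m/n state differs between two
# configs. Symbol names are the 2.6-era ones from the posted config;
# which symbols count as "required" is an assumption for this example.

REQUIRED="CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_MATCH_STATE \
CONFIG_IP_NF_MATCH_CONNTRACK CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_LOG"

# config_state FILE SYMBOL -> prints y, m or n
# "# SYMBOL is not set" and a symbol that is absent altogether both give n.
config_state() {
    file=$1; sym=$2
    val=$(sed -n "s/^${sym}=\(.\).*/\1/p" "$file" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# check_required FILE -> one "SYMBOL state" line per required symbol;
# returns 1 if any of them is n (built neither static nor as a module).
check_required() {
    file=$1; rc=0
    for sym in $REQUIRED; do
        st=$(config_state "$file" "$sym")
        printf '%-32s %s\n' "$sym" "$st"
        [ "$st" = n ] && rc=1
    done
    return $rc
}

# changed_ym OLD NEW -> "SYMBOL oldstate newstate" for every CONFIG_IP_NF_*
# symbol mentioned in either file whose state differs. Any output means
# the netfilter ABI seen by out-of-tree modules changed and they need to
# be rebuilt against the new kernel.
changed_ym() {
    old=$1; new=$2
    cat "$old" "$new" \
      | sed -n 's/^\(# \)\{0,1\}\(CONFIG_IP_NF_[A-Z0-9_]*\).*/\2/p' \
      | sort -u \
      | while read -r sym; do
            a=$(config_state "$old" "$sym"); b=$(config_state "$new" "$sym")
            [ "$a" = "$b" ] || printf '%s %s %s\n' "$sym" "$a" "$b"
        done
}

# Constructed sample configs (not real kernel output): "old" has everything
# static; "new" turns most of it into modules and drops conntrack match.
TMP=${TMPDIR:-/tmp}/nfcheck.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/old.config" <<'EOF'
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_RAW=m
EOF
cat > "$TMP/new.config" <<'EOF'
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_STATE=m
# CONFIG_IP_NF_MATCH_CONNTRACK is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_RAW=m
EOF

echo "== required options in new.config =="
check_required "$TMP/new.config" || echo "missing required netfilter options"
echo "== options that changed state (rebuild external modules if non-empty) =="
changed_ym "$TMP/old.config" "$TMP/new.config"
```

On a real box, point the functions at /usr/src/linux/.config, or at the
running kernel's config via `zcat /proc/config.gz > /tmp/running.config`
when CONFIG_IKCONFIG_PROC is enabled. A state of m for a required option is
fine only if the module actually gets loaded; n means Firestarter's rules
will fail to load regardless of what the doc recommends about static versus
module.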



Thread overview:
2005-08-29 23:44 [gentoo-user] iptables John Dangler
2005-08-30  1:31 ` Holly Bostick
2005-08-30  2:36   ` John Dangler
2005-08-30  3:36     ` John Dangler
2005-08-30  4:54       ` John Dangler
2005-08-30  8:48         ` Hans-Werner Hilse
2005-08-30  9:43     ` Holly Bostick [this message]
2005-08-30  9:55       ` Neil Bothwick
2005-08-30 10:13         ` John Dangler
2005-08-30  1:42 ` W.Kenworthy