Date: Tue, 06 Sep 2005 19:53:08 +0200
From: Holly Bostick
Subject: Re: [gentoo-user] iptables example on Gentoo
In-reply-to: <00ce01c5b309$febb1c00$4501010a@jnetlab.lcl>
To: gentoo-user@lists.gentoo.org
Message-id: <431DD784.7020702@planet.nl>
References: <00ce01c5b309$febb1c00$4501010a@jnetlab.lcl>

Dave Nebinger wrote:
>> I've been trying to build a simple firewall with a DMZ for a web
>> server.
>
> Dude, trying to use iptables directly was your first mistake.
>
> Take a spin out and look at shorewall (I'm sure others have different
> recommendations).
>
> Shorewall will get you up and running in no time and will easily
> handle the configuration stuff from your original post.
>
> Trying to manage such a complex config using iptables directly is
> doomed to failure; any mistake in ordering of rules, etc., will break
> your connectivity. Sticking with a tool like shorewall will
> simplify rules maintenance and pose less of a problem when performing
> updates later on.
>

If you're trying to learn, James, there is something to be said for
Dave's position; it's not as if the config files are going to disappear
just because you used shorewall to write them with correct settings. It
might be easier to understand how iptables works if you configure it
through a system that will do it properly, *then* look at the configured
rules and work out why they work (as opposed to what your self-made rules
do), rather than wait to have a working configuration until you've
understood iptables (which is apparently not really easy for most
everybody).

Holly
--
gentoo-user@gentoo.org mailing list
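An added illustration of the rule-ordering point raised in the thread above (this is not code from the thread, from Gentoo, or from Shorewall): a tiny first-match evaluator for an iptables-style FORWARD chain protecting a DMZ web server. Interface names (eth0 internet, eth1 DMZ, eth2 LAN) and the reduced set of match fields are assumptions made for the example.

```python
"""First-match walk of an iptables-style FORWARD chain (constructed example).

Netfilter stops at the first matching rule in a chain, so a generic DROP
placed before a specific ACCEPT silently shadows it and breaks connectivity.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str
    dport: int
    state: str  # "NEW" or "ESTABLISHED", as conntrack would classify it


@dataclass(frozen=True)
class Rule:
    target: str                    # "ACCEPT" or "DROP"
    in_if: Optional[str] = None    # None means "match any" for that field
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.in_if, p.in_if), (self.out_if, p.out_if),
                 (self.proto, p.proto), (self.dport, p.dport),
                 (self.state, p.state))
        return all(want is None or want == got for want, got in pairs)


def walk_chain(rules: List[Rule], packet: Packet, policy: str = "DROP") -> str:
    """Return the target of the first matching rule, else the chain policy."""
    for rule in rules:
        if rule.matches(packet):
            return rule.target
    return policy


# Assumed interfaces: eth0 = internet, eth1 = DMZ, eth2 = LAN.
ALLOW_REPLY = Rule("ACCEPT", state="ESTABLISHED")
ALLOW_WEB = Rule("ACCEPT", in_if="eth0", out_if="eth1", proto="tcp", dport=80, state="NEW")
DENY_NET_IN = Rule("DROP", in_if="eth0")  # catch-all for anything else from the internet

GOOD_ORDER = [ALLOW_REPLY, ALLOW_WEB, DENY_NET_IN]  # specific rule before the catch-all
BAD_ORDER = [ALLOW_REPLY, DENY_NET_IN, ALLOW_WEB]   # catch-all shadows the web rule

WEB_SYN = Packet("eth0", "eth1", "tcp", 80, "NEW")  # constructed: inbound web request
SSH_SYN = Packet("eth0", "eth1", "tcp", 22, "NEW")  # constructed: inbound SSH attempt

if __name__ == "__main__":
    for name, chain in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(name, "web:", walk_chain(chain, WEB_SYN), "ssh:", walk_chain(chain, SSH_SYN))
```

Comparing the two chains is the same exercise Holly suggests: dump a working ruleset (for example with `iptables-save`) and trace why each packet lands where it does.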