public inbox for gentoo-user@lists.gentoo.org
From: gentuxx <gentuxx@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user]  Re: iptables example on Gentoo
Date: Wed, 07 Sep 2005 12:56:38 -0700
Message-ID: <431F45F6.5030802@gmail.com>
In-Reply-To: <loom.20050907T211148-420@post.gmane.org>

James wrote:

>gentuxx <gentuxx <at> gmail.com> writes:
>
>
>
>>I think, perhaps, you misunderstood what I was saying. My
>>understanding of shorewall was that it was a script (or series of
>>scripts) that look for the previously specified config files and do
>>"cool stuff" with the information contained in them. I was simply
>>stating that in order to put value to the information in the config
>>files, that you would have to know what the scripts do. I was not, in
>>any way, suggesting that you use Shorewall. I can completely
>>understand and sympathize with your need to dissect iptables, and the
>>security it provides. However, I tend to take a top-down approach, as
>>opposed to the bottom-up approach you seem to prefer.
>
>
>OK this is great! However, I'm a C/assembler hack, with embedded
>tendencies. Scripts are OK, as most are self explanatory.
>As a hardware guy, I often start with a microP, and write/add
>firmware to a custom bootloader. From there, often, a simple
>state_machine with selected code creates wonderful things;
>so I'm definitely a bottoms up kind of guy. YMMV.
>
>
>>Going back to your original questions, I'm not really sure I can help
>>with Q1. However, in regards to Q2, there aren't any config files for
>>iptables. The tables are stored in memory. You can do an
>>"iptables-save", which will output a modified version of the rules
>>currently in place, which can subsequently be modified (assuming you
>>understand and duplicate the syntax) and restored (with any changes)
>>using "iptables-restore". Otherwise, all of your editing should be
>>done at the command line. I would recommend using a script (of your
>>own design, if so desired) to ease repeatability, and reduce the
>>possibility for mistakes (fat-fingering). Also, a script of this
>>nature would be handy for starting the iptables upon boot (I believe
>>the HOW-TO you referenced covers this).
>
>
>Is this the one?
>http://www.linuxguruz.com/iptables/scripts/rc.DMZ.firewall.txt

No, this one.

http://www.gentoo.org/doc/en/home-router-howto.xml


>I've referenced many URLs. This one was written for 2.4
>based kernels and I'm not sure it's useful for 2.6. That was one
>of my questions.... Can you look at it and suggest where it is
>defective? That way, I can use it as a baseline to learn and develop
>a more robust (in_memory) ruleset that spawns from a shell script
>or elsewhere. Or maybe share a 2.6 based script?
>
>OK all of this is fantastic! All of the googling and reading
>I've done has not revealed this. Most of what I find is circa 2.4
>and I'm not adept enough to discern what's relevant for 2.4 and 2.6
>kernels, yet.
>
>Thank you very, very much,
>James

As far as functionality and rule set development, I don't think there
is that much of a difference between 2.4 and 2.6.  I'm sure there are
tons of cool things that go on under the hood that I don't really know
about, but the implementation is basically the same.  2.6 kernels may
offer newer targets, different kernel hooks, etc., etc., but like I
said, that's a little beyond my current scope.  Why not compile a 2.4
kernel (with netfilter), build a ruleset, then load up your 2.6 kernel
and see what breaks (if anything)?

--
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40  9795 2D81 924A
6996 0993

-- 
gentoo-user@gentoo.org mailing list
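As an added example that is not part of this thread or the Gentoo HOWTO: the "script of your own design" suggested above can generate the ruleset as text in the format iptables-save emits and iptables-restore reads, so the rules can be reviewed and diffed before being loaded atomically at boot. Interface names (eth0/eth1) and the LAN network are assumptions; check_ruleset is a hypothetical helper that only validates the table/COMMIT structure, not rule semantics.

```shell
#!/bin/sh
# Added example (not from the thread): build a home-router ruleset as text in
# iptables-restore(8) format, review it, then load it with "iptables-restore < file"
# instead of typing rules one by one at the prompt.
# Assumptions (hypothetical): WAN is eth0, LAN is eth1, LAN network 192.168.1.0/24.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Emit the ruleset on stdout. Default policies are DROP; only listed traffic passes.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections the router itself started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH to the router only from the LAN side
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# LAN hosts may reach the Internet; the Internet may only answer them
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Structural check before loading: every *table block must be closed by COMMIT,
# and no rule may appear outside a table. Returns 0 when well-formed, 1 otherwise.
check_ruleset() {
    awk '
        /^#/ || /^$/ { next }
        /^\*/        { if (open) bad = 1; open = 1; next }
        /^COMMIT$/   { if (!open) bad = 1; open = 0; next }
        !open        { bad = 1 }
        END          { exit (bad || open) ? 1 : 0 }
    ' "$1"
}

# Typical use (needs root): gen_ruleset > /etc/iptables.rules &&
#   check_ruleset /etc/iptables.rules && iptables-restore < /etc/iptables.rules
```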
