From: gentuxx
Date: Wed, 07 Sep 2005 12:56:38 -0700
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: iptables example on Gentoo
Message-ID: <431F45F6.5030802@gmail.com>
References: <431E2E2A.3070806@gmail.com> <002c01c5b3ad$314fe1c0$4501010a@jnetlab.lcl> <431F343B.1060301@gmail.com>
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050803)
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James wrote:
> gentuxx gmail.com> writes:
>
>> I think, perhaps, you misunderstood what I was saying. My understanding
>> of shorewall was that it was a script (or series of scripts) that look
>> for the previously specified config files and do "cool stuff" with the
>> information contained in them. I was simply stating that in order to put
>> value to the information in the config files, you would have to know what
>> the scripts do. I was not, in any way, suggesting that you use Shorewall.
>> I can completely understand and sympathize with your need to dissect
>> iptables, and the security it provides. However, I tend to take a
>> top-down approach, as opposed to the bottom-up approach you seem to
>> prefer.
>
> OK this is great! However, I'm a C/assembler hack, with embedded
> tendencies. Scripts are OK, as most are self-explanatory. As a hardware
> guy, I often start with a microP, and write/add firmware to a custom
> bootloader.
> From there, often, a simple state_machine with selected code creates
> wonderful things; so I'm definitely a bottom-up kind of guy. YMMV.
>
>> Going back to your original questions, I'm not really sure I can help
>> with Q1. However, in regards to Q2, there aren't any config files for
>> iptables. The tables are stored in memory. You can do an
>> "iptables-save", which will output a modified version of the rules
>> currently in place, which can subsequently be modified (assuming you
>> understand and duplicate the syntax) and restored (with any changes)
>> using "iptables-restore". Otherwise, all of your editing should be done
>> at the command line. I would recommend using a script (of your own
>> design, if so desired) to ease repeatability, and reduce the possibility
>> for mistakes (fat-fingering). Also, a script of this nature would be
>> handy for starting the iptables upon boot (I believe the HOW-TO you
>> referenced covers this).
>
> Is this the one?
> http://www.linuxguruz.com/iptables/scripts/rc.DMZ.firewall.txt

No, this one.
http://www.gentoo.org/doc/en/home-router-howto.xml

> I've referenced many URLs. This one was written for 2.4-based kernels and
> I'm not sure it's useful for 2.6. That was one of my questions.... Can
> you look at it and suggest where it is defective? That way, I can use it
> as a baseline to learn and develop a more robust (in_memory) ruleset that
> spawns from a shell script or elsewhere. Or maybe share a 2.6-based
> script?
>
> OK all of this is fantastic! All of the googling and reading I've done
> has not revealed this. Most of what I find is circa 2.4 and I'm not adept
> enough to discern what's relevant for 2.4 and 2.6 kernels, yet.
>
> Thank you very, very much,
> James

As far as functionality and rule set development, I don't think there is
that much of a difference between 2.4 and 2.6. I'm sure there are tons of
cool things that go on under the hood that I don't really know about, but
the implementation is basically the same.
2.6 kernels may offer newer targets, different kernel hooks, etc., etc.,
but like I said, that's a little beyond my current scope. Why not compile
a 2.4 kernel (with netfilter), build a ruleset, then load up your 2.6
kernel and see what breaks (if anything)?

- --
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40 9795 2D81 924A 6996 0993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDH0X1LYGSSmmWCZMRAlBDAJ9xan8nam9i93nWTKL8CkcFJsb1YgCdE2V4
Pw+Zo2IuXCqMabsrEEryjFQ=
=qppu
-----END PGP SIGNATURE-----

--
gentoo-user@gentoo.org mailing list
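The save/edit/restore workflow gentuxx describes above, as an added example that is not part of the thread, of the Gentoo how-to, or of any shorewall script: a POSIX shell script that writes a small stateful ruleset in the text format iptables-save emits and iptables-restore consumes, checks the file without touching the kernel, and only then loads it in one commit. The interface names (eth0 as WAN, eth1 as LAN), the SSH port, the sample rules themselves and the availability of iptables-restore's --test option are assumptions made for the illustration, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the gentoo-user thread: generate, check and load
# an iptables ruleset via iptables-save/iptables-restore format.
# Interface names and ports are assumptions; adjust for your box.

LAN_IF="${LAN_IF:-eth1}"   # assumed inside interface
WAN_IF="${WAN_IF:-eth0}"   # assumed outside interface
SSH_PORT="${SSH_PORT:-22}" # assumed admin port

# Emit the ruleset in the format iptables-save produces: one *table per
# block, ":CHAIN POLICY [pkts:bytes]" lines, "-A" rules, then COMMIT.
# Default policy is DROP on INPUT/FORWARD; only listed traffic gets in.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i ${LAN_IF} -p tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
EOF
}

# Structural check that needs no root and no iptables binary: every table
# block must end with COMMIT, and every -A rule must name a chain declared
# with a ":CHAIN" line in the same table. Catches most fat-finger edits.
check_ruleset() {
    awk '
        /^\*/      { table = substr($0, 2); in_table = 1
                     for (k in chains) delete chains[k]; next }
        /^:/       { c = substr($1, 2); chains[c] = 1; next }
        /^-A /     { if (!($2 in chains)) {
                         print "undeclared chain " $2 " in table " table > "/dev/stderr"
                         bad = 1 }
                     next }
        /^COMMIT$/ { in_table = 0; next }
        END        { if (in_table) {
                         print "missing COMMIT for table " table > "/dev/stderr"
                         bad = 1 }
                     exit bad + 0 }
    ' "$1"
}

# Load the file. iptables-restore replaces each table in a single commit,
# so there is no window where the chains are flushed but the rules are only
# half re-added, which a flush-then-add shell script always has.
apply_ruleset() {
    check_ruleset "$1" || return 1
    # --test parses and builds the ruleset without committing it (assumed
    # present on this iptables version; drop the flag if yours lacks it).
    iptables-restore --test < "$1" || return 1
    iptables-restore < "$1"
}

# Usage: sh firewall.sh        -> write and check the ruleset only
#        sh firewall.sh apply  -> also load it (run as root)
tmp="${TMPDIR:-/tmp}/firewall.rules.$$"
build_ruleset > "$tmp"
if [ "${1:-}" = "apply" ]; then
    apply_ruleset "$tmp"
else
    check_ruleset "$tmp" && echo "ruleset ok, written to $tmp"
fi
```

Running it without arguments leaves the generated file in place so it can be read, diffed against `iptables-save` output on the running box, and hand-edited; the same check_ruleset function then validates the edited copy before it is loaded. When testing a new ruleset on a remote machine, do it from the console or arrange a delayed revert first, since a DROP policy with a wrong -i or --dport will cut off the SSH session that loaded it.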