On Wed, Jan 09, 2002 at 04:00:31AM +0200, Tzafrir Cohen wrote:
> On Wed, 9 Jan 2002, Florian Friesdorf wrote:
>
> > On Tue, Jan 08, 2002 at 02:36:40PM -0500, Jason Stechschulte wrote:
> > > My question:
> > > Is ipmasq really worth using? It almost seems more difficult keeping
> > > track of multiple .rul files, plus ipmasq has many .def files that seem
> > > to set up rules also. From the looks of it, it seems like it may be
> > > easier to just set it all up manually myself and have full control over
> > > everything rather than having to learn to do things the ipmasq way.
> >
> > That's exactly my experience with ipmasq.
> > My personal favourite is now ferm (apt-cache show ferm)
> > It's a language of its own, relatively powerful, which translates either
> > to iptables, ipchains or ipfwadm (not fully supported iirc) commands
> > which are executed.
>
> Does it produce a good iptables ruleset?
> For instance: does it use basic iptables-only features such as stateful
> filtering?
It's up to you what ruleset it produces and whether you'd like to use
stateful filtering.
chain INPUT saddr (a.b.c.d w.x.y.z) proto tcp dport (ssh http) ACCEPT;
is translated to four rules
iptables -t filter -A INPUT -p tcp -s a.b.c.d --dport ssh -j ACCEPT
iptables -t filter -A INPUT -p tcp -s a.b.c.d --dport http -j ACCEPT
iptables -t filter -A INPUT -p tcp -s w.x.y.z --dport ssh -j ACCEPT
iptables -t filter -A INPUT -p tcp -s w.x.y.z --dport http -j ACCEPT
Have a look at its manpage.
I'm working on modularizing it at the moment.
I've attached my ferm script used for dsl gateway
activate.ferm to initialize it.
deactivate.ferm to reset.
florian
--
Florian Friesdorf <[EMAIL PROTECTED]>
OpenPGP key available on public key servers
------> Save the future of Open Source <------
-> Online-Petition against Software Patents <-
------> http://petition.eurolinux.org <-------
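The expansion Florian describes above (one ferm rule with parenthesised lists becoming the cross-product of iptables rules) can be worked through in a few lines. This is an added illustration, not ferm's own code; the keyword-to-option table, the option ordering, and the restriction to a single chain name are assumptions taken from the quoted output.

```python
import itertools
import re

# Assumed mapping from ferm keywords to iptables options (only the keywords
# a rule like the quoted one uses, plus their obvious counterparts).
FERM_TO_IPTABLES = {
    "saddr": "-s", "daddr": "-d", "proto": "-p",
    "sport": "--sport", "dport": "--dport",
}
# Assumed emission order: the quoted output prints -p before -s before --dport.
OPTION_ORDER = ["-p", "-s", "-d", "--sport", "--dport"]

# A parenthesised group "(a b)" or a single bare word.
TOKEN_RE = re.compile(r"\(([^)]*)\)|(\S+)")


def tokenize(rule):
    """Split a one-line ferm rule into tokens; a group becomes a list of values."""
    tokens = []
    for group, word in TOKEN_RE.findall(rule.strip().rstrip(";")):
        tokens.append(group.split() if group else word)
    return tokens


def expand_ferm_rule(rule, table="filter"):
    """Expand 'chain NAME [keyword value]... TARGET;' into iptables commands."""
    tokens = tokenize(rule)
    if len(tokens) < 3 or tokens[0] != "chain" or not isinstance(tokens[1], str):
        raise ValueError("expected: chain <NAME> [<keyword> <value>]... <TARGET>;")
    chain, target, body = tokens[1], tokens[-1], tokens[2:-1]
    if len(body) % 2:
        raise ValueError("ferm keyword without a value")
    # Every keyword is one axis of the product; a bare value is an axis of length 1.
    axes = []
    for keyword, value in zip(body[::2], body[1::2]):
        option = FERM_TO_IPTABLES[keyword]
        values = value if isinstance(value, list) else [value]
        axes.append([(option, v) for v in values])
    commands = []
    for combo in itertools.product(*axes):  # last axis varies fastest, as in the post
        args = sorted(combo, key=lambda pair: OPTION_ORDER.index(pair[0]))
        opts = " ".join(f"{opt} {val}" for opt, val in args)
        commands.append(f"iptables -t {table} -A {chain} {opts} -j {target}")
    return commands


if __name__ == "__main__":
    for cmd in expand_ferm_rule("chain INPUT saddr (a.b.c.d w.x.y.z) proto tcp dport (ssh http) ACCEPT;"):
        print(cmd)
```

Running it on the rule from the post prints the same four iptables commands Florian lists; a rule with no lists expands to exactly one command.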