"Stephen A. Zarkos" wrote:
> 
> For those of you playing with the new 2.4 Linux Kernels you'll notice that
> the main firewall software for Linux will be changing quite a bit.

Hey, I've heard that somewhere. ;)

> Here's a rulelist I wrote to test some things, it's a basic dual homed
> configuration: http://www.sentry.net/~obsid/IPTables/

Great info! A couple of additions to what is listed:
http://netfilter.kernelnotes.org/unreliable-guides/packet-filtering-HOWTO-10.html

This is the section of the FAQ that describes the differences between
ipchains & iptables. Great primer for people familiar with ipchains. The
biggest thing missing from the list is that ipchains is a static filter
while iptables is stateful. ;)

Another thing to note is the drastic change in logging. In ipchains you
used a "-l" in your syntax to log traffic matched by the rule. With
iptables you need to create a separate "-j LOG" rule. In other words, if
you have 10 rules and wish to log matches against 4 of them, you're going
to end up with 14 rules. Kind of a pain (IMHO) but it works.

> I threw quite a bit of details(some redundant) into the script mainly for
> testing.  I'd be interested in hearing any comments. 

I really like:
http://www.sentry.net/~obsid/IPTables/iptables.problems

#2 is going to be a big problem for most environments. Not handling
ident correctly can mess with not only Telnet & FTP, but mail as well. I
remember there was a *big* discussion on the mailing list trying to
decide if it's acceptable to issue RST's for another host. To the best
of my knowledge, this ability is still not there (it's not just the RST,
you have to respond from the system's IP as well).

Problem I've had:
My mail server tries to deliver mail
Remote mail server attempts an ident
iptables drops inbound ident request
mail connection hangs, sometimes failing

The work around I use is to shut off ident on the mail server and then
tell iptables to let the ident request through. This way the mail server
issues the ident RST to the remote mail system and the connection does
not hang.

> - New NAT stuff, SNAT(masquerading), DNAT, etc.  Different than IPChains,
> but it makes more sense once you get used to it.

Agreed! 

HTH,
Chris
-- 
**************************************
[EMAIL PROTECTED]

* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
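The three points raised in the reply above (iptables is stateful, logging needs its own "-j LOG" rule in front of the rule it shadows, and letting inbound ident through so the host answers with an RST instead of the remote mailer hanging) pulled together in a small rule generator. This is an added example, not Stephen's script from sentry.net and not Chris's own ruleset; the interface name, the ports chosen for the logged drops, and the log prefix are constructed for illustration. It runs in dry-run mode by default (printing the iptables commands); set IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example: minimal iptables ruleset showing
#   1. stateful filtering with "-m state" (ipchains had no equivalent),
#   2. logging via a separate "-j LOG" rule placed before the DROP rule,
#   3. ACCEPTing inbound ident (tcp/113) so that, with identd switched off,
#      the TCP stack replies RST and the remote mail server does not hang.
# Dry-run by default: IPT defaults to "echo iptables".  Set IPT=iptables
# (as root) to actually load the rules.
set -eu

IPT="${IPT:-echo iptables}"

# Constructed for the example: the external interface name.
EXT_IF="${EXT_IF:-eth0}"

# Emit a LOG rule followed by a DROP rule with the identical match.
# iptables has no "-l" flag, so every logged drop costs two rules; the
# limit match keeps a flood from filling the log.
log_and_drop() {
    chain=$1
    shift
    $IPT -A "$chain" "$@" -m limit --limit 5/min -j LOG --log-prefix "fw-$chain-drop: "
    $IPT -A "$chain" "$@" -j DROP
}

build_ruleset() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback is always fine.
    $IPT -A INPUT -i lo -j ACCEPT

    # Stateful: accept packets belonging to connections this host opened,
    # plus related traffic (e.g. ICMP errors, FTP data).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound SMTP to the mail server.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # ident: let the request in.  With no identd listening, the kernel
    # answers RST from this host's own address and the remote mailer
    # moves on instead of waiting for a dropped packet to time out.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 113 -m state --state NEW -j ACCEPT

    # Four logged drops: each one becomes two rules (8 in total).
    log_and_drop INPUT -i "$EXT_IF" -p tcp --dport 23
    log_and_drop INPUT -i "$EXT_IF" -p tcp --dport 21
    log_and_drop INPUT -i "$EXT_IF" -p udp --dport 137:139
    log_and_drop INPUT -i "$EXT_IF" -p tcp --dport 139
}

# Dry-run helper: how many LOG rules the ruleset generates.
count_log_rules() {
    build_ruleset | grep -c -- '-j LOG'
}

build_ruleset
```

In dry-run mode the generator prints 12 "-A" rules for what are really 8 distinct filtering decisions; the extra four are the LOG rules, which is the rule-count doubling Chris describes for logged matches.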