On Thu, 2005-03-03 at 12:33 +0100, Etaoin Shrdlu wrote:
> I don't know your needs and so I'm probably missing something here,
> but why
> can't you save your rules and then use the
> standard /etc/init.d/iptables
> {start|stop} scripts mechanism?

Because there are a lot more features with the APF script - like Anti DOS, realtime blackholing of networks, sysctl tuning etc. http://www.rfxnetworks.com/apf.php

Here's a run down;

- simple & well commented configuration files
- layered firewall with independent ingress and egress filtering system
- uid based egress filtering via simple configuration variables
- global tcp/udp ports & icmp types configuration
- configurable policies for each ip on the system with convenience vars
- prerouting rules for optimal network response; TOS (type of service)
- icmp based rate limiting to prevent common icmp 'dos' abuses
- antidos subsystem to stop attacks before they become a significant threat
- dshield.org block list support to ban networks exhibiting suspicious activity
- advanced set of sysctl parameters for tcp/ip stack hardening
- advanced set of filter rules to remove undesired traffic
- advanced use of kernel features such as abort_on_overflow & tcp syncookies
- easy to use firewall management script
- trust based rule files (allow/deny); with advanced syntax support
- 3rd party addon projects that complement APF features (antidos)

I've used this on all the HedRat servers I've used and I love it.

-- 
Joel Merrick
