-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James wrote:

>Dave Nebinger <dnebinger <at> joat.com> writes:
>
>
>>>I think it might be important to point out here how Shorewall
>>>handles/uses these files. I don't use Shorewall, so I can't really
>>>shed light on it. But these config files are really only one side of
>>>the mirror.
>
>
>Sorry, I HAVE ZERO INTEREST IN A GUI, UNLESS THE RESULTING RULESETS
>ARE SIMILAR TO THOSE BUILT MANUALLY with a one-to-one correspondence
>to iptables/netfilter.


I think, perhaps, you misunderstood what I was saying.  My
understanding of shorewall was that it was a script (or series of
scripts) that look for the previously specified config files and do
"cool stuff" with the information contained in them.  I was simply
stating that in order to put value to the information in the config
files, that you would have to know what the scripts do.  I was not, in
any way, suggesting that you use Shorewall.  I can completely
understand and sympathize with your need to dissect iptables, and the
security it provides.  However, I tend to take a top-down approach, as
opposed to the bottom-up approach you seem to prefer.

>
>>Actually these files are typically the only ones you'll need to edit...
>
>
>
>I have a very robust OpenBSD based firewall.
>
>I'm not looking for advice on building firewalls as a newbie.
>I'm looking for somebody that knows IPTABLES/NETFILTER, preferably
>on Gentoo, and is willing to share a little information. I'm in the
>process of building a gentoo based firewall to compare the robustness
>against OpenBSD + pf.

< ... snipping "BSD is better" rant ... >

>
>sincerely, from a dreamer and a loser, and a simpleton,
>
>(but, I'm not afraid of any stinking rule_set, are you?)
>
>James
>
Going back to your original questions, I'm not really sure I can help
with Q1.  However, in regards to Q2, there aren't any config files for
iptables.  The tables are stored in memory.  You can do an
"iptables-save", which will output a modified version of the rules
currently in place, which can subsequently be modified (assuming you
understand and duplicate the syntax) and restored (with any changes)
using "iptables-restore".  Otherwise, all of your editing should be
done at the command line.  I would recommend using a script (of your
own design, if so desired) to ease repeatability, and reduce the
possibility for mistakes (fat-fingering).  Also, a script of this
nature would be handy for starting the iptables upon boot (I believe
the HOW-TO you referenced covers this).

HTH.

- --
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40  9795 2D81 924A
6996 0993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDHzQ7LYGSSmmWCZMRAgx1AKCT+7L3dXEppBtzjsZ8K/PLKYB4BQCff/AJ
IWqjSAL5vD46NiY0sfquCe4=
=hejB
-----END PGP SIGNATURE-----

-- 
gentoo-user@gentoo.org mailing list
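The reply above describes the iptables workflow: rules live in kernel memory, `iptables-save` dumps them, you edit the dump, and `iptables-restore` loads it back, ideally from a script so the same ruleset comes up at every boot. The hand-editing step is where mistakes creep in, and a dump with a dropped COMMIT line or a typo in a chain name either applies nothing or fails half-way. The following is an added example, not code from gentux, James or any project in the thread: a small linter that parses iptables-save format and flags the common editing errors before the file is handed to iptables-restore. The dump it parses is a constructed sample, and the checks (default DROP policy on INPUT and FORWARD, every table committed, every jump target defined) are assumptions about what a sensible host firewall should look like.

```python
"""Sanity-check an iptables-save dump before handing it to iptables-restore.

Added example, not part of the original mailing-list post. SAMPLE_DUMP is a
constructed ruleset, not captured from a real host.
"""
import re

SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample, not a real host)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SSH_IN
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A SSH_IN -s 192.0.2.0/24 -j ACCEPT
-A SSH_IN -j LOG --log-prefix "ssh-drop: "
-A SSH_IN -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed
"""

# Targets that are not user-defined chains (assumed common set, not exhaustive).
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN", "MASQUERADE",
                   "SNAT", "DNAT", "REDIRECT", "MARK"}


def parse_dump(text):
    """Parse iptables-save output into
    {table: {"policies": {chain: policy}, "rules": [rule, ...], "committed": bool}}.
    User-defined chains carry the policy "-" in the dump."""
    tables = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines are ignored by restore
        if line.startswith("*"):
            current = line[1:]            # "*filter" opens a table section
            tables[current] = {"policies": {}, "rules": [], "committed": False}
        elif current is None:
            raise ValueError(f"line {lineno}: content before any *table line")
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # ":INPUT DROP [pkts:bytes]"
            tables[current]["policies"][chain] = policy
        elif line == "COMMIT":
            tables[current]["committed"] = True
        elif line.startswith("-A "):
            tables[current]["rules"].append(line)
        else:
            raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    return tables


def lint(tables):
    """Return a list of human-readable findings; an empty list means no problems found."""
    findings = []
    for name, t in tables.items():
        if not t["committed"]:
            findings.append(f"{name}: missing COMMIT (restore would apply nothing)")
        for rule in t["rules"]:
            chain = rule.split()[1]       # the chain after "-A"
            if chain not in t["policies"]:
                findings.append(f"{name}: rule appends to undeclared chain {chain}")
            m = re.search(r"-j (\S+)", rule)
            target = m.group(1) if m else None
            if target and target not in BUILTIN_TARGETS and target not in t["policies"]:
                findings.append(f"{name}: rule jumps to undefined chain {target}")
    filt = tables.get("filter")
    if filt is None:
        findings.append("no *filter table: host has no packet filter at all")
    else:
        for chain in ("INPUT", "FORWARD"):
            if filt["policies"].get(chain) != "DROP":
                findings.append(f"filter: {chain} policy is not DROP")
    return findings


if __name__ == "__main__":
    problems = lint(parse_dump(SAMPLE_DUMP))
    print("\n".join(problems) if problems else "ruleset looks sane; safe to iptables-restore")
```

In a boot script the natural use is `lint(parse_dump(open("/etc/iptables.rules").read()))` and refusing to call `iptables-restore` when the list is non-empty, so a half-edited file never leaves the box with an open INPUT chain. The parser deliberately rejects lines it does not recognise rather than skipping them, because iptables-restore will do the same and it is better to learn that before the old rules have been flushed.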
