James wrote:

> gentuxx <gentuxx <at> gmail.com> writes:
>
>> I think, perhaps, you misunderstood what I was saying. My
>> understanding of shorewall was that it was a script (or series of
>> scripts) that look for the previously specified config files and do
>> "cool stuff" with the information contained in them. I was simply
>> stating that in order to put value to the information in the config
>> files, you would have to know what the scripts do. I was not, in
>> any way, suggesting that you use Shorewall. I can completely
>> understand and sympathize with your need to dissect iptables, and the
>> security it provides. However, I tend to take a top-down approach, as
>> opposed to the bottom-up approach you seem to prefer.
>
> OK, this is great! However, I'm a C/assembler hack, with embedded
> tendencies. Scripts are OK, as most are self-explanatory.
> As a hardware guy, I often start with a microP, and write/add
> firmware to a custom bootloader. From there, often, a simple
> state machine with selected code creates wonderful things;
> so I'm definitely a bottom-up kind of guy. YMMV.
>
>> Going back to your original questions, I'm not really sure I can help
>> with Q1. However, in regards to Q2, there aren't any config files for
>> iptables. The tables are stored in memory. You can do an
>> "iptables-save", which will output a modified version of the rules
>> currently in place, which can subsequently be modified (assuming you
>> understand and duplicate the syntax) and restored (with any changes)
>> using "iptables-restore". Otherwise, all of your editing should be
>> done at the command line. I would recommend using a script (of your
>> own design, if so desired) to ease repeatability, and reduce the
>> possibility for mistakes (fat-fingering). Also, a script of this
>> nature would be handy for starting the iptables upon boot (I believe
>> the HOW-TO you referenced covers this).
>
> Is this the one?
> http://www.linuxguruz.com/iptables/scripts/rc.DMZ.firewall.txt

No, this one.
http://www.gentoo.org/doc/en/home-router-howto.xml

> I've referenced many URLs. This one was written for 2.4-based
> kernels and I'm not sure it's useful for 2.6. That was one
> of my questions.... Can you look at it and suggest where it is
> defective? That way, I can use it as a baseline to learn and develop
> a more robust (in-memory) ruleset that spawns from a shell script
> or elsewhere. Or maybe share a 2.6-based script?
>
> OK, all of this is fantastic! All of the googling and reading
> I've done has not revealed this. Most of what I find is circa 2.4
> and I'm not adept enough to discern what's relevant for 2.4 and 2.6
> kernels, yet.
>
> Thank you very, very much,
> James

As far as functionality and rule set development, I don't think there is that much of a difference between 2.4 and 2.6. I'm sure there are tons of cool things that go on under the hood that I don't really know about, but the implementation is basically the same. 2.6 kernels may offer newer targets, different kernel hooks, etc., etc., but like I said, that's a little beyond my current scope. Why not compile a 2.4 kernel (with netfilter), build a ruleset, then load up your 2.6 kernel and see what breaks (if anything)?

--
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40 9795 2D81 924A 6996 0993

--
[email protected] mailing list
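The "script of your own design" approach discussed in the thread, as an added example that is not part of the original messages or the Gentoo HOW-TO: the ruleset is rendered as text in the format `iptables-save` emits, so it can be reviewed and diffed before being loaded atomically with `iptables-restore` (the same mechanism on 2.4 and 2.6 kernels). The interface names and LAN prefix are constructed placeholders.

```shell
#!/bin/sh
# Added example: render a default-deny home-router ruleset in iptables-save
# format. Assumed (constructed) topology: eth0 faces the ISP, eth1 faces a LAN
# numbered 192.168.1.0/24. Override via the environment if yours differs.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the complete ruleset on stdout. Being plain text, it can be kept in
# version control and reviewed before anything touches the live tables.
render_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
COMMIT
EOF
}

# Sanity check on the rendered text: both inbound chains must default to DROP
# and no rule may accept traffic from the WAN side unconditionally.
ruleset_is_default_deny() {
  rules="$(render_ruleset)"
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  printf '%s\n' "$rules" | grep -q -- "-i ${WAN_IF} .*-j ACCEPT" && return 1
  return 0
}

# Parse-only dry run first (iptables-restore --test), then load atomically.
# Needs root; suitable for a boot-time init script.
apply_ruleset() {
  ruleset_is_default_deny || { echo "refusing to load: not default-deny" >&2; return 1; }
  render_ruleset | iptables-restore --test && render_ruleset | iptables-restore
}
```

Running `render_ruleset > /etc/iptables.rules` gives a file that `iptables-restore < /etc/iptables.rules` can reload at boot without replaying individual `iptables` commands.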

