> > In these cases though, the change in syntax is well worth it, since
> > you're getting MUCH improved functionality, which also makes your
> > network MUCH more secure.  Stateful packet inspection is generally
> > much harder to defeat than simple packet filtering...
> 
> Are you saying the command line syntax of the tool (e.g. /usr/sbin/ipchains)
> could not be backwards compatible with the old syntax? That's all I am
> saying.

Well, without doing a side-by-side comparison I can't say that they
couldn't...  But off the top of my head I don't think you can, because
there's a lot more to iptables that I think would conflict with the
old syntax.  The way they handle the chains is entirely different...
They tried to make it as close as possible, so as not to make it too
difficult to switch.  And it is fairly similar (I think).


> It could be that it is impossible to support the previous syntax... but
> I thought it was a rigorous superset functionality-wise. If so, then it

Actually the old syntax IS supported...  you need to load the ipchains
module to get it, but then you CAN NOT use any of the new
functionality.  The two syntaxes are mutually exclusive.


-- 
Somebody set up us the bomb.
All your base are belong to us.
Take off every zig for great justice.
---------------------------------------------------
Derek Martin          |   Unix/Linux geek
[EMAIL PROTECTED]    |   GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu

