Okay, this is probably heresy, but here's my advice on making iptables a little more manageable. iptables-restore and iptables-save work with a kind of funny-looking config file, and I just edit that file by hand rather than figure out how to craft goofy iptables command lines. My systems are Fedora Core II, and FC2 uses the output from iptables-save to start iptables in the boot scripts. If you added iptables-restore to your boot scripts, you'd have the same basic effect. When I need to make a change I usually just copy an existing line and make the needed changes. This gets around some of the complaints about administering iptables.
That said, I use OpenBSD with PF for my firewall and I only use iptables on servers that need to live outside my firewall for some weird reason. So please don't hit me for giving iptables advice on the pf mailing list...

-Dylan

> On Tue, 19 Oct 2004 19:11:13 -0400
> David Snyder <[EMAIL PROTECTED]> wrote:
>
> > I've been trying to make some halting efforts to try and port pf to
> > Linux (I use Slack -- as well as OBSD, of course). I haven't seen
> > anything on the Net about pf on Linux, so I've concluded that no one's
> > looked at porting pf to Linux. That's too bad, 'cause pf beats the
> > hell out of iptables for ease of use, configuration, etc. Since a lot
> > of the details of, for example, building a lkm, the net interface for
> > Linux and writing a Makefile, it's going to be awhile before I have
> > anything vaguely useful. So, in other words, don't hold your breath.
> > Thank you very much for your time.
>
> I find iptables such a royal PITA. I bought Building Firewalls with
> OpenBSD and PF 2nd edition as I could not get my head around the binat
> keyword, as it was far too easy for me to understand. The rest of the
> book is pretty good, anyway, I'm side tracked now. Ah yes. I've been
> using the same iptables firewall script for 3-ish years, maybe more now
> simply because I could never reconstruct it from scratch without taking
> a week off from my normal duties. I can whip up a pf rule set in no
> time.
>
> I find the opposite when it comes to other things like running the
> latest GAIM version because darn Yahoo or MSN change their protocol,
> getting everything up to date just takes longer. apt-get install gaim, on
> a Debian system gets it right.
>
> PF on Linux would be 'awesome', so long as it did not become like the XP
> firewall.
>
> --
> Ed. Debian 3. OpenBSD 3.5. Two things came out of Berkeley: BSD and
> LSD. Don't think this a coincidence.
> Can't cross chasm in small jumps
> PGP KeyID 04EDACDA A0F3 44E9 C367 C6C1 C891 4C71 69AF 3CF5 04ED ACDA
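The hand-edited iptables-save workflow Dylan describes, written out as an added example that is not part of the original post and not Fedora's own init script: a constructed ruleset in the iptables-save file format, a lint pass that catches the mistakes hand editing invites (a table left without its COMMIT, an -A line or a -j target naming a chain that was never declared with a ':' line), and an apply step with automatic rollback, the safeguard a practitioner wants on exactly the machines he mentions, servers outside the firewall that you reach over the network. The file names, the SSH_IN chain, the 192.0.2.0/24 source (a documentation address range), the grace period and the lint's list of accepted built-in targets are all assumptions. On Fedora the boot script loads /etc/sysconfig/iptables, so a file that passes the lint is what would go there.

```shell
#!/bin/sh
# Added example, not code from the original post. Demonstrates editing the
# iptables-save format by hand safely: write a sample file, lint it, then
# load it with a timed rollback so a typo cannot lock you out of a remote
# server. Paths, chain names and addresses are assumptions for illustration.

# Write a constructed sample ruleset in iptables-save format to the file $1.
# Note the shape: '*table', ':CHAIN POLICY [packets:bytes]' for every chain
# (built-in ones included), '-A CHAIN ...' rules, then 'COMMIT' per table.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
# Hand-written in iptables-save format (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j SSH_IN
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A SSH_IN -s 192.0.2.0/24 -j ACCEPT
-A SSH_IN -j DROP
COMMIT
EOF
}

# Lint a ruleset file ($1) before handing it to iptables-restore.
# Checks: every '*table' block is closed by COMMIT, every '-A' appends to a
# chain declared with ':' in the same table, and every '-j' target is either
# a declared chain or one of the assumed built-in verdicts/targets listed.
# Returns 0 when clean, 1 otherwise, printing each problem with its line.
lint_ruleset() {
    awk '
        function fail(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
        /^#/ || /^[ \t]*$/ { next }
        /^\*/ { if (table != "") fail("table " table " not closed with COMMIT")
                table = substr($1, 2); for (k in chains) delete chains[k]; next }
        /^:/  { if (table == "") fail("chain declared outside a table")
                chains[substr($1, 2)] = 1; next }
        /^COMMIT$/ { if (table == "") fail("COMMIT without a table"); table = ""; next }
        /^-A / { if (!($2 in chains)) fail("append to undeclared chain " $2)
                 for (i = 3; i <= NF; i++) if ($i == "-j") {
                     t = $(i + 1)
                     if (!(t in chains) && t !~ /^(ACCEPT|DROP|REJECT|RETURN|LOG|MASQUERADE|SNAT|DNAT|REDIRECT)$/)
                         fail("jump to undeclared chain " t)
                 }
                 next }
        { fail("unrecognised line: " $0) }
        END { if (table != "") fail("table " table " not closed with COMMIT"); exit (bad ? 1 : 0) }
    ' "$1"
}

# Load ruleset $1 with a safety net: snapshot the live rules, restore the new
# file, and revert to the snapshot after $2 seconds (default 60) unless the
# snapshot file has been removed, which is your confirmation that you can
# still reach the box. nohup keeps the timer alive if your session drops.
apply_with_rollback() {
    rules=$1; grace=${2:-60}
    lint_ruleset "$rules" || return 1
    [ "$(id -u)" -eq 0 ] || { echo "must be root to load rules" >&2; return 1; }
    snapshot=$(mktemp /tmp/iptables-snapshot.XXXXXX) || return 1
    iptables-save > "$snapshot" || return 1
    if ! iptables-restore < "$rules"; then
        echo "iptables-restore rejected $rules; new rules not loaded" >&2
        rm -f "$snapshot"; return 1
    fi
    nohup sh -c "sleep $grace; [ -f '$snapshot' ] && iptables-restore < '$snapshot'" >/dev/null 2>&1 &
    echo "Loaded $rules. Run:  rm $snapshot  within ${grace}s to keep it, else it reverts."
}

# Usage (as root):  . ./this-file; write_sample_ruleset /tmp/rules;
#                   apply_with_rollback /tmp/rules 60; then rm the snapshot path printed.
```

The lint deliberately accepts only what iptables-save itself emits (comments, `*table`, `:chain`, `-A`, `COMMIT`), so a stray `iptables -A ...` command line pasted into the file is flagged rather than silently breaking the whole table at boot. The rollback timer is what makes hand editing on a remote server tolerable: if the new rules cut off your SSH session, the snapshot comes back on its own after the grace period.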
