> is anybody already deploying their firewalls based on
> netfilter/iptables?
> anyone planning to migrate from ipchains to netfilter?
ACENT has deployed netfilter/iptables since 1 May 2001. :)
> any compelling reasons to do so, aside from stateful inspection?
If you're using the 2.4.x kernel, you might as well give it a try.
Also, performance/security/reliability seems to have improved over
ipchains.
> any compelling reason NOT to do so?
If your current setup works, then you might want to stick with it first
and gradually shift to iptables. Work on a backup first and see if
you're satisfied with the performance, then make the main system
implement it.
> anyone want to share their horror stories on this?
- Forgot to make iptables accept all connections from loopback; caused
  some problems.
- Connection tracking eats up memory, so I'm told -- 1 byte per
  connection, I think.
- ICQ connection is flaky (ICQ protocol is ugly).
- Active FTP is supposedly supported, though I haven't gotten it to work
  correctly.
- Had to loosen up the firewall rules because some connections were failing.
Tips:
- Don't forget to make iptables accept all:all for -i lo.
- Make custom chains for manageability.
- Read the iptables docs carefully. The major change: three tables now --
  filter, nat, & mangle. Also, capitalization counts.
--------------------------------------
Gino LV. Ledesma
Ateneo Cervini-Eliazo Networks (ACENT)
email : [EMAIL PROTECTED]
web : http://cersa.admu.edu.ph/
phone : (63)(2) 426-6001 ext. 5925/5904
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to
[EMAIL PROTECTED]
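The tips in the reply above (accept everything on lo, use custom chains, keep the three tables straight, mind capitalization) turned into a small stateful ruleset, as an added example that is not code from the original post or from ACENT. It assumes a 2.4-era iptables with the `state` match, a public interface named `eth0` (an assumption; override with `PUB=...`), and it runs as a dry run by default: `IPT` is `echo iptables` unless you set `IPT=iptables`, so the commands are printed rather than applied. The loopback rule is deliberately the first thing appended to INPUT, which is the mistake the horror story describes.

```shell
#!/bin/sh
# Added example: minimal stateful netfilter/iptables firewall for a 2.4.x host.
# Dry run by default; set IPT=iptables (as root) to actually load the rules.
IPT="${IPT:-echo iptables}"
PUB="${PUB:-eth0}"     # public interface name is an assumption

firewall_rules() {
    # Work only in the filter table; nat and mangle are separate tables and
    # are left untouched here. Flush rules before deleting user chains (-X).
    $IPT -t filter -F
    $IPT -t filter -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Custom chains for manageability. Chain and target names are
    # case-sensitive: "ACCEPT"/"DROP" work, "accept"/"drop" do not.
    $IPT -N services
    $IPT -N logdrop
    $IPT -A logdrop -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "
    $IPT -A logdrop -j DROP

    # Loopback first: all:all for -i lo, before anything that could drop it.
    $IPT -A INPUT -i lo -j ACCEPT

    # Stateful part: connection tracking passes replies and related traffic.
    # For active FTP the data connection only shows up as RELATED when the
    # ip_conntrack_ftp helper module is loaded (modprobe ip_conntrack_ftp).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j logdrop

    # New inbound connections on the public interface go through "services".
    $IPT -A INPUT -i "$PUB" -m state --state NEW -j services
    $IPT -A services -p tcp --dport 22 -j ACCEPT
    $IPT -A services -p tcp --dport 80 -j ACCEPT
    $IPT -A services -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A services -j logdrop

    # Anything that did not match above is logged and dropped.
    $IPT -A INPUT -j logdrop
}

# Helpers for checking the generated ruleset in dry-run mode.
rule_count()       { firewall_rules | grep -c -- ' -A '; }
first_input_rule() { firewall_rules | grep -- ' -A INPUT ' | head -n 1; }

firewall_rules
```

Run it once as a dry run, read the printed commands, then run it again with `IPT=iptables`. If an existing setup works, that is the "work on a backup first" step from the reply: load the ruleset on a spare box, confirm that the services you care about still connect, and only then move it to the production firewall.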