> The IPF Based Firewalls Howto has NOTHING TO DO with packet filters
> for Linux, since IPF (the firewall it refers to) is used on FreeBSD,
> OpenBSD and NetBSD (and perhaps others as well).
> On Linux one uses ipfwadm, ipchains and iptables (which indeed
> were created and documented by Rusty Russell).
What do you say to this?
http://netfilter.kernelnotes.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-3.html
It is fresh and from Rusty himself. I quote:
"Linux kernels have had packet filtering since the 1.1 series. The first
generation, based on ipfw from BSD, was ported by Alan Cox in late 1994.
This was enhanced by Jos Vos and others for Linux 2.0; the userspace
tool `ipfwadm' controlled the kernel filtering rules. In mid-1998, for
Linux 2.2, I reworked the kernel quite heavily, with the help of Michael
Neuling, and introduced the userspace tool `ipchains'. Finally, the
fourth-generation tool, `iptables', and another kernel rewrite occurred
in mid-1999 for Linux 2.4."
Allow me to defend myself: Rusty says that packet filtering in Linux is
based on a *port* from BSD, and a port never changes the
"business logic".
> I cannot find the explicit proof in Russell's documents right now (and
> I am also tired and have to go home), but I think these bits of
> information are enough to show that packet filters on Linux work on
> the principle "first matched, first applied".
http://netfilter.kernelnotes.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-6.html
"A chain is a checklist of rules. Each rule says `if the packet header
looks like this, then here's what to do with the packet'. If the rule
doesn't match the packet, then the next rule in the chain is consulted.
Finally, if there are no more rules to consult, then the kernel looks
at the chain policy to decide what to do."
Here is the clear proof that I AM WRONG and YOU ARE perfectly RIGHT. Next
time I will read ten times before I open my mouth. Mea culpa.
If we go back to port 113, our friend had a DENY policy
and explicit ACCEPT rules. So any packet arriving on port
113 would have been dropped without notifying the sender. That is exactly what
would happen if ident were not running. As far as I remember, ident returns
a variable called, I think, REMOTE_IDENT, and its value in the case of a
failed query is "unknown" regardless of the cause of the failure (time-out
or reject), so IMHO I do not think the "nuance" matters.
Grig
P.S. I very much appreciate the quality of the arguments and the tone used.
I hope this "dispute" was useful to everyone.
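The chain traversal quoted above (rules consulted in order, first match decides, chain policy as the fallback) and the port 113 case with a DENY policy plus explicit ACCEPT rules, as an added Python model. This is not code from the thread, from ipchains or from netfilter; the addresses, the rule set and the `Packet`, `Rule` and `Chain` names are constructed here for illustration, and `sender_sees` summarises what a connecting host observes for each ipchains target (silent drop versus an explicit reject).

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model of an ipchains-style chain: a list of rules walked in
# order; the first matching rule decides, otherwise the chain policy applies.
# Targets modelled: ACCEPT, DENY (drop silently), REJECT (drop and notify).


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                  # ACCEPT, DENY or REJECT
    proto: Optional[str] = None  # None means "any protocol"
    dport: Optional[int] = None  # None means "any destination port"
    src: Optional[str] = None    # None means "any source address"

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.src is None or self.src == pkt.src))


@dataclass
class Chain:
    name: str
    policy: str
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> Tuple[str, str]:
        """First matching rule wins; with no match, the policy decides.

        Returns (target, reason) so the caller can see which rule fired."""
        for i, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.target, f"rule {i}"
        return self.policy, "policy"


def sender_sees(target: str) -> str:
    """What the host that sent the packet can observe for each target."""
    if target == "ACCEPT":
        return "connection attempt reaches the service"
    if target == "DENY":
        return "no reply at all; the client waits for its own timeout"
    if target == "REJECT":
        return "immediate error (ICMP unreachable or TCP RST)"
    raise ValueError(f"unknown target {target!r}")


# Constructed ruleset: DENY policy with explicit ACCEPT rules for ssh and http,
# nothing at all about port 113, as in the case discussed in the thread.
input_deny = Chain("input", policy="DENY", rules=[
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("ACCEPT", proto="tcp", dport=80),
])

# Same rules, but with a REJECT policy: the ident probe is refused explicitly.
input_reject = Chain("input", policy="REJECT", rules=list(input_deny.rules))

# Order matters: an ACCEPT for port 113 placed after a DENY for port 113 is
# never reached, because the DENY matches first.
input_ordered = Chain("input", policy="ACCEPT", rules=[
    Rule("DENY", proto="tcp", dport=113),
    Rule("ACCEPT", proto="tcp", dport=113),
])

# Constructed ident probe: a remote host connecting to our TCP port 113.
ident_probe = Packet("tcp", "198.51.100.7", "192.0.2.10", 113)
ssh_connect = Packet("tcp", "198.51.100.7", "192.0.2.10", 22)


def ident_outcome(chain: Chain) -> Tuple[str, str, str]:
    """Verdict for the ident probe plus what the probing host would observe."""
    target, reason = chain.verdict(ident_probe)
    return target, reason, sender_sees(target)


if __name__ == "__main__":
    for chain in (input_deny, input_reject, input_ordered):
        target, reason, seen = ident_outcome(chain)
        print(f"policy {chain.policy:7s} -> {target:6s} ({reason}): {seen}")
```

Running it shows the point the thread turns on: with a DENY policy the probe on port 113 falls through every rule and is dropped silently, so the probing host learns nothing until its own timer expires, whereas a REJECT policy answers at once; the ordered chain shows why rule position, not rule presence, decides the outcome.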
---
Send e-mail to '[EMAIL PROTECTED]' with 'unsubscribe rlug' to
unsubscribe from this list.