What does LOG have to do with my freedom to have several identical rules? There are dozens of other kinds of non-terminating rules, including those without -j. I suppose you too are of the opinion that iptables should slap my hand when I want to append a second rule identical to an existing one!

Not to mention the obvious overhead when you create chains with hundreds/thousands of rules, just because you like iptables to do a two-bit check! The mistakes administrators make are far from being that simple; in this area iptables cannot help with anything, as it is a domain reserved for the knowledge of whoever sets up that chain. And once again, -A means append, not "append if you don't find another similar rule". Period.

Radu Anghel wrote:

> in that case, do all of your rules end with -j LOG/RETURN?
> not all rules are "non-terminating"
> if you put 2 rules with -j LOG it will match both
> if you put 2 rules with -j ACCEPT it will match only the first
> anyway, I don't see the use of a -j LOG placed twice in the same chain
> unless you want to see the same message twice.
>
> LOG
> Turn on kernel logging of matching packets. When this option is set
> for a rule, the Linux kernel will print some information on all matching
> packets (like most IP header fields) via the kernel log (where it
> can be read with dmesg or syslogd(8)). This is a "non-terminating target",
> i.e. rule traversal continues at the next rule. So if you want
> to LOG the packets you refuse, use two separate rules with the same
> matching criteria, first using target LOG then DROP (or REJECT).
>
> On Tue, 2004-02-24 at 14:52, Alin Nastac wrote:
>
>> Oh really? So all of your rules end with -j ACCEPT/DENY/DROP?
>>
>> Radu Anghel wrote:
>>
>>> if you have the same rule placed 2 or more times in the same chain, it
>>> will only match on the first -> the rest are useless
>>>
>>> On Tue, 2004-02-24 at 14:43, Alin Nastac wrote:
>>>
>>>> And when I tell you that iptables doesn't pretend to be smarter than
>>>> the administrator, what do you think I am?
>>>> Since when am I not allowed to have 2 or more identical rules
>>>> in a chain?
>>>>
>>>> Radu Radoveneanu wrote:
>>>>
>>>>> Alin Nastac said:
>>>>>
>>>>>> hahaha... it could perhaps tell you RTFM!!!
>>>>>>
>>>>>> as always in a chain, position is very important; I don't see how it
>>>>>> should interpret this stupid command of yours other than what
>>>>>> -A means: "add this rule to the end of the chain".
>>>>>
>>>>> really cool, man, what can I say, you've blown me away
>>>>> and I suppose if I say that -A was an example and that I want it to give me an
>>>>> error when I try to add an already existing rule, you'll tell me I'm
>>>>> an idiot and give me a couple of slaps too, right?

---
Details about our mailing lists: http://www.lug.ro/
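
Added example, not part of any message in this thread: a toy Python model of chain traversal (not iptables code; every name and the sample packets are constructed) that reproduces the per-rule packet counters for duplicate non-terminating rules (LOG, or no -j at all) versus duplicate terminating rules, including the LOG-then-DROP pattern from the quoted man page text.

```python
# Toy model of traversing one iptables chain. Hypothetical names throughout.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # a verdict stops traversal
# "LOG" and None (a rule with no -j) are non-terminating: the rule's counter
# is bumped and traversal continues at the next rule.

def traverse(chain, packet, policy="ACCEPT"):
    """Walk the chain for one packet; return (verdict, indexes of rules hit)."""
    hits = []
    for i, (match, target) in enumerate(chain):
        if not all(packet.get(k) == v for k, v in match.items()):
            continue                      # criteria do not match: skip rule
        hits.append(i)
        if target in TERMINATING:
            return target, hits           # later rules are never evaluated
    return policy, hits                   # fell off the end: chain policy

def counters(chain, packets, policy="ACCEPT"):
    """Per-rule packet counts, like the pkts column of `iptables -L -v`."""
    counts = [0] * len(chain)
    for p in packets:
        for i in traverse(chain, p, policy)[1]:
            counts[i] += 1
    return counts

# Constructed sample data: three SSH packets and one DNS packet.
SSH = {"proto": "tcp", "dport": 22}
PACKETS = [dict(SSH) for _ in range(3)] + [{"proto": "udp", "dport": 53}]

DUP_LOG = [(SSH, "LOG"), (SSH, "LOG"), (SSH, "DROP")]       # LOG twice, then DROP
DUP_ACCEPT = [(SSH, "ACCEPT"), (SSH, "ACCEPT")]             # second is shadowed
NO_TARGET = [(SSH, None), (SSH, None), (SSH, "DROP"), (SSH, "DROP")]

if __name__ == "__main__":
    for name, chain in [("DUP_LOG", DUP_LOG), ("DUP_ACCEPT", DUP_ACCEPT),
                        ("NO_TARGET", NO_TARGET)]:
        print(name, counters(chain, PACKETS))
```

A rule whose counter stays at zero while an identical earlier rule keeps counting is the shadowed duplicate; duplicates of non-terminating rules each count (and, for LOG, each emit a log line) for every matching packet.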
