Then go to the guys who wrote iptables and tell them your opinion.
Once again:
- this check takes time, time that grows exponentially with the
size of the chain.
- it is pointless to check for a mistake (if it is a mistake) this
minor, as long as the people who make mistakes make an entirely different
kind of mistake, mistakes that iptables cannot detect
- iptables is a utility, maybe too dumb in your opinion (in which case
I think you had better study the other products on the market);
the one who sets up the chains is the administrator
- the fact that (probably) there is (as yet) no rule for which duplicating
it makes sense does not mean there never will be; iptables is wide
open to whatever nonsense crosses your mind regarding the
packets that traverse your router
Radu Anghel wrote:
>and what good does that non-terminating rule do you if 2 lines further
>down it will do the same thing?
>I too am of the opinion that iptables should get an error from the
>kernel when you want to append/insert a rule identical to an existing one,
>and it should tell you "hey Gigel, that rule already exists, and if you
>don't like its position in the chain, hit it with -D and put it higher/lower
>as you please."
>
>On Tue, 2004-02-24 at 15:21, Alin Nastac wrote:
>
>>What does LOG have to do with my freedom to have several identical
>>rules? There are dozens of other kinds of non-terminating rules, including
>>those without -j.
>>You probably think too that iptables should slap my hand
>>when I want to append a second rule identical to an existing one!
>>
>>Not to mention the obvious overhead when you create chains
>>with hundreds/thousands of rules, just because you like iptables doing a
>>two-bit check! The mistakes administrators make
>>are far from being that simple; in this area, iptables
>>cannot help at all, it being a domain reserved to the knowledge of the one
>>who sets up that chain.
>>
>>And once again, -A means append, not "append if you don't find another
>>similar rule". Period.
>>
>>Radu Anghel wrote:
>>
>>>in that case, do all your rules end in -j LOG/RETURN?
>>>not all rules are "non-terminating"
>>>if you put 2 rules with -j LOG it will match on both
>>>if you put 2 rules with -j ACCEPT it will match only on the first
>>>anyway, I don't see the use of a -j LOG put twice in the same chain unless
>>>you want to see the same message twice.
>>>
>>>LOG
>>>Turn on kernel logging of matching packets. When this option is set
>>>for a rule, the Linux kernel will print some information on all matching
>>>packets (like most IP header fields) via the kernel log (where it
>>>can be read with dmesg or syslogd(8)). This is a "non-terminating target",
>>>i.e. rule traversal continues at the next rule. So if you want
>>>to LOG the packets you refuse, use two separate rules with the same
>>>matching criteria, first using target LOG then DROP (or REJECT).
>>>
>>>On Tue, 2004-02-24 at 14:52, Alin Nastac wrote:
>>>
>>>>Oh really? So all your rules end in -j ACCEPT/DENY/DROP?
>>>>
>>>>Radu Anghel wrote:
>>>>
>>>>>if in the same chain you have the same rule put 2 or more times, it will
>>>>>only match on the first -> the rest are useless
>>>>>
>>>>>On Tue, 2004-02-24 at 14:43, Alin Nastac wrote:
>>>>>
>>>>>>And when I tell you that iptables does not pretend to be smarter than
>>>>>>the administrator, what do you think I am?
>>>>>>Since when am I not allowed to have 2 or more identical rules
>>>>>>in a chain?
>>>>>>
>>>>>>Radu Radoveneanu wrote:
>>>>>>
>>>>>>>Alin Nastac said:
>>>>>>>
>>>>>>>>hahaha... it could eventually tell you RTFM!!!
>>>>>>>>
>>>>>>>>because in a chain position is always very important; I don't see how
>>>>>>>>it should interpret that silly command any other way than what
>>>>>>>>-A means: "add this rule at the end of the chain".
>>>>>>>>
>>>>>>>super cool, old man, what can I say, you've knocked me off my feet
>>>>>>>and if I say that -A was just an example and that I want it to give me
>>>>>>>an error when I try to add a rule that already exists, you'll tell me
>>>>>>>I'm an idiot and slap me twice as well, won't you?
>>>>>>>
>>>>>>---
>>>>>>Details about our mailing lists: http://www.lug.ro/
>>>>>>
---
Details about our mailing lists: http://www.lug.ro/
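The behaviour the thread argues over, as an added example that is not part of the original thread: later iptables releases gained a `-C` (check) option, which leaves the "append only if absent" check to the administrator instead of forcing it on every `-A`. The functions below emulate that check and the terminating/non-terminating traversal semantics on a constructed `iptables -S INPUT` dump (the addresses, ports and log prefix are made up), so it runs without root or a live netfilter.

```shell
# Constructed "iptables -S INPUT" dump (made up for this example); two rules
# appear twice: a LOG rule (non-terminating) and a DROP rule (terminating).
RULES='-A INPUT -s 10.0.0.5/32 -j LOG --log-prefix "probe: "
-A INPUT -s 10.0.0.5/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.5/32 -j LOG --log-prefix "probe: "
-A INPUT -s 10.0.0.5/32 -j DROP'

# Print each rule line that occurs more than once in the dump (once each).
find_duplicates() {
    printf '%s\n' "$RULES" | sort | uniq -d
}

# Emulate "iptables -C INPUT <rule>": succeed only if an identical rule is
# already present. On a live host this would be: iptables -C INPUT $rule
rule_exists() {
    printf '%s\n' "$RULES" | grep -Fxq -- "$1"
}

# The check Radu asked for, left to the administrator: append only when
# absent, so a re-run firewall script stays idempotent. Returns 1 if skipped.
append_unique() {
    rule_exists "$1" && return 1
    RULES="$RULES
$1"
}

# Label each duplicate by the effect of its second copy: with a terminating
# target (ACCEPT/DROP/REJECT/RETURN) the first copy ends traversal, so the
# second is dead; with LOG, or no -j at all, traversal continues and the
# second copy fires again on every matching packet.
classify_duplicates() {
    find_duplicates | awk '{
        target = "(none)"
        for (i = 1; i <= NF; i++) if ($i == "-j") target = $(i + 1)
        kind = (target == "LOG" || target == "(none)") ? "fires-twice" : "dead"
        print kind ": " $0
    }'
}

classify_duplicates
```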