- the check would only cost time when you append/insert the rule, not when a packet passes through that chain, so I don't think it would be a great tragedy
- it is useful to check for any mistake (if it is a mistake)
- which rule would make sense repeated 2 or more times in the same chain? one that increments/decrements the TTL? it would be better to increment/decrement it by 2/x from the start...

On Tue, 2004-02-24 at 15:38, Alin Nastac wrote:
> Then go to the guys who wrote iptables and tell them your opinion.
>
> Once again:
> - this check consumes time, time that grows exponentially with the size of the chain.
> - it is pointless to check for such a minor mistake (if it is a mistake) while the people who make mistakes make an entirely different kind of mistake, mistakes that iptables cannot detect
> - iptables is a utility, perhaps too dumb in your opinion (in which case I think you had better study the other products on the market); the one who sets up the chains is the administrator
> - the fact that (probably) there is no rule (yet) whose duplication makes sense does not mean there never will be; iptables is totally open to whatever nonsense crosses your mind regarding the packets that traverse your router
>
> Radu Anghel wrote:
>
> > and what good is that non-terminating rule to you if 2 lines further down it does the same thing?
> > I too am of the opinion that iptables should get an error from the kernel when you want to append/insert a rule identical to an existing one, and it should tell you "hey Gigel, that rule already exists, and if you don't like where it sits in the chain, hit it with -D and put it higher/lower as you like".
> >
> > On Tue, 2004-02-24 at 15:21, Alin Nastac wrote:
> >
> > > What does LOG have to do with my freedom to have several identical rules? There are dozens of other kinds of non-terminating rules, including those without -j.
> > > You may well think that iptables should slap my hand when I want to append a second rule identical to an existing one!
> > >
> > > Not to mention the obvious overhead when you create chains with hundreds/thousands of rules, just because you like iptables to do a two-bit check! The mistakes administrators make are far from being that simple; in this area iptables cannot help at all, it being a domain reserved to the knowledge of whoever sets up that chain.
> > >
> > > And once again, -A means append, not "append if you don't find another similar rule". Period.
> > >
> > > Radu Anghel wrote:
> > >
> > > > in that case, do all your rules end with -j LOG/RETURN?
> > > > not all rules are "non-terminating"
> > > > if you put 2 rules with -j LOG it will match on both
> > > > if you put 2 rules with -j ACCEPT it will match only on the first
> > > > anyway I don't see the use of a -j LOG put twice in the same chain, unless you want to see the same message twice.
> > > >
> > > > LOG
> > > > Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with dmesg or syslogd(8)). This is a "non-terminating target", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT).
> > > >
> > > > On Tue, 2004-02-24 at 14:52, Alin Nastac wrote:
> > > >
> > > > > Oh really? So all your rules end with -j ACCEPT/DENY/DROP?
> > > > >
> > > > > Radu Anghel wrote:
> > > > >
> > > > > > if in the same chain you have the same rule put 2 or more times, it will only match on the first -> the rest are useless
> > > > > >
> > > > > > On Tue, 2004-02-24 at 14:43, Alin Nastac wrote:
> > > > > >
> > > > > > > And when I tell you that iptables does not pretend to be smarter than the administrator, what do you take me for?
> > > > > > > Where did you get the idea that I'm not allowed to have 2 or more identical rules in a chain?
> > > > > > >
> > > > > > > Radu Radoveneanu wrote:
> > > > > > >
> > > > > > > > Alin Nastac said:
> > > > > > > >
> > > > > > > > > hahaha... it might eventually tell you RTFM!!!
> > > > > > > > >
> > > > > > > > > since in a chain position is always very important; I don't see how it should interpret that silly command any other way than what -A means: "add this rule at the end of the chain".
> > > > > > > >
> > > > > > > > super cool, old man, what can I say, you've floored me
> > > > > > > > and if I were to say that -A was just an example and that I want it to give me an error when I try to add a rule that already exists, you'll tell me I'm an idiot and give me two slaps as well, right?

---
Details about our mailing lists: http://www.lug.ro/
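Two shell helpers, added here as an example and not part of the thread or of iptables itself. `ipt_add_once` does from user space what the thread asks iptables to do in the kernel: it appends only if no identical rule is already in the chain, using `iptables -C` (`--check`), a flag that exists in iptables 1.4.11 and later, years after this 2004 exchange. `find_duplicate_rules` audits an `iptables-save` dump offline and labels each verbatim repeat by whether its target ends traversal (the second copy can never match, as said above for ACCEPT) or does not (the second copy acts again, as the LOG man page excerpt says). The dump is constructed for the example; the lists of terminating and non-terminating targets are an assumption covering common targets, and a jump to a user-defined chain is left undecided.

```shell
#!/bin/sh
# Added example (not from the thread). Two helpers around the duplicate-rule question:
#  - ipt_add_once: make "append" idempotent from user space, since -A itself never
#    checks (uses iptables -C/--check, present in iptables >= 1.4.11).
#  - find_duplicate_rules: audit an iptables-save dump for rules repeated verbatim
#    in the same table and chain, and say whether the repeat is dead or still acts.

# Usage: ipt_add_once <table> <chain> <rule-spec...>
# Needs root and a real iptables. An existing identical rule is left where it is;
# move it yourself with -D and -I if its position matters, as the thread suggests.
ipt_add_once() {
    table=$1; chain=$2; shift 2
    if iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    iptables -t "$table" -A "$chain" "$@"
}

# Reads an iptables-save dump on stdin. Prints one line per rule text that occurs
# more than once in the same table/chain, prefixed with its count and a verdict:
#   terminating      target ends traversal of this chain (RETURN included), so the
#                    second copy can never match
#   non-terminating  LOG, MARK, TTL, ... or no -j at all: the copy acts again
#   jump             user-defined chain: depends on whether that chain RETURNs
# The target lists are an assumption covering common targets, not exhaustive.
find_duplicate_rules() {
    awk '
    /^\*/ { table = substr($0, 2); next }           # "*filter" starts a table
    /^-A / {
        key = table " " $0                           # rule text incl. chain name
        if (++count[key] == 2) order[++n] = key      # remember on first repeat
        next
    }
    END {
        for (i = 1; i <= n; i++) {
            key = order[i]
            nf = split(key, f, " ")
            target = ""
            for (j = 1; j < nf; j++) if (f[j] == "-j") target = f[j+1]
            if (target ~ /^(ACCEPT|DROP|REJECT|RETURN)$/)
                kind = "terminating"
            else if (target == "" || target ~ /^(LOG|ULOG|NFLOG|MARK|CONNMARK|TOS|TTL|DSCP)$/)
                kind = "non-terminating"
            else
                kind = "jump"
            print count[key] "x " kind ": " key
        }
    }'
}

# Constructed sample dump (not a real ruleset): the LOG rule and the rule with no
# target are repeated and really act twice; the repeated ACCEPT is unreachable.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j LOG --log-prefix "ssh: "
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j LOG --log-prefix "ssh: "
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j DROP
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80
-A FORWARD -p tcp -m tcp --dport 80
COMMIT
EOF
}

# Stand-alone run on the sample. On a live box: iptables-save | find_duplicate_rules
sample_dump | find_duplicate_rules
```

The audit compares rule text exactly as `iptables-save` prints it, so two rules that differ only in option order or in a comment are not reported; that is deliberate, since the thread's question is about rules the kernel would treat as identical. A repeated `LOG` is the case where a duplicate is a real bug (the same packet logged twice), while a repeated `ACCEPT` or `DROP` is merely dead weight in the chain.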
