Re: [gentoo-user] Re: problems merging python packages
On Tue, 21 May 2013 02:42:08 +0200, Tamer Higazi wrote:

> walt, I am just confused because the entire system is totally unstable
> and I need to update it

Your original post mentioned a failure on just one package. If there is a
deeper problem you need to tell us about it.

-- 
Neil Bothwick

667 - The FAX number of the beast
Re: [gentoo-user] howto on setting up rootfs on ZFS?
On Mon, May 20, 2013 at 4:36 PM, Neil Bothwick n...@digimed.co.uk wrote:

> Look at the modules link on the Rescue CD pages, it has a link to a ZFS
> module file. This includes a script to rebuild the ISO including the ZFS
> modules, I've used it several times with success, the only thing the
> documentation fails to mention is that after booting the CD, you have to
> run depmod -a before you can use the ZFS modules.

This is perfect! Thank you

-- 
Douglas J Hunley (doug.hun...@gmail.com)
Twitter: @hunleyd
Web: douglasjhunley.com
G+: http://goo.gl/sajR3
Re: [gentoo-user] Seamonkey and path to internet
On Mon, 20 May 2013 21:36:07 -0500 Dale rdalek1...@gmail.com wrote:

> Adam Carter wrote:
>>> What is the path that Seamonkey takes to get to the internet?
>>
>> The path is determined by the proxy settings. If there's no proxy
>> configured it's just straight out.
>>
>> Sounds like a bug to me.
>
> Under proxies, I have direct connection checked. I forgot to mention that
> even tho I checked it to make sure how it was set up. I hope this is
> something besides a bug since it affects both versions in the tree. :-?
>
> Dale
>
> :-) :-)
>
> --
> I am only responsible for what I said ... Not for what you understood or
> how you interpreted my words!

If it's affecting both versions, then it's a bug. Very rarely will you see
both showing the same problem, and that does indicate something is badly
screwed up somewhere.
[gentoo-user] IPTables - Going Stateless
Hello Everyone,

We recently moved our stateful firewall inside, and would like to strip down
the firewall at our router connected to the outside world. The problem I am
experiencing is getting things to work properly without connection tracking.
I hope I am not in breach of mailing list rules; however, a stripped down
configuration is as follows:

#!/bin/bash

IPTABLES='/sbin/iptables'

#Set interface values
INTIF1='eth0'

#flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

#echo -e- Accepting input lo traffic
$IPTABLES -A INPUT -i lo -j ACCEPT

#echo -e- Accepting output lo traffic
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#echo -e- Defined Chains
$IPTABLES -N TCP
$IPTABLES -N UDP

#echo -e- Accepting SSH Traffic
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

#echo -e- Accepting input TCP and UDP traffic to open ports
$IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP

#echo -e- Accepting output TCP and UDP traffic to open ports
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP

#echo -e- Dropping input TCP and UDP traffic to closed ports
# $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e- Dropping output TCP and UDP traffic to closed ports
# $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e- Dropping input traffic to remaining protocols sent to closed ports
# $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e- Dropping output traffic to remaining protocols sent to closed ports
# $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

Everything works fine with the REJECT rules commented out, but when they are
included SSH access is blocked. Not sure why; isn't the sequence correct
(i.e., the ACCEPT entries before the DROP and REJECT)? Also, any pointers or
heads up when going stateless would be greatly appreciated.

Kind Regards,

Nick
[gentoo-user] Re: [gentoo-user] IPTables - Going Stateless
Tuesday, 21 May 2013, 11:07 -04:00 from Nick Khamis sym...@gmail.com:

> Hello Everyone,
>
> We recently moved our stateful firewall inside, and would like to strip
> down the firewall at our router connected to the outside world. The problem
> I am experiencing is getting things to work properly without connection
> tracking. I hope I am not in breach of mailing list rules; however, a
> stripped down configuration is as follows:
>
> #!/bin/bash
>
> IPTABLES='/sbin/iptables'
>
> #Set interface values
> INTIF1='eth0'
>
> #flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
>
> #echo -e- Accepting input lo traffic
> $IPTABLES -A INPUT -i lo -j ACCEPT
>
> #echo -e- Accepting output lo traffic
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
> #echo -e- Defined Chains
> $IPTABLES -N TCP
> $IPTABLES -N UDP
>
> #echo -e- Accepting SSH Traffic
> $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
> $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
>
> #echo -e- Accepting input TCP and UDP traffic to open ports
> $IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
>
> #echo -e- Accepting output TCP and UDP traffic to open ports
> $IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
>
> #echo -e- Dropping input TCP and UDP traffic to closed ports
> # $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
>
> #echo -e- Dropping output TCP and UDP traffic to closed ports
> # $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
>
> #echo -e- Dropping input traffic to remaining protocols sent to closed ports
> # $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
>
> #echo -e- Dropping output traffic to remaining protocols sent to closed ports
> # $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
>
> Everything works fine with the REJECT rules commented out, but when they
> are included SSH access is blocked. Not sure why; isn't the sequence
> correct (i.e., the ACCEPT entries before the DROP and REJECT)? Also, any
> pointers or heads up when going stateless would be greatly appreciated.
>
> Kind Regards,
>
> Nick

Looks like the packet never gets to the tcp chain. What is --syn?
[gentoo-user] Re: IPTables - Going Stateless
For testing purposes I changed the ssh rule to:

-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

And still no go. As mentioned before, everything works fine until I try to
close up the rest of the ports not opened up in the chains UDP and TCP stated
above:

#echo -e- Dropping input TCP and UDP traffic to closed ports
-A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e- Dropping output TCP and UDP traffic to closed ports
-A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e- Dropping input traffic to remaining protocols sent to closed ports
-A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e- Dropping output traffic to remaining protocols sent to closed ports
-A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

That is when I cannot SSH over to the server.

N.
Re: [gentoo-user] Seamonkey and path to internet
On Tue, 21 May 2013 07:45:28 -0700, Fast Turtle wrote:

>> Under proxies, I have direct connection checked. I forgot to mention that
>> even tho I checked it to make sure how it was set up. I hope this is
>> something besides a bug since it affects both versions in the tree. :-?
>
> if it's affecting both versions, then it's a bug. Very rarely will you see
> both showing the same problem and that does indicate something is badly
> screwed up somewhere.

Yes, but it may not be a bug; Dale could have a broken configuration. Dale,
have you tried with a new user or vanilla config?

-- 
Neil Bothwick

Why do they call it a TV set when you only get one?
Re: [gentoo-user] Re: [gentoo-user] IPTables - Going Stateless
> Looks like the packet never gets to the tcp chain. what is --syn?

It seems that way. I am not sure what --syn is, actually. But even if I
comment it out it does not work.

Also, for testing I changed the SSH rule to allow bidirectional traffic until
this is fixed:

-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

As mentioned before, everything works as expected until I try to close up the
ports not included in the TCP and UDP chains:

#echo -e- Dropping input TCP and UDP traffic to closed ports
-A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e- Dropping output TCP and UDP traffic to closed ports
-A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e- Dropping input traffic to remaining protocols sent to closed ports
-A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e- Dropping output traffic to remaining protocols sent to closed ports
-A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

Thanks in Advance,

Nick.
Re: [gentoo-user] IPTables - Going Stateless
On 21/05/2013 17:07, Nick Khamis wrote:

> Hello Everyone,
>
> We recently moved our stateful firewall inside, and would like to strip
> down the firewall at our router connected to the outside world. The problem
> I am experiencing is getting things to work properly without connection
> tracking.

Now why, oh why, do you want to do that?

A world of pain awaits you. Stateless firewalls are a colossal mindfuck that
will drive you crazy. So unless you have a very very good reason for doing
this I recommend you seriously revisit your choice. iptables really does not
consume that much resources (and if you truly are low on resources then you
need to get a bigger router, because after all it is a router and I assume in
production)

> I hope I am not in breach of mailing list rules; however, a stripped down
> configuration is as follows:
>
> #!/bin/bash
>
> IPTABLES='/sbin/iptables'
>
> #Set interface values
> INTIF1='eth0'
>
> #flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
>
> #echo -e- Accepting input lo traffic
> $IPTABLES -A INPUT -i lo -j ACCEPT
>
> #echo -e- Accepting output lo traffic
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
> #echo -e- Defined Chains
> $IPTABLES -N TCP
> $IPTABLES -N UDP
>
> #echo -e- Accepting SSH Traffic
> $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
> $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
>
> #echo -e- Accepting input TCP and UDP traffic to open ports
> $IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
>
> #echo -e- Accepting output TCP and UDP traffic to open ports
> $IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
>
> #echo -e- Dropping input TCP and UDP traffic to closed ports
> # $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
>
> #echo -e- Dropping output TCP and UDP traffic to closed ports
> # $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
>
> #echo -e- Dropping input traffic to remaining protocols sent to closed ports
> # $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
>
> #echo -e- Dropping output traffic to remaining protocols sent to closed ports
> # $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
>
> Everything works fine with the REJECT rules commented out, but when they
> are included SSH access is blocked. Not sure why; isn't the sequence
> correct (i.e., the ACCEPT entries before the DROP and REJECT)? Also, any
> pointers or heads up when going stateless would be greatly appreciated.
>
> Kind Regards,
>
> Nick

-- 
Alan McKinnon
alan.mckin...@gmail.com
Re: [gentoo-user] Re: IPTables - Going Stateless
On 21/05/2013 18:01, Nick Khamis wrote:

> For testing purposes I changed the ssh rule to:
>
> -A TCP -p tcp -m tcp --dport 22 -j ACCEPT
> -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
>
> And still no go. As mentioned before, everything works fine until I try to
> close up the rest of the ports not opened up in the chains UDP and TCP
> stated above:
>
> #echo -e- Dropping input TCP and UDP traffic to closed ports
> -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
>
> #echo -e- Dropping output TCP and UDP traffic to closed ports
> -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
>
> #echo -e- Dropping input traffic to remaining protocols sent to closed ports
> -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
>
> #echo -e- Dropping output traffic to remaining protocols sent to closed ports
> -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
>
> That is when I cannot SSH over to the server.

Now you are feeling the pain.

Drive to where the router is and fix it on the console then put conntrack
back.

-- 
Alan McKinnon
alan.mckin...@gmail.com
Re: [gentoo-user] IPTables - Going Stateless
Hello Everyone,

Thank you so much for your responses. I agree Alan, total pain in the neck!!!
But it's a ticket that was passed down to me. We moved the stateful firewalls
inside the network, broken down to each department. But as a first on-site
defense on our BGP router running Quagga, we only require stateless for
performance reasons.

Jerry, thank you so much! I might need some additional help with the
three-way handshakes. What I did to stay scalable was:

Define a chain:

-N TCP

Handle two-way for a specific service:

-A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp -s 192.168.2.5 --sport 22 -d 192.168.2.0/24 -j ACCEPT
-A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

Accepting input and output requests to services included in the chain:

#echo -e- Accepting input TCP traffic to open ports
-A INPUT -i $INTIF1 -p tcp -j TCP

#echo -e- Accepting output TCP traffic to open ports
-A OUTPUT -o $INTIF1 -p tcp -j TCP

Dropping everything else:

#echo -e- Dropping input TCP to closed ports
$IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst

#echo -e- Dropping output TCP traffic to closed ports
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst

#echo -e- Dropping input traffic to remaining protocols sent to closed ports
$IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e- Dropping output traffic to remaining protocols sent to closed ports
$IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

Hope this keeps me scalable enough to keep the world of pain at bay as much
as possible...

N.
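To make the "what is --syn?" question from earlier in the thread concrete, here is a small Python model (an added example; it is neither iptables nor any script from the thread) that replays an SSH three-way handshake on the server through both rulesets: the first post's, where `-p tcp --syn -j TCP` diverts only bare SYN packets into the TCP chain, and the reworked chain above, which drops `--syn` and adds the `--sport 22` rule for sshd's replies. The model covers only the matches the two scripts actually use (`-p`, `-s`, `-d`, `--sport`, `--dport`, `--syn` and jumps into user chains), ignores the interface match because every packet here is on eth0, and gives the built-in chains an ACCEPT policy because neither script sets one with `-P`. The client address 192.168.2.10 and port 51234 are constructed.

```python
"""Stateless packet-filter model (added example; not iptables and not the
thread's script). Replays the SSH handshake through the first post's
ruleset (only SYN packets reach the TCP chain) and the reworked one
(no --syn, plus a --sport 22 rule for sshd's replies). Server address,
ports and chain names follow the thread; client address/port are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
BUILTIN = {"INPUT", "OUTPUT"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    syn_only: bool = False   # True for a bare SYN; SYN-ACK and ACK are False


@dataclass(frozen=True)
class Rule:
    target: str                 # ACCEPT / DROP / REJECT or a user chain name
    proto: Optional[str] = None
    src: Optional[str] = None   # CIDR, as with -s
    dst: Optional[str] = None   # CIDR, as with -d
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: bool = False           # --syn: SYN set, ACK/RST/FIN clear

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return p.syn_only or not self.syn


def verdict(chains: Dict[str, List[Rule]], chain: str, p: Packet) -> str:
    """First matching terminal rule wins. A user chain with no match returns
    to its caller; a built-in chain with no match applies its policy, ACCEPT
    here because neither posted script sets one with -P."""
    for rule in chains[chain]:
        if not rule.matches(p):
            continue
        if rule.target in TERMINAL:
            return rule.target
        sub = verdict(chains, rule.target, p)   # jump into the user chain
        if sub != "RETURN":
            return sub
    return "ACCEPT" if chain in BUILTIN else "RETURN"


SERVER = "192.168.2.5"
CLIENT, CLIENT_PORT = "192.168.2.10", 51234   # constructed for the example


def original_ruleset() -> Dict[str, List[Rule]]:
    """TCP part of the first script: only SYN packets reach the TCP chain."""
    tcp = [Rule("ACCEPT", "tcp", "192.168.2.0/24", SERVER, dport=22),
           Rule("DROP", "tcp", "0.0.0.0/0", SERVER, dport=22)]
    builtin = [Rule("TCP", "tcp", syn=True), Rule("UDP", "udp"),
               Rule("REJECT", "tcp"), Rule("REJECT", "udp"), Rule("REJECT")]
    return {"TCP": tcp, "UDP": [], "INPUT": builtin, "OUTPUT": builtin}


def reworked_ruleset() -> Dict[str, List[Rule]]:
    """The later script: no --syn, and sshd's replies (source port 22) pass."""
    tcp = [Rule("ACCEPT", "tcp", "192.168.2.0/24", SERVER, dport=22),
           Rule("ACCEPT", "tcp", SERVER, "192.168.2.0/24", sport=22),
           Rule("DROP", "tcp", "0.0.0.0/0", SERVER, dport=22)]
    builtin = [Rule("TCP", "tcp"), Rule("REJECT", "tcp"), Rule("REJECT")]
    return {"TCP": tcp, "INPUT": builtin, "OUTPUT": builtin}


def ssh_handshake(chains: Dict[str, List[Rule]]) -> List[str]:
    """Verdicts on the server for SYN (INPUT), SYN-ACK (OUTPUT), ACK (INPUT)."""
    steps: List[Tuple[str, Packet]] = [
        ("INPUT", Packet("tcp", CLIENT, SERVER, CLIENT_PORT, 22, syn_only=True)),
        ("OUTPUT", Packet("tcp", SERVER, CLIENT, 22, CLIENT_PORT)),
        ("INPUT", Packet("tcp", CLIENT, SERVER, CLIENT_PORT, 22)),
    ]
    return [verdict(chains, chain, p) for chain, p in steps]


def shared_chain_caveat(chains: Dict[str, List[Rule]]) -> str:
    """One TCP chain serves both directions, so the reply rule meant for
    OUTPUT also matches an inbound packet that merely carries the server's
    own address and source port 22, whatever port it is aimed at."""
    return verdict(chains, "INPUT", Packet("tcp", SERVER, SERVER, 22, 3306))


if __name__ == "__main__":
    print("original (--syn):", ssh_handshake(original_ruleset()))
    print("reworked        :", ssh_handshake(reworked_ruleset()))
    print("inbound sport 22 via shared chain:", shared_chain_caveat(reworked_ruleset()))
```

Run stand-alone, the original ruleset gives ACCEPT, REJECT, REJECT: the SYN is accepted, but the server's SYN-ACK carries the ACK flag, so `--syn` does not match it, it never reaches the TCP chain, and the trailing `-p tcp -j REJECT` answers it with a RST (this is exactly why everything worked while the REJECT lines were commented out). The reworked ruleset gives ACCEPT for all three steps. The third check shows the price of reusing one chain for both directions: the reply rule also accepts an inbound packet that claims the server's address and source port 22, so keeping a separate chain per direction, and not listing your own addresses as permitted sources on the outside interface (or relying on rp_filter to drop them), keeps that rule from applying where it was never meant to.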
[gentoo-user] Re: IPTables - Going Stateless
Neal,

As for the --sport flag for OUTPUT, should it not be left arbitrary? The SSH
daemon should use unprivileged ports between 1024 and 65535. The only daemon
I know thus far that does not is NTP, which is hardwired to 123 both ways.

Thanks Guys,

Nick.
Re: [gentoo-user] Seamonkey and path to internet
Neil Bothwick wrote:
> On Tue, 21 May 2013 07:45:28 -0700, Fast Turtle wrote:
>
>>> Under proxies, I have direct connection checked. I forgot to mention
>>> that even tho I checked it to make sure how it was set up. I hope this
>>> is something besides a bug since it affects both versions in the tree.
>>> :-?
>>
>> if it's affecting both versions, then it's a bug. Very rarely will you
>> see both showing the same problem and that does indicate something is
>> badly screwed up somewhere.
>
> Yes, but it may not be a bug; Dale could have a broken configuration. Dale,
> have you tried with a new user or vanilla config?

I thought about renaming my config to *.old and trying that. Thing is, I
have YEARS worth of emails on here that I don't want to lose or anything.

I will say this, it worked fine with the old version UNTIL I did the upgrade.
I sort of think it is something under Seamonkey that got updated but don't
know what that is. Maybe some network package or something like that.

I may experiment with that later on tho. I'll make a nice and shiny new set
of backups first tho.

Dale

:-) :-)

-- 
I am only responsible for what I said ... Not for what you understood or how
you interpreted my words!
Re: [gentoo-user] Seamonkey and path to internet
On Tue, 21 May 2013 12:09:41 -0500, Dale wrote:

> I thought about renaming my config to *.old and trying that. Thing is, I
> have YEARS worth of emails on here that I don't want to lose or anything.

Create another user and see how it works for them. That way your config
stays untouched.

> I will say this, it worked fine with the old version UNTIL I did the
> upgrade. I sort of think it is something under Seamonkey that got updated
> but don't know what that is. Maybe some network package or something like
> that.

That sounds reasonable, time to start poring over the output of
{q,gen}lop -l

-- 
Neil Bothwick

I can picture in my mind a world without war, a world without hate. And I
can picture us attacking that world, because they'd never expect it.
Re: [gentoo-user] Seamonkey and path to internet
Neil Bothwick wrote:
> On Tue, 21 May 2013 12:09:41 -0500, Dale wrote:
>
>> I thought about renaming my config to *.old and trying that. Thing is, I
>> have YEARS worth of emails on here that I don't want to lose or anything.
>
> Create another user and see how it works for them. That way your config
> stays untouched.

I have a test user for KDE. May give that a try. I think I can login as it
and let it sit while I use my primary user too. I'm on my puter too much to
stay logged off for long. Plus we got storms headed this way and they have
had major tornadoes out of it so I ain't staying away from the radar long for
sure now.

>> I will say this, it worked fine with the old version UNTIL I did the
>> upgrade. I sort of think it is something under Seamonkey that got updated
>> but don't know what that is. Maybe some network package or something like
>> that.
>
> That sounds reasonable, time to start poring over the output of
> {q,gen}lop -l

I wish I had done that BEFORE I did the emerge -e world. I also wish I had
made a note of the date it first did it too. Dang that hindsight. ;-)

Dale

:-) :-)

-- 
I am only responsible for what I said ... Not for what you understood or how
you interpreted my words!
Re: [gentoo-user] Seamonkey and path to internet
On 05/20/2013 07:08 PM, Dale wrote:
> Howdy,
>
> I noticed over the past few weeks an interesting issue. When I leave
> Seamonkey open for several hours, it loses its connection to the internet.
> If I open Firefox, it works fine. I can ping in a Konsole too. In
> Seamonkey tho, not even a simple page like google will work. If I close
> Seamonkey and then restart it, it works fine. I don't have to log out of
> KDE or anything either. Just restart Seamonkey and it works for a few more
> hours. Also, it affects both browser and email.

Try visiting an IP address instead of a hostname. There's an internal DNS
cache; if that's what's stopped working you can turn it off with

  http://kb.mozillazine.org/Network.dnsCacheExpiration

in about:config. And hopefully that avoids the lookup entirely.
Re: [gentoo-user] Seamonkey and path to internet
Michael Orlitzky wrote:
> On 05/20/2013 07:08 PM, Dale wrote:
>> Howdy,
>>
>> I noticed over the past few weeks an interesting issue. When I leave
>> Seamonkey open for several hours, it loses its connection to the
>> internet. If I open Firefox, it works fine. I can ping in a Konsole too.
>> In Seamonkey tho, not even a simple page like google will work. If I
>> close Seamonkey and then restart it, it works fine. I don't have to log
>> out of KDE or anything either. Just restart Seamonkey and it works for a
>> few more hours. Also, it affects both browser and email.
>
> Try visiting an IP address instead of a hostname. There's an internal DNS
> cache; if that's what's stopped working you can turn it off with
>
>   http://kb.mozillazine.org/Network.dnsCacheExpiration
>
> in about:config. And hopefully that avoids the lookup entirely.

Dang, that thing was set to like forever. Default according to your link was
supposed to be like 60 or something. Mine was set to over 250,000. O_O

Maybe that will fix this thing. I seem to recall it would have looking up at
the bottom. The is whatever website I was trying to get to. I'm not sure
this is it but thanks much!! Should know pretty soon.

Dale

:-) :-)

-- 
I am only responsible for what I said ... Not for what you understood or how
you interpreted my words!
Re: [gentoo-user] Re: IPTables - Going Stateless
On Tue, May 21, 2013 at 12:53 PM, Nick Khamis sym...@gmail.com wrote:

> Neal,
>
> As for the --sport flag for OUTPUT, should it not be left arbitrary? The
> SSH daemon should use unprivileged ports between 1024 and 65535. The only
> daemon I know thus far that does not is NTP, which is hardwired to 123
> both ways.

Most daemons send/receive on the same port on the server. The port used by
the /client/ is generally random.

An exception would be an FTP daemon, which uses port 20 for active mode data
connections, but a random port for passive data connections. FTP is weird
like that.
Re: [gentoo-user] Re: IPTables - Going Stateless
Anyone advocating stateless firewalls in 2013 deserves scrutiny. I would be asking for some evidence there is a performance issue, and that the best solution to the problem is to turn off stateful inspection.
Re: [gentoo-user] Seamonkey and path to internet
D == Dale rdalek1...@gmail.com writes:

D> I thought about renaming my config to *.old and trying that. Thing is,
D> I have YEARS worth of emails on here that I don't want to lose or anything.

Start it with:

  seamonkey -no-remote -ProfileManager

create a new profile and then start that profile. Does it still stop
working?

You might need to run:

  seamonkey -P default

once after the experiment to ensure that starting seamonkey without args
defaults to the original profile again.

-JimC
-- 
James Cloos cl...@jhcloos.com
OpenPGP: 1024D/ED7DAEA6
Re: [gentoo-user] problems merging python packages
On 20 May 2013, at 13:54, Tamer Higazi wrote:

>> Stupid question, but did you run emerge as root or with sudo?
>
> answer to stupid response: as a normal user you wouldn't be capable to
> merge anything. OF COURSE I DID IT AS ROOT!

I was reluctant to reply at first, but since you haven't had any other
responses in the last 24 hours, may I suggest that you:

1) re-read the stupid response and look up any words you don't understand.
2) address the concerns raised by the stupid question.
3) refrain from top-posting on this list.

I might be misinterpreting your reply, and I apologise if I'm wrong, but it
appears hostile or dismissive. It appears to me like you have not fully
understood the question, and your response looks like you're berating
staticsafe for asking it. The question is not actually stupid (although it
may or may not isolate your problem in the end) - staticsafe merely asked in
a modest manner.

If others share my interpretation of your response (hostile, dismissive &c)
then it might explain why no-one else has stepped forward to assist you.

Obviously no-one can be blamed for making an error in a foreign language. If
this is the cause of our collective misunderstanding then I hope you'll
forgive me for bringing it to your attention.

Stroller.
[gentoo-user] Re: IPTables - Going Stateless
Adam Carter adamcarter3 at gmail.com writes:

> Anyone advocating stateless firewalls in 2013 deserves scrutiny. I would
> be asking for some evidence there is a performance issue, and that the
> best solution to the problem is to turn off stateful inspection.

There are lots of tools and approaches to security. Here is something you
might want to investigate further:

Stateless Firewall Filters: great for fending off DDOS and such...

Instead of the Maginot wall (firewall router), several different security
devices can be layered in a serial path to perform various and different
security functions.

Here is a starting point by a fairly reputable routing vendor:

http://www.juniper.net/techpubs/en_US/junos12.2/topics/concept/firewall-filter-overview.html

http://www.juniper.net/techpubs/software/junos-security/junos-security10.3/junos-security-swconfig-interfaces-and-routing/topic-47671.html

http://www.juniper.net/techpubs/en_US/junos/topics/concept/firewall-filter-types.html

James