-Original Message-
From: Dave Nebinger [mailto:[EMAIL PROTECTED]
Sent: 08 September 2005 17:42
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: iptables example on Gentoo
[snip]
It does generate iptable rules, but they are customized for
shorewall's
purposes
# Generated by iptables-save v1.3.2 on Thu Sep 8 12:32:48 2005
*nat
:PREROUTING ACCEPT [34942:3100331]
:POSTROUTING ACCEPT [106864:7597940]
:OUTPUT ACCEPT [106858:7597722]
:net_dnat - [0:0]
:w1ad_masq - [0:0]
-A PREROUTING -i w1ad -j net_dnat
-A POSTROUTING -o w1ad -j w1ad_masq
-A net_dnat -p
On Thu, 8 Sep 2005 01:23:26 + (UTC), James wrote:
Why not just sit down and read the source?
I'm sure that's going to happen too. But having a
working machine with iptables/netfilter is like
having a lab-class to go with the
(theory) lecture part of the class, methinks.
So try
On Thu, 2005-09-08 at 01:34 +, James wrote:
Bryan Whitehead driver at megahappy.net writes:
Wow, that is news to me... I've always just banged out iptables rules and
then saved them...
Got anything to share? Surely a 3 nic firewall {
WAN(single IP), LAN and DMZ, with a web
Neil Bothwick neil at digimed.co.uk writes:
So try out some of the standard configurations in Shorewall. Read the
Shorewall scripts to see what they are trying to do then examine the
iptables rules they create to see how it does it. That gives you exactly
what you were asking for, a set of
OK, good point. But several folks have mentioned that shorewall is
not a one-to-one tool for straight iptables/netfilters implementations.
It has things that are not part of a raw usage of iptables/netfilters.
My goal is to learn as much about iptables/netfilters on a Gentoo X86
firewall, before
On Thu, 8 Sep 2005 16:19:53 + (UTC), James wrote:
By picking up a bunch of rules from some web site somewhere, you run
the risk of learning from bad rules (like learning HTML by picking
apart web sites). If a well known and well used program like
Shorewall generated bad rules, they'd
Dave Nebinger dnebinger at joat.com writes:
Up to now I haven't really wanted to have someone bounced from the list; but
your lack of sensitivity and generally insulting manners make you the first
obvious candidate for such a bouncing.
Ok your call, let me know.
Why do you think that
James wrote:
OK, whatever this means
Sorry to offend, but, I did not like having Shorewall or anything
else shove down my throat. The title of the email was
and is 'iptables example on Gentoo'. It a shame we had to get so
heated before folks actually started talking about
On Thursday 08 September 2005 01:23 am, James wrote:
gentuxx gentuxx at gmail.com writes:
Why not just sit down and read the source?
I'm sure that's going to happen too. But having a
working machine with iptables/netfilter is like
having a lab-class to go with the
(theory) lecture part of
I think it might be important to point out here how Shorewall
handles/uses these files. I don't use Shorewall, so I can't really
shed light on it. But these config files are really only one side of
the mirror.
Actually these files are typically the only ones you'll need to edit...
Dave Nebinger dnebinger at joat.com writes:
I think it might be important to point out here how Shorewall
handles/uses these files. I don't use Shorewall, so I can't really
shed light on it. But these config files are really only one side of
the mirror.
Sorry, I HAVE ZERO INTEREST IN
Hi,
James escreveu:
Dave Nebinger dnebinger at joat.com writes:
I think it might be important to point out here how Shorewall
handles/uses these files. I don't use Shorewall, so I can't really
shed light on it. But these config files are really only one side of
the mirror.
James schreef:
snip
(Booo) this is where the Gentooers mess their britches?
The really sad thing in this whole thread, is nobody
has even mentiond which (kernel) sources to use, what
to disable/enable and why. Is this some sort of deep secret
or is the gentoo community un_caring about
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
James wrote:
Dave Nebinger dnebinger at joat.com writes:
I think it might be important to point out here how Shorewall
handles/uses these files. I don't use Shorewall, so I can't really
shed light on it. But these config files are really only one
Rumen Yotov rumen_yotov at dir.bg writes:
IMO OpenBSD initial goal was just that - to be very secure even in it's
default install. Haven't seen such claim for Gentoo (plain).
Huh?
This release also gives provides two additional x86 LiveCD images, in
combination with the minimal and
Holly Bostick motub at planet.nl writes:
Good morning, this is the general users list. If you want the security
experts, try
gentoo-security For the discussion of security issues and fixes
gentoo-hardened For a security hardened version of Gentoo
You mean I have to go to this
gentuxx gentuxx at gmail.com writes:
I think, perhaps, you misunderstood what I was saying. My
understanding of shorewall was that it was a script (or series of
scripts) that look for the previously specified config files and do
cool stuff with the information contained in them. I was
That's all I'm going to say in the face of all this needlessly insulting
behaviour.
Holly, I have not nor do not intend to insult or constipate anyone.
Sincere apologies. However, I find this very strange that published
rulesets do not exist for iptables/netfilter, for simple and common
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
James wrote:
gentuxx gentuxx at gmail.com writes:
I think, perhaps, you misunderstood what I was saying. My
understanding of shorewall was that it was a script (or series of
scripts) that look for the previously specified config files and do
cool
James schreef:
Holly Bostick motub at planet.nl writes:
Good morning, this is the general users list. If you want the
security experts, try
gentoo-security For the discussion of security issues and fixes
gentoo-hardened For a security hardened version of Gentoo
You
As far as functionality and rule set development, I don't think there
is that much of a difference between 2.4 and 2.6. I'm sure there are
tons of cool things that go on under the hood that I don't really know
about, but the implementation is basically the same. 2.6 kernels may
offer newer
Dave Nebinger dnebinger at joat.com writes:
I know iptables/netfilter. I've worked through all of the online
documentation, I've read iptables books, I've implemented firewalls using
just iptables.
got any scripts/ files to share?
Knowing all of that information, I still suggest using a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
James wrote:
Dave Nebinger dnebinger at joat.com writes:
BIIIG SNIP
A beautiful woman once asked why she married the mechanic
out of all the numerous suitors beckoning to her. She replied
because he torn it up on the first night, and has
gentuxx gentuxx at gmail.com writes:
Why not just sit down and read the source?
I'm sure that's going to happen too. But having a
working machine with iptables/netfilter is like
having a lab-class to go with the
(theory) lecture part of the class, methinks.
YMMV.
James
--
Bryan Whitehead driver at megahappy.net writes:
Wow, that is news to me... I've always just banged out iptables rules and
then saved them...
Got anything to share? Surely a 3 nic firewall {
WAN(single IP), LAN and DMZ, with a web server and eventually
2 dns servers on the DMZ is not really
Holly Bostick motub at planet.nl writes:
If you're trying to learn, James, there is something to be said for
Dave's position; it's not as if the config files are going to disappear
just because you used shorewall to write them with correct settings.
Following this example, I've had no
If shorewall is so easy, then just email
to me the config files for a 3 nic network, with DMZ based web server,
and only internally (LAN) initiated connections allowed, in the form
of config files, OK?
Sure, there's 5 files you'd need to set up and, as per your request, it is
limited to web
Dave Nebinger dnebinger at joat.com writes:
If shorewall is so easy, then just email
to me the config files for a 3 nic network, with DMZ based web server,
and only internally (LAN) initiated connections allowed, in the form
of config files, OK?
Sure, there's 5 files you'd need to
It's not a parade, it's what old-timers do, it's how I learn.
I started that way too (being an old-timer myself ;-)
However after consuming info available on the net and buying/reading an
iptables book, I quickly came to realize that it's quite easy to shoot
yourself in the foot with iptables.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Dave Nebinger wrote:
If shorewall is so easy, then just email
to me the config files for a 3 nic network, with DMZ based web server,
and only internally (LAN) initiated connections allowed, in the form
of config files, OK?
Sure, there's 5 files
Also check out monmotha for a good script that should handle this.
However, as others have pointed out, home brew firewall scripts,
especially with someone who admits they are lost is a recipe for
disaster. Pick something like shorewall or monmotha and modify -
carefully. There is a very good
32 matches
Mail list logo
