Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-09 Thread Dave Nebinger
# Generated by iptables-save v1.3.2 on Thu Sep 8 12:32:48 2005 *nat :PREROUTING ACCEPT [34942:3100331] :POSTROUTING ACCEPT [106864:7597940] :OUTPUT ACCEPT [106858:7597722] :net_dnat - [0:0] :w1ad_masq - [0:0] -A PREROUTING -i w1ad -j net_dnat -A POSTROUTING -o w1ad -j w1ad_masq -A net_dnat -p udp

RE: [gentoo-user] Re: iptables example on Gentoo

2005-09-09 Thread Michael Kintzios
> -Original Message- > From: Dave Nebinger [mailto:[EMAIL PROTECTED] > Sent: 08 September 2005 17:42 > To: gentoo-user@lists.gentoo.org > Subject: Re: [gentoo-user] Re: iptables example on Gentoo > [snip] > It does generate iptable rules, but they are customiz

Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-08 Thread Jerry McBride
On Thursday 08 September 2005 01:23 am, James wrote: > gentuxx gmail.com> writes: > > Why not just sit down and read the source? > > I'm sure that's going to happen too. But having a > working machine with iptables/netfilter is like > having a lab-class to go with the > (theory) lecture part of th

Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-08 Thread kashani
James wrote: > OK, whatever this means Sorry to offend, but, I did not like having Shorewall or anything else shoved down my throat. The title of the email was and is 'iptables example on Gentoo'. It's a shame we had to get so heated before folks actually started talking about iptables/netfilt

[gentoo-user] Re: iptables example on Gentoo

2005-09-08 Thread James
Dave Nebinger joat.com> writes: > Up to now I haven't really wanted to have someone bounced from the list; but > your lack of sensitivity and generally insulting manners make you the first > obvious candidate for such a bouncing. Ok your call, let me know. > Why do you think that iptables

Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-08 Thread Neil Bothwick
On Thu, 8 Sep 2005 16:19:53 + (UTC), James wrote: > > By picking up a bunch of rules from some web site somewhere, you run > > the risk of learning from bad rules (like learning HTML by picking > > apart web sites). If a well known and well used program like > > Shorewall generated bad rules,

Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-08 Thread Dave Nebinger
OK, good point. But several folks have mentioned that shorewall is not a one-to-one tool for straight iptables/netfilters implementations. It has things that are not part of a raw usage of iptables/netfilters. My goal is to learn as much about iptables/netfilters on a Gentoo X86 firewall, before I

[gentoo-user] Re: iptables example on Gentoo

2005-09-08 Thread James
Neil Bothwick digimed.co.uk> writes: > So try out some of the standard configurations in Shorewall. Read the > Shorewall scripts to see what they are trying to do then examine the > iptables rules they create to see how it does it. That gives you exactly > what you were asking for, a set of stan

Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-08 Thread Rumen Yotov
On Thu, 2005-09-08 at 01:34 +, James wrote: > Bryan Whitehead megahappy.net> writes: > > > > > Wow, that is news to me... I've always just banged out iptables rules and > > then saved them... > > > Got anything to share? Surely a 3 nic firewall { > WAN(single IP), LAN and DMZ, with a web

Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-08 Thread Neil Bothwick
On Thu, 8 Sep 2005 01:23:26 + (UTC), James wrote: > > Why not just sit down and read the source? > > I'm sure that's going to happen too. But having a > working machine with iptables/netfilter is like > having a lab-class to go with the > (theory) lecture part of the class, methinks. So

[gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread James
Bryan Whitehead megahappy.net> writes: > > Wow, that is news to me... I've always just banged out iptables rules and > then saved them... Got anything to share? Surely a 3 nic firewall { WAN(single IP), LAN and DMZ, with a web server and eventually 2 dns servers on the DMZ is not really a big

[gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread James
gentuxx gmail.com> writes: > Why not just sit down and read the source? I'm sure that's going to happen too. But having a working machine with iptables/netfilter is like having a lab-class to go with the (theory) lecture part of the class, methinks. YMMV. James -- gentoo-user@gentoo.o

Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread gentuxx
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 James wrote: >Dave Nebinger joat.com> writes: > > > > < BIIIG SNIP > > > > >A beautiful woman once asked why she married the mechanic >out of all the numerous suitors beckoning to her. She replied >"because he torn it up on the first night, and h

[gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread James
Dave Nebinger joat.com> writes: > I know iptables/netfilter. I've worked through all of the online > documentation, I've read iptables books, I've implemented firewalls using > just iptables. got any scripts/ files to share? > Knowing all of that information, I still suggest using a tool to

RE: [gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread Dave Nebinger
> As far as functionality and rule set development, I don't think there > is that much of a difference between 2.4 and 2.6. I'm sure there are > tons of cool things that go on under the hood that I don't really know > about, but the implementation is basically the same. 2.6 kernels may > offer ne

Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread Holly Bostick
James wrote: > Holly Bostick planet.nl> writes: > > >> Good morning, this is the general users list. If you want the >> security experts, try > > >> gentoo-security For the discussion of security issues and fixes >> gentoo-hardened For a security hardened version of Gentoo > >

Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread gentuxx
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 James wrote: >gentuxx gmail.com> writes: > > > >>I think, perhaps, you misunderstood what I was saying. My >>understanding of shorewall was that it was a script (or series of >>scripts) that look for the previously specified config files and do >>"co

RE: [gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread Dave Nebinger
> > That's all I'm going to say in the face of all this needlessly insulting > > behaviour. > > Holly, I have not nor do not intend to insult or constipate anyone. > Sincere apologies. However, I find this very strange that published > rulesets do not exist for iptables/netfilter, for simple and c

[gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread James
gentuxx gmail.com> writes: > I think, perhaps, you misunderstood what I was saying. My > understanding of shorewall was that it was a script (or series of > scripts) that look for the previously specified config files and do > "cool stuff" with the information contained in them. I was simply

[gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread James
Holly Bostick planet.nl> writes: > Good morning, this is the general users list. If you want the security > experts, try > gentoo-security For the discussion of security issues and fixes > gentoo-hardened For a security hardened version of Gentoo You mean I have to go to this group

[gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread James
Rumen Yotov dir.bg> writes: > IMO OpenBSD initial goal was just that - to be very secure even in its > default install. Haven't seen such claim for Gentoo (plain). Huh? "This release also gives provides two additional x86 LiveCD images, in combination with the minimal and universal InstallCD

RE: [gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread Dave Nebinger
> > > I think it might be important to point out here how Shorewall > > > handles/uses these files. I don't use Shorewall, so I can't really > > > shed light on it. But these config files are really only one side of > > > the mirror. > > Sorry, I HAVE ZERO INTEREST IN A GUI, UNLESS THE RESULTIN

Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread gentuxx
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 James wrote: >Dave Nebinger joat.com> writes: > > >>>I think it might be important to point out here how Shorewall >>>handles/uses these files. I don't use Shorewall, so I can't really >>>shed light on it. But these config files are really only one s

Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread Holly Bostick
James wrote: > > (Booo) > > > The really sad thing in this whole thread, is nobody > has even mentioned which (kernel) sources to use, what > to disable/enable and why. Is this some sort of deep secret > or is the gentoo community un_caring about those who > simply want to learn about iptable

Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread Rumen Yotov
Hi, James wrote: Dave Nebinger joat.com> writes: I think it might be important to point out here how Shorewall handles/uses these files. I don't use Shorewall, so I can't really shed light on it. But these config files are really only one side of the mirror. Sorry, I HAVE ZE

[gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread James
Dave Nebinger joat.com> writes: > > I think it might be important to point out here how Shorewall > > handles/uses these files. I don't use Shorewall, so I can't really > > shed light on it. But these config files are really only one side of > > the mirror. Sorry, I HAVE ZERO INTEREST IN A GU

RE: [gentoo-user] Re: iptables example on Gentoo

2005-09-07 Thread Dave Nebinger
> I think it might be important to point out here how Shorewall > handles/uses these files. I don't use Shorewall, so I can't really > shed light on it. But these config files are really only one side of > the mirror. Actually these files are typically the only ones you'll need to edit... /etc/

Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-06 Thread W.Kenworthy
Also check out monmotha for a good script that should handle this. However, as others have pointed out, home brew firewall scripts, especially with someone who admits they are lost is a recipe for disaster. Pick something like shorewall or monmotha and modify - carefully. There is a very good re

Re: [gentoo-user] Re: iptables example on Gentoo

2005-09-06 Thread gentuxx
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Dave Nebinger wrote: >>If shorewall is so easy, then just email >>to me the config files for a 3 nic network, with DMZ based web server, >>and only internally (LAN) initiated connections allowed, in the form >>of config files, OK? > > >Sure, there's 5

RE: [gentoo-user] Re: iptables example on Gentoo

2005-09-06 Thread Dave Nebinger
> It's not a parade, it's what old-timers do, it's how I learn. I started that way too (being an old-timer myself ;-) However after consuming info available on the net and buying/reading an iptables book, I quickly came to realize that it's quite easy to shoot yourself in the foot with iptables.

[gentoo-user] Re: iptables example on Gentoo

2005-09-06 Thread James
Dave Nebinger joat.com> writes: > > > If shorewall is so easy, then just email > > to me the config files for a 3 nic network, with DMZ based web server, > > and only internally (LAN) initiated connections allowed, in the form > > of config files, OK? > > Sure, there's 5 files you'd need to set

RE: [gentoo-user] Re: iptables example on Gentoo

2005-09-06 Thread Dave Nebinger
> If shorewall is so easy, then just email > to me the config files for a 3 nic network, with DMZ based web server, > and only internally (LAN) initiated connections allowed, in the form > of config files, OK? Sure, there's 5 files you'd need to set up and, as per your request, it is limited to we

[gentoo-user] Re: iptables example on Gentoo

2005-09-06 Thread James
Holly Bostick planet.nl> writes: > If you're trying to learn, James, there is something to be said for > Dave's position; it's not as if the config files are going to disappear > just because you used shorewall to write them with correct settings. Following this example, I've had no problems, o