> Is there a recommended way to add arbitrary iptables rules to shorewall?
> I was thinking I could add them via the 'start' or 'started' extension
> scripts, but wasn't sure if that was a good idea or not? Any better
> suggestions?

My own experience is it's much better to translate the intent of all existing 
IPtables rules into Shorewall rules, get them all working as desired, then 
throw the old IPtables rules away completely. Why?

1) Having some rules in IPtables and other rules in Shorewall is a maintenance 
nightmare when you go to change something. Where is it? How do I change it?

2) Weird problems that are at root due to conflicting IPtables and Shorewall 
rules. Which one takes precedence? Why doesn't this rule work as desired? Why 
does this rule work sometimes but not other times depending on which commands I 
issued to get here?

3) Debugging is very difficult because Shorewall and IPtables might not do 
something exactly the same way. Several common rules can be implemented more 
than one way. In these cases it's normal to choose the method that is most 
"syntactically convenient" in the tool being used, but sometimes that results 
in different choices in IPtables and Shorewall. 

4) Double training: if you get a helper, you have to teach them _both_ 
Shorewall and IPtables. (also two mailing lists to follow rather than just 
one:-)

thanks! -Chuck Kollars
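To make "translate the intent of each IPtables rule into a Shorewall rule" concrete, here is an added example (not code from the thread or from the Shorewall project) that mechanically converts the simplest filter-table rules into lines for Shorewall's rules file (columns ACTION, SOURCE, DEST, PROTO, DPORT) and hands everything else back for manual work. The interface-to-zone map, the `$FW` zone name and the restriction to INPUT/OUTPUT rules with plain `-s`/`-d`/`-p`/`--dport` matches are assumptions; anything with connection-state matches, FORWARD chains or other targets is deliberately left untranslated so the intent gets reviewed by a person rather than guessed.

```python
"""Translate simple iptables filter rules into Shorewall rules-file lines.

Added example, not from the mailing-list thread. Assumptions: the
interface-to-zone map below, the firewall zone is called $FW, and only
INPUT/OUTPUT rules with -i/-o, -s/-d, -p, --dport and a terminal -j are
translated; anything else is reported as a leftover for hand translation.
"""
import shlex

# Constructed: which Shorewall zone each interface belongs to (assumption).
IFACE_ZONE = {"eth0": "net", "eth1": "loc"}

# Options this translator understands; each takes exactly one value.
VALUE_OPTS = {"-A", "-I", "-i", "-o", "-s", "-d", "-p", "-m", "--dport", "-j"}
TARGETS = {"ACCEPT", "DROP", "REJECT"}


def parse_iptables(cmd):
    """Split one 'iptables ...' command into an option -> value dict."""
    toks = shlex.split(cmd)
    if not toks or toks[0] != "iptables":
        raise ValueError("not an iptables command: %r" % cmd)
    opts = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok not in VALUE_OPTS or i + 1 >= len(toks):
            raise ValueError("unsupported option %r; translate by hand" % tok)
        opts[tok] = toks[i + 1]
        i += 2
    return opts


def to_shorewall(cmd):
    """Return the rules-file line 'ACTION SOURCE DEST PROTO DPORT' for cmd."""
    opts = parse_iptables(cmd)
    target = opts.get("-j")
    if target not in TARGETS:
        raise ValueError("target %r has no direct Shorewall rule" % target)
    proto = opts.get("-p", "-")
    if "-m" in opts and opts["-m"] != proto:
        raise ValueError("match extension %r needs hand translation" % opts["-m"])
    dport = opts.get("--dport", "-")
    if dport != "-" and proto not in ("tcp", "udp"):
        raise ValueError("--dport only makes sense with tcp or udp")
    chain = opts.get("-A") or opts.get("-I")
    if chain == "INPUT":
        # Traffic into the firewall: source is the interface's zone, dest is $FW.
        zone = IFACE_ZONE.get(opts.get("-i"))
        if zone is None or "-d" in opts:
            raise ValueError("INPUT rule needs a known -i and no -d")
        src = zone + (":" + opts["-s"] if "-s" in opts else "")
        dst = "$FW"
    elif chain == "OUTPUT":
        # Traffic from the firewall: source is $FW, dest is the interface's zone.
        zone = IFACE_ZONE.get(opts.get("-o"))
        if zone is None or "-s" in opts:
            raise ValueError("OUTPUT rule needs a known -o and no -s")
        src = "$FW"
        dst = zone + (":" + opts["-d"] if "-d" in opts else "")
    else:
        raise ValueError("chain %r not handled (FORWARD needs a zone pair)" % chain)
    return "\t".join([target, src, dst, proto, dport])


def translate_all(cmds):
    """Translate what is safe; return (rules, leftovers) so nothing is silently dropped."""
    rules, leftovers = [], []
    for cmd in cmds:
        try:
            rules.append(to_shorewall(cmd))
        except ValueError as exc:
            leftovers.append((cmd, str(exc)))
    return rules, leftovers


if __name__ == "__main__":
    # Constructed sample of legacy rules, not taken from the thread.
    legacy = [
        "iptables -A INPUT -i eth0 -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT",
        "iptables -A OUTPUT -o eth1 -p udp --dport 53 -j ACCEPT",
        "iptables -A INPUT -i eth0 -j DROP",
        "iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    rules, leftovers = translate_all(legacy)
    print("#ACTION\tSOURCE\tDEST\tPROTO\tDPORT")
    print("\n".join(rules))
    for cmd, why in leftovers:
        print("# hand-translate: %s  (%s)" % (cmd, why))
```

The point of the leftovers list is the one Chuck makes under item 3: two rules that look alike in iptables can map to different Shorewall constructs, so the script only emits lines whose meaning is unambiguous and leaves the rest for a person to express in Shorewall's own terms, after which the iptables originals can be retired.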

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users