> Migrating like that is a bit insane IMO [you wouldn't want to do a
> straight 1 to 1 migration, otherwise you don't gain any of netfilter's
> real benefits] - and that really wouldn't be the point of me giving
> such a talk - there is theory behind all this madness, as well as some
> general good/bads. [one such bad which is far too popular is blocking
> all ICMP.  Can we *PLEASE* stop doing that?]

which is why he discusses it as per solutions...

ie.

he doesn't answer the Qs like "i have ipchains -p TCP etc. etc. in my
chain-config, what's the netfilter equivalent?"

instead he answers Qs like "i want a NAT box. how do i do this in netfilter?"
or "i want to block forwarded packets to this IP address. how do i do this
in netfilter?"


you're right though. you definitely need to adjust the way you approach
filtering when migrating from ipchains -> netfilter.

BTW: for those that care, the most important point is the way the chains
work. my understanding of the situation is thus:

for ipchains:

---> in ----> INPUT ---> FORWARD ---> out --->
              |           /\
              \/           |
          system ---> OUTPUT

for netfilter:

---> in ---> INPUT ---> system ---> OUTPUT ---> out --->
      \                                         /
       ---------------->FORWARD ---------->-----


ie. you now have some sanity in the rules. packets only traverse a single
default chain depending on where they are headed. so you can change the
forwarding filter rules without affecting packets heading out of the
system and you can change the inbound rules without affecting the
forwarding...

please slap me around a bit if i have this wrong.

later
marty


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug

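Added illustration of the chain-traversal point made in the message above; this is not code from the post or from the ipchains/netfilter projects. It is a toy model: a packet arriving on the wire passes through input, then forward, then output under ipchains if it is not for the box itself, and through exactly one of INPUT, FORWARD or OUTPUT under netfilter. Rule matching is simplified to protocol, destination and port, and LOCAL_ADDRS, the rulesets and the two sample packets are constructed for the demo. The payoff is the last two results: the same "drop inbound telnet" rule in the input chain also kills forwarded telnet under ipchains, while under netfilter the FORWARD chain is untouched.

```python
"""Toy model of filter-chain traversal under ipchains (2.2) and netfilter (2.4).
Added example, not code from the mailing-list post; LOCAL_ADDRS, the
rulesets and the sample packets are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: the addresses this box itself owns.
LOCAL_ADDRS = {"192.0.2.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    target: str                   # "ACCEPT" or "DROP"
    proto: Optional[str] = None   # None matches any protocol
    dst: Optional[str] = None     # None matches any destination
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


# A chain is an ordered rule list plus a default policy, as in both tools.
Chain = Tuple[List[Rule], str]
Ruleset = Dict[str, Chain]


def chain_verdict(chain: Chain, pkt: Packet) -> str:
    """First matching rule wins; otherwise the chain's policy applies."""
    rules, policy = chain
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def ipchains_path(pkt: Packet, origin: str) -> List[str]:
    """ipchains: everything off the wire hits input first; if it is not for
    us it continues through forward and then output.  Locally generated
    traffic only sees output."""
    if origin == "wire":
        if pkt.dst in LOCAL_ADDRS:
            return ["input"]
        return ["input", "forward", "output"]
    return ["output"]


def netfilter_path(pkt: Packet, origin: str) -> List[str]:
    """netfilter: exactly one filter chain per packet, chosen by where the
    packet is headed (the 'sanity' the post refers to)."""
    if origin == "wire":
        return ["INPUT"] if pkt.dst in LOCAL_ADDRS else ["FORWARD"]
    return ["OUTPUT"]


def filter_packet(ruleset: Ruleset, path, pkt: Packet,
                  origin: str) -> Tuple[str, Optional[str]]:
    """Walk the chains the packet traverses; the first DROP ends the walk.
    Returns (verdict, chain that dropped it or None)."""
    for name in path(pkt, origin):
        if chain_verdict(ruleset[name], pkt) == "DROP":
            return ("DROP", name)
    return ("ACCEPT", None)


# Constructed rulesets: the admin wants to stop telnet *to the box* and
# writes the obvious rule in the inbound chain, leaving forwarding open.
IPCHAINS_RULES: Ruleset = {
    "input":   ([Rule("DROP", proto="tcp", dport=23)], "ACCEPT"),
    "forward": ([], "ACCEPT"),
    "output":  ([], "ACCEPT"),
}
NETFILTER_RULES: Ruleset = {
    "INPUT":   ([Rule("DROP", proto="tcp", dport=23)], "ACCEPT"),
    "FORWARD": ([], "ACCEPT"),
    "OUTPUT":  ([], "ACCEPT"),
}

TELNET_TO_BOX = Packet("198.51.100.7", "192.0.2.1", "tcp", 23)    # constructed
TELNET_THROUGH = Packet("198.51.100.7", "203.0.113.9", "tcp", 23)  # constructed


def compare(pkt: Packet) -> Dict[str, Tuple[str, Optional[str]]]:
    """Same intent, both tools: where does a wire packet get dropped?"""
    return {
        "ipchains": filter_packet(IPCHAINS_RULES, ipchains_path, pkt, "wire"),
        "netfilter": filter_packet(NETFILTER_RULES, netfilter_path, pkt, "wire"),
    }


if __name__ == "__main__":
    for label, pkt in (("telnet to the box", TELNET_TO_BOX),
                       ("telnet forwarded", TELNET_THROUGH)):
        print(label, compare(pkt))
```

Under ipchains the fix is to pin the rule to the box's own address (the `dst` field here, `-d` on the real command line) so forwarded traffic is not caught; under netfilter the chain itself already expresses that scope, which is what "change the inbound rules without affecting the forwarding" means in practice.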