Andy Eager was once rumoured to have said:
> Certainly pretty good as far as a basic explanation goes, problem is
> that masquerading is not yet up to the level of ipchains and that's what
> most people want. (One IP address, masqueraded to many machines for use
> with ftp, realaudio etc). I still reckon that ipchains with a 2.2
> kernel is still the simplest and most generally accepted way to do
> firewalling if you want particular services masqueraded.

Actually, 2.4's NAT/Firewall code is much better than 2.2's - the behaviour is more easily traced, connection tracking integrates with both NAT and the stateful inspection system, etc.

Yes, there are fewer protocol helpers, but this is less of a problem as people are not writing quite so many crap protocols nowadays. Similarly, now that port forwarding (i.e. DNAT) is actually working in 2.4, you can usually manually redirect the services you want anyway.

C.

--
--==============================================--
Crossfire         | This email was brought to you
[EMAIL PROTECTED] | on 100% Recycled Electrons
--==============================================--

--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
