Re: Starting iptables
On Wed, Oct 18, 2006 at 01:32:52PM -0500, cothrige wrote:
> * dtutty@xxxxxxxxxxxxx (dtutty@xxxxxxxxxxxxx) wrote:
>
> Interesting what you say about ipmasq. How automatic is it? I would
> have assumed that it had more to do with making your machine a
> gateway, which mine isn't, than firewalling itself. I am assuming
> that it does both?

Yes.

> > The documentation is vast; it's like a book. You wouldn't buy a big
> > book on network security and open it to the middle and expect to
> > know what was going on. Start at the beginning and just read it
> > through. Trust your brain to synthesize and develop a plan for your
> > situation.
>
> I know what you mean there. I think it turned out to be something
> like 550 pages, give or take. And I actually was reading it from the
> beginning, but you can imagine what a task that is just to set up a
> couple of rules. And I was beginning to think that it was not set up
> to handle a situation as simple as mine. Of course, I was wrong.
>
> But, this all begs the question of what Shorewall is really trying to
> do. I would think that the point of these firewall tools would be to
> get around the rather difficult process of figuring out iptables.
> However, shorewall seems to simply replace the very archaic and tricky
> iptables commands and structure with its own equally difficult
> version. Why is that exactly? Couldn't somebody with that kind of
> need simply take the same time and learn the very thing that Shorewall
> is manipulating, i.e. iptables?

If you look at the number of lines of rules you make, and compare it to
the number of lines (pages!) of iptables rules it makes, you see that
shorewall is easier. Also the syntax is easier. Changes are far
easier. Besides, the shorewall book is the best book I've found for
understanding iptables.

My only beef with shorewall is the length of time it took my poor 486 to
process everything: 2 minutes.

I use ipmasq when I'm building the smallest system I can, only accessing
the internet for email, web browsing, and chrony. For a full-size
system, I use shorewall.

Doug.
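For the "couple of rules on a non-gateway host" situation the thread is about, here is the hand-written side of Doug's line-count comparison: a stateful iptables ruleset in iptables-restore format, so the whole policy is one file you can read and diff rather than a series of iptables commands. This is an example added here, not code from the post or from the Shorewall or ipmasq projects; the single interface, the optional SSH port and the log-and-drop default are my assumptions.

```shell
#!/bin/sh
# Hand-written stateful iptables ruleset for a standalone (non-gateway)
# IPv4 host, emitted in iptables-restore format so the whole policy is one
# reviewable file rather than a series of iptables invocations.
#
# Assumptions (mine, not from the post): a single network interface, no
# services offered except an optional SSH port, and everything else
# inbound is logged (rate-limited) and dropped.

# host_ruleset [ssh_port]
# Print the ruleset. With no argument the host exposes no service at all.
host_ruleset() {
    ssh_port="${1:-}"
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Replies and related traffic for connections this host opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Loopback is trusted unconditionally.
-A INPUT -i lo -j ACCEPT
# Packets the connection tracker cannot classify are dropped silently.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Answer pings, rate-limited so a flood cannot eat the CPU.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
EOF
    if [ -n "$ssh_port" ]; then
        # Only the first packet of a new connection needs this rule; the
        # ESTABLISHED rule above carries the rest of the session.
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$ssh_port"
    fi
    cat <<'EOF'
# Everything else is logged and dropped. FORWARD stays at its DROP policy
# because this host is not a gateway.
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 2/minute -j LOG --log-prefix "iptables drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# rule_count [ssh_port]
# Number of -A lines, i.e. the rules a reviewer actually has to read.
rule_count() {
    host_ruleset "${1:-}" | grep -c '^-A'
}

# check_ruleset [ssh_port]
# Parse the ruleset in the kernel without committing it (needs root).
check_ruleset() {
    host_ruleset "${1:-}" | iptables-restore --test
}

# Usage: sh host-fw.sh print [ssh_port] | sudo iptables-restore
#        sh host-fw.sh check [ssh_port]      (syntax check only, as root)
case "${1:-}" in
    print) host_ruleset "${2:-}" ;;
    check) check_ruleset "${2:-}" ;;
esac
```

Run `sh host-fw.sh check 22` as root before `sh host-fw.sh print 22 | iptables-restore`; `--test` parses the file against the live kernel without loading it, which catches typos before they lock you out of a remote box. The ruleset is eight rules with SSH open and seven without, which is the figure to hold against what Shorewall generates for the same policy. For comparison, and from my recollection of Shorewall's file layout rather than from the post (treat the exact syntax as an assumption), the same policy in Shorewall is two zones (fw and net), one interfaces line binding net to the interface, a policy file that accepts $FW to net and drops net to all, and a single rules line such as `ACCEPT net $FW tcp 22`; the iptables it compiles from that is far longer than the block above because it also emits the support chains for its interface options, which is the trade Doug describes.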
