firewall-init for iptables

Jan Rekorajski baggins-pld at
Sun Mar 4 15:43:10 CET 2001

[sobota, 03 marzec 2001], Jacek Konieczny napisał(a):

> I have installed 2.4.2 kernel on two machines. I wanted to check the new
> firewall-init too. I was never using old firewall-init as it wasn't good
> for using all Linux ipchains features. The new code is much better at
> this point, but I still don't like it much.
> But it is great, that configuration is split by tables/chains/protocols
> and that new chains can be defined (I don't think it was possible in old
> firewall-init).

What version did you use? It's under development so the latest and greatest
you can get from CVS (cvs co -r IPTABLES firewall-init).

> 1. A lot of things are hard-codded in
> /etc/sysconfig/firewall.d/functions. Especially icmp handling. Should'n
> the admin be the one who decides which packets are to be dropped?

I moved two functions that create extra chains to separate file,
/etc/sysconfig/firewall.d/functions.rules. You can alway change the rules,
the ones that are defined are safe defaults.
All files inder /etc/sysconfig/firewall.d are tagged as config(noreplace)
so your changes should be safe.

> 2. If the config files are supposed to contain iptables rules, why have
> I put "$iptables" there? And why should I define some functions?

I know this is may be a pain, look at the setup_rules() function,
any suggestion how to fix it is greatly appreciated.

> 3. It doesn't seem to work with 2.4.2-1 kernel --- IPv6 logging and
> icmpv6 stuff. But it seems the kernel and iptables in CVS are fixed.

For IPv6 LOG target you need latest patch-o-matic (included in 2.4.2-2)
icmpv6 is another problem - there is total mess in userland tools how
should it be named and for the time being it just does not work.
I sent a patch to netfilter-devel but Harald told me he is working
on a fix that does not involve patching the kernel so we must wait.

> And one more thing documentation (in /usr/share/doc) is not accessible
> for normal user. I don't like reading docs as root!

Sorry, bug in spec. I'll fix it ASAP.

Jan Rękorajski            |  ALL SUSPECTS ARE GUILTY. PERIOD!
BOFH, MANIAC              |                   -- TROOPS by Kevin Rubio

More information about the pld-devel-en mailing list