firewall-init for iptables

Jan Rekorajski baggins-pld at sith.mimuw.edu.pl
Sun Mar 4 15:43:10 CET 2001


[Saturday, 03 March 2001], Jacek Konieczny wrote:

> I have installed the 2.4.2 kernel on two machines. I wanted to check the new
> firewall-init too. I had never used the old firewall-init as it wasn't good
> for using all Linux ipchains features. The new code is much better at
> this point, but I still don't like it much.
> But it is great that the configuration is split by tables/chains/protocols
> and that new chains can be defined (I don't think it was possible in the old
> firewall-init).

What version did you use? It's under development so the latest and greatest
you can get from CVS (cvs co -r IPTABLES firewall-init).

> 1. A lot of things are hard-coded in
> /etc/sysconfig/firewall.d/functions. Especially icmp handling. Shouldn't
> the admin be the one who decides which packets are to be dropped?

I moved the two functions that create extra chains to a separate file,
/etc/sysconfig/firewall.d/functions.rules. You can always change the rules;
the ones that are defined are safe defaults.
All files under /etc/sysconfig/firewall.d are tagged as config(noreplace),
so your changes should be safe.

> 2. If the config files are supposed to contain iptables rules, why have
> I put "$iptables" there? And why should I define some functions?

I know this may be a pain; look at the setup_rules() function,
any suggestion how to fix it is greatly appreciated.

> 3. It doesn't seem to work with 2.4.2-1 kernel --- IPv6 logging and
> icmpv6 stuff. But it seems the kernel and iptables in CVS are fixed.

For the IPv6 LOG target you need the latest patch-o-matic (included in 2.4.2-2).
icmpv6 is another problem - there is a total mess in the userland tools about how
it should be named, and for the time being it just does not work.
I sent a patch to netfilter-devel, but Harald told me he is working
on a fix that does not involve patching the kernel, so we must wait.

> And one more thing: documentation (in /usr/share/doc) is not accessible
> for a normal user. I don't like reading docs as root!

Sorry, bug in spec. I'll fix it ASAP.

Janek
-- 
Jan Rękorajski            |  ALL SUSPECTS ARE GUILTY. PERIOD!
baggins<at>mimuw.edu.pl   |  OTHERWISE THEY WOULDN'T BE SUSPECTS, WOULD THEY?
BOFH, MANIAC              |                   -- TROOPS by Kevin Rubio


