firewall-init for iptables
baggins-pld at sith.mimuw.edu.pl
Sun Mar 4 15:43:10 CET 2001
[Saturday, 03 March 2001], Jacek Konieczny wrote:
> I have installed 2.4.2 kernel on two machines. I wanted to check the new
> firewall-init too. I had never used the old firewall-init as it wasn't good
> for using all Linux ipchains features. The new code is much better at
> this point, but I still don't like it much.
> But it is great that the configuration is split by tables/chains/protocols
> and that new chains can be defined (I don't think it was possible in old
What version did you use? It's under development, so you can get the latest
and greatest from CVS (cvs co -r IPTABLES firewall-init).
> 1. A lot of things are hard-coded in
> /etc/sysconfig/firewall.d/functions. Especially icmp handling. Shouldn't
> the admin be the one who decides which packets are to be dropped?
I moved two functions that create extra chains to a separate file,
/etc/sysconfig/firewall.d/functions.rules. You can always change the rules;
the ones that are defined are safe defaults.
All files under /etc/sysconfig/firewall.d are tagged as config(noreplace),
so your changes should be safe.
> 2. If the config files are supposed to contain iptables rules, why have
> I put "$iptables" there? And why should I define some functions?
I know this may be a pain; look at the setup_rules() function,
any suggestion on how to fix it is greatly appreciated.
> 3. It doesn't seem to work with 2.4.2-1 kernel --- IPv6 logging and
> icmpv6 stuff. But it seems the kernel and iptables in CVS are fixed.
For the IPv6 LOG target you need the latest patch-o-matic (included in 2.4.2-2).
icmpv6 is another problem - there is a total mess in the userland tools about how
it should be named, and for the time being it just does not work.
I sent a patch to netfilter-devel but Harald told me he is working
on a fix that does not involve patching the kernel so we must wait.
> And one more thing: documentation (in /usr/share/doc) is not accessible
> to normal users. I don't like reading docs as root!
Sorry, bug in spec. I'll fix it ASAP.
Jan Rękorajski | ALL SUSPECTS ARE GUILTY. PERIOD!
baggins<at>mimuw.edu.pl | OTHERWISE THEY WOULDN'T BE SUSPECTS, WOULD THEY?
BOFH, MANIAC | -- TROOPS by Kevin Rubio