firewall-init for iptables

Jan Rekorajski baggins-pld at sith.mimuw.edu.pl
Thu Mar 8 01:05:37 CET 2001


[Tuesday, 06 March 2001], Jacek Konieczny wrote:

> On Sun, Mar 04, 2001 at 03:43:10PM +0100, Jan Rekorajski wrote:
> [...]
> > What version did you use? It's under development so the latest and greatest
> > you can get from CVS (cvs co -r IPTABLES firewall-init).
> This is exactly what I have done.

Good :) In the meantime I fixed some dumb mistakes so please upgrade ;)

> > > 2. If the config files are supposed to contain iptables rules, why have
> > > I put "$iptables" there? And why should I define some functions?
> > 
> > I know this may be a pain, look at the setup_rules() function,
> > any suggestion on how to fix it is greatly appreciated.
> I made similar scripts for ipchains some time ago. The config files
> used contained only arguments to ipchains. They were read using "read"
> shell command in the scripts, line by line. But for more sophisticated
> firewalls it was sloooowww. I think your solution should be faster, although
> less elegant.

Yes, that's the problem, I thought of doing it that way, but then I would
lose some functionality. So I want to be less elegant but to allow the
admin to do what he wants, not restricted by config file syntax.

> Imho it would be good if iptables could process more
> entries at once. E.g. from a file.

It can, via iptables-restore program.

> > > 3. It doesn't seem to work with 2.4.2-1 kernel --- IPv6 logging and
> > > icmpv6 stuff. But it seems the kernel and iptables in CVS are fixed.
> > 
> > For IPv6 LOG target you need latest patch-o-matic (included in 2.4.2-2)
> > icmpv6 is another problem - there is a total mess in userland tools about
> > how it should be named, and for the time being it just does not work.
> > I sent a patch to netfilter-devel but Harald told me he is working
> > on a fix that does not involve patching the kernel so we must wait.
> But the latest version of firewall-init/iptables/kernel won't display
> all those messages?

I commented out ICMP6 chain for now.

> And one more thing. I think you should change the name of the project.
> This is quite different from original firewall-init. Maybe the
> firewall-init is still developed (in other distribution).

As I am the maintainer of this package I don't care ;>
But maybe I'll change the name.

> PS.
>         What does "rc" mean in rc-scripts and rc-inetd?

Wild guess: "runlevel change", I think the answer should be in some
book about U*IX.

Janek
-- 
Jan Rękorajski            |  ALL SUSPECTS ARE GUILTY. PERIOD!
baggins<at>mimuw.edu.pl   |  OTHERWISE THEY WOULDN'T BE SUSPECTS, WOULD THEY?
BOFH, MANIAC              |                   -- TROOPS by Kevin Rubio
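The thread above contrasts reading a rule file line by line with the shell's "read" and forking ipchains once per line (slow) against handing the whole ruleset to iptables-restore in one call. The following script, an added example that is not firewall-init's code nor anything from the list, shows the batching approach: it converts a plain one-rule-per-line file (an assumed format, first word is the chain, the rest are iptables arguments) into the iptables-restore text format for the filter table, with default-deny INPUT/FORWARD policies chosen here as an assumption. It only builds and checks the ruleset text; applying it is a single `iptables-restore < file` as root, which is deliberately left out so the script runs without privileges.

```shell
#!/bin/sh
# Added example (not part of firewall-init): build an iptables-restore
# ruleset from a plain rule list so all rules load in one atomic call
# instead of one iptables fork per line.

# Constructed sample input (assumed format): one rule per line, the first
# word is the chain, the rest are iptables match/target arguments.
# Blank lines and '#' comments are ignored.
SAMPLE_RULES='# allow replies to connections we started
INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
INPUT -i lo -j ACCEPT
INPUT -p tcp --dport 22 -j ACCEPT

INPUT -j LOG --log-prefix "fw-drop: "'

# build_restore_file RULEFILE
# Prints an iptables-restore ruleset for the filter table on stdout.
# Policies are default-deny for INPUT and FORWARD (an assumption made
# for this example, not something the thread specifies).
build_restore_file() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # "read" is fine here: nothing is forked per line, the loop only
    # emits text and iptables-restore is invoked once for the whole file.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        chain=${line%% *}
        args=${line#* }
        # a line with only a chain name and no arguments
        [ "$args" = "$line" ] && args=''
        printf '%s %s %s\n' '-A' "$chain" "$args"
    done < "$1"
    printf '%s\n' 'COMMIT'
}

# count_rules RULESET_TEXT -> number of '-A' rule lines in the ruleset
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# Stand-alone usage: write the sample to a temp file and print the ruleset.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    build_restore_file "$tmp"
    rm -f "$tmp"
fi
```

The generated text is exactly what `iptables-save` emits, so it can also be diffed against the running ruleset to detect drift before it is reloaded; since iptables-restore commits the table as a unit, a syntax error anywhere in the file leaves the old ruleset in place rather than a half-applied one.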