firewall-init for iptables
baggins-pld at sith.mimuw.edu.pl
Thu Mar 8 01:05:37 CET 2001
[wtorek, 06 marzec 2001], Jacek Konieczny napisał(a):
> On Sun, Mar 04, 2001 at 03:43:10PM +0100, Jan Rekorajski wrote:
> > What version did you use? It's under development so the latest and greatest
> > you can get from CVS (cvs co -r IPTABLES firewall-init).
> This is exactly what I have done.
Good :) In the meantime I fixed some dumb mistakes so please upgrade ;)
> > > 2. If the config files are supposed to contain iptables rules, why have
> > > I put "$iptables" there? And why should I define some functions?
> > I know this is may be a pain, look at the setup_rules() function,
> > any suggestion how to fix it is greatly appreciated.
> I made similar scripts for ipchains some time ago. The config files
> used contained only arguments to ipchains. They were read using "read"
> shell command in the scripts, line by line. But for more sophisticated
> firewalls it was sloooowww. I think your solution should be faster, although
> less elegant.
Yes, that's the problem, I thought of doing it that way, but then I would
loose some functionality. So I want to be less elegant but to allow
admin to do what he wants, not restricted by config file syntax.
> Imho it would be good if iptables could process more
> entries at once. Eg. from a file.
It can, via iptables-restore program.
> > > 3. It doesn't seem to work with 2.4.2-1 kernel --- IPv6 logging and
> > > icmpv6 stuff. But it seems the kernel and iptables in CVS are fixed.
> > For IPv6 LOG target you need latest patch-o-matic (included in 2.4.2-2)
> > icmpv6 is another problem - there is total mess in userland tools how
> > should it be named and for the time being it just does not work.
> > I sent a patch to netfilter-devel but Harald told me he is working
> > on a fix that does not involve patching the kernel so we must wait.
> But the latest version of firewall-init/iptables/kernel won't display
> all those messages?
I commented out ICMP6 chain for now.
> And one more thing. I think you should change the name of the project.
> This is quite different from original firewall-init. Maybe the
> firewall-init is still developed (in other distribution).
As I am the maintainer of this package I don't care ;>
But maybe I change the name.
> What does "rc" mean in rc-scripts and rc-inetd?
Wild guess "runlevel change", I think the answer should be in some
book about U*IX.
Jan Rękorajski | ALL SUSPECTS ARE GUILTY. PERIOD!
baggins<at>mimuw.edu.pl | OTHERWISE THEY WOULDN'T BE SUSPECTS, WOULD THEY?
BOFH, MANIAC | -- TROOPS by Kevin Rubio
More information about the pld-devel-en