| 1 |
On Wednesday 19 August 2009 00:11:36 Walter Dnes wrote: |
| 2 |
> IPCHAINS did the firewall job for me. Early versions of IPTABLES were |
| 3 |
> OK too. But it eventually developed the Mozilla disease, and became a |
| 4 |
> honking big routing/gatewaying/QOSing/singing/dancing monstrosity, of |
| 5 |
> which I required only a small fraction of its "functionality". And I'm |
| 6 |
> really confused as to which parts in netfilter/xtables/iptables I need |
| 7 |
> to build into the kernel. |
| 8 |
|
| 9 |
netfilter is the kernel sub-system that does packet filtering. |
| 10 |
iptables is a user-space app that adds and deletes rules to netfilter. |
| 11 |
I have no idea what xtables is |
| 12 |
|
| 13 |
> I need a firewall (or even just a packet-filter) that will operate |
| 14 |
> with current Gentoo kernels, nothing more. I see a build for IPCHAINS. |
| 15 |
> Does it work with 2.6.29 and higher kernels? |
| 16 |
|
| 17 |
No. ipchains does not work with 2.6 at all, or even with 2.4. I suppose you |
| 18 |
could coerce it, but it's easier to just learn iptables. iptables is also |
| 19 |
conceptually simpler and much easier to understand. |
| 20 |
|
| 21 |
menuconfig is really simply laid out with regard to netfilter. The initial |
| 22 |
selection that opens up is all you need, so select the lot. |
| 23 |
|
| 24 |
You will only need the mangle stuff is you plan on fiddling packets as they |
| 25 |
pass through the kernel; you'll only need conntrack if you plan to build a |
| 26 |
stateful firewall (a good idea, actually) and you might want NAT as well. |
| 27 |
|
| 28 |
|
| 29 |
> Are there other |
| 30 |
> alternatives in alternate overlays? I'm not a programmer, but I can |
| 31 |
> expand a tarball and... |
| 32 |
|
| 33 |
There are two ways to build a packet filter, one good one bad |
| 34 |
: |
| 35 |
in-kernel: this makes sense as it's where the packets are. netfilter does |
| 36 |
this, you *could* replace it, but you will simply rip it out and replace it |
| 37 |
with something similar. |
| 38 |
|
| 39 |
user-space: now this is a stupid idea. Every packet moves out of kernel space |
| 40 |
into userspace and back into kernel space. Yuck, all that context switching. |
| 41 |
|
| 42 |
iptables really really is what you want. Google for "Rusty Russell's |
| 43 |
Unreliable Guide to iptables", he's the head dev and that document contains |
| 44 |
just about everything you need for basic firewall needs. |
| 45 |
|
| 46 |
If you want a front-end, I like shorewall. There are hundreds of others and |
| 47 |
they come with their own built in flamewar about which is best. Most are |
| 48 |
simply front ends to iptables. |
| 49 |
|
| 50 |
The best and most ultimate OSS packet filter in the whole wide world is |
| 51 |
without a doubt ipfw. But that's FreeBSD - not likely much use to you :-) |
| 52 |
|
| 53 |
-- |
| 54 |
alan dot mckinnon at gmail dot com |
Archives