On Wednesday 19 August 2009 00:11:36 Walter Dnes wrote:

> IPCHAINS did the firewall job for me. Early versions of IPTABLES were
> OK too. But it eventually developed the Mozilla disease, and became a
> honking big routing/gatewaying/QOSing/singing/dancing monstrosity, of
> which I required only a small fraction of its "functionality". And I'm
> really confused as to which parts in netfilter/xtables/iptables I need
> to build into the kernel.

netfilter is the kernel sub-system that does packet filtering.
iptables is a user-space app that adds and deletes rules to netfilter.
I have no idea what xtables is.

> I need a firewall (or even just a packet-filter) that will operate
> with current Gentoo kernels, nothing more. I see a build for IPCHAINS.
> Does it work with 2.6.29 and higher kernels?

No. ipchains does not work with 2.6 at all, or even with 2.4. I suppose you
could coerce it, but it's easier to just learn iptables. iptables is also
conceptually simpler and much easier to understand.

menuconfig is really simply laid out with regard to netfilter. The initial
selection that opens up is all you need, so select the lot.

You will only need the mangle stuff if you plan on fiddling packets as they
pass through the kernel; you'll only need conntrack if you plan to build a
stateful firewall (a good idea, actually) and you might want NAT as well.

> Are there other
> alternatives in alternate overlays? I'm not a programmer, but I can
> expand a tarball and...

There are two ways to build a packet filter, one good, one bad:

in-kernel: this makes sense as it's where the packets are. netfilter does
this; you *could* replace it, but you will simply rip it out and replace it
with something similar.

user-space: now this is a stupid idea. Every packet moves out of kernel space
into userspace and back into kernel space. Yuck, all that context switching.

iptables really really is what you want. Google for "Rusty Russell's
Unreliable Guide to iptables", he's the head dev and that document contains
just about everything you need for basic firewall needs.

If you want a front-end, I like shorewall. There are hundreds of others and
they come with their own built-in flamewar about which is best. Most are
simply front ends to iptables.

The best and most ultimate OSS packet filter in the whole wide world is
without a doubt ipfw. But that's FreeBSD - not likely much use to you :-)

--
alan dot mckinnon at gmail dot com
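Added example (not part of the thread above): the kind of minimal stateful iptables ruleset the reply is pointing at, with conntrack doing the state tracking and NAT only switched on when a LAN interface is given. It needs the base netfilter options plus conntrack (and NAT if used) built into the kernel as the reply describes. The interface names and allowed port list are placeholders; the script emits the rules in iptables-restore format so they can be read or diffed before anything is loaded, and only the `apply` argument actually calls iptables-restore (which needs root).

```shell
#!/bin/sh
# Minimal stateful IPv4 packet filter, generated in iptables-restore format.
# Added example, not code from the mailing-list post. Placeholder settings:
WAN_IF="${WAN_IF:-eth0}"        # external interface (placeholder)
LAN_IF="${LAN_IF:-}"            # internal interface; empty = no NAT/forwarding
ALLOW_TCP="${ALLOW_TCP:-22}"    # inbound TCP ports to accept from WAN (placeholder)

# Emit the whole policy as text. Default-deny on INPUT and FORWARD, then let
# conntrack admit replies to connections we already know about.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Only NEW connections to the listed ports get in from the outside.
    for p in $ALLOW_TCP; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop: " --log-level 4
EOF
    # Forwarding is only opened when a LAN side exists: LAN may start
    # connections outward, the WAN side may only answer them.
    if [ -n "$LAN_IF" ]; then
        printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    fi
    echo COMMIT
    # NAT table is emitted only when forwarding for a LAN was requested.
    if [ -n "$LAN_IF" ]; then
        cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
    fi
}

# iptables-restore swaps the whole table in atomically, so there is never a
# half-loaded ruleset between the old policy and the new one. Needs root.
apply_rules() {
    gen_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_rules
fi
```

Run it with no arguments to print the ruleset for review, or `LAN_IF=eth1 sh fw.sh apply` as root to load it with NAT enabled; `iptables-save` afterwards shows what the kernel actually holds.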