Dave Nebinger wrote:
>> I've been trying to build a simple firewall with a DMZ for a web
>> server.
>
> Dude, trying to use iptables directly was your first mistake.
>
> Take a spin out and look at shorewall (I'm sure others have different
> recommendations).
>
> Shorewall will get you up and running in no time and will easily
> handle the configuration stuff from your original post.
>
> Trying to manage such a complex config using iptables directly is
> doomed to failure; any mistake in ordering of rules, etc., will break
> your connectivity. Sticking with a tool like shorewall will
> simplify rules maintenance and pose less of a problem when performing
> updates later on.
>

If you're trying to learn, James, there is something to be said for
Dave's position; it's not as if the config files are going to disappear
just because you used shorewall to write them with correct settings.

It might be easier to understand how iptables works if you configure it
through a system that will do it properly, *then* look at the configured
rules and work out why they work (as opposed to what your self-made
rules do), rather than wait to have a working configuration until you've
understood iptables (which is apparently not really easy for most
everybody).

Holly
--
gentoo-user@g.o mailing list
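As an added illustration of the three-zone layout the thread is talking about (Internet, LAN, DMZ with one web server), here is a script that writes a minimal Shorewall configuration. It is not code from either poster nor Shorewall's own sample files; the interface names eth0/eth1/eth2, the zone names and the port list are assumptions, and the target directory defaults to /etc/shorewall but can be pointed at a scratch directory first so you can read the files before touching a live box.

```shell
#!/bin/sh
# Added example (not from the thread): a net/loc/dmz Shorewall layout for
# a firewall with the Internet on eth0, the LAN on eth1 and a DMZ web
# server on eth2. Interface names are assumptions; adjust to your box.
# Files go under $SHOREWALL_DIR (default /etc/shorewall) so the script can
# be dry-run into a scratch directory and the result inspected first.
SHOREWALL_DIR="${SHOREWALL_DIR:-/etc/shorewall}"

write_shorewall_dmz_config() {
    mkdir -p "$SHOREWALL_DIR"

    # zones: the firewall itself plus three IPv4 zones.
    cat > "$SHOREWALL_DIR/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF

    # interfaces: which NIC belongs to which zone (assumed names).
    # tcpflags/nosmurfs drop malformed packets; routefilter turns on the
    # kernel reverse-path check on the Internet-facing side.
    cat > "$SHOREWALL_DIR/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs
dmz     eth2        detect      tcpflags,nosmurfs
EOF

    # policy: default verdict per zone pair. The first matching line wins,
    # which is exactly the ordering problem Dave mentions; here the specific
    # loc/dmz lines come before the catch-alls. There is deliberately no
    # dmz -> loc line: a compromised web server must not reach the LAN.
    cat > "$SHOREWALL_DIR/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
loc       dmz    ACCEPT
dmz       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
EOF

    # rules: exceptions to the policies, evaluated before them.
    # Only HTTP/HTTPS reach the web server from the Internet; SSH to the
    # firewall itself is allowed from the LAN only.
    cat > "$SHOREWALL_DIR/rules" <<'EOF'
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    net      dmz    tcp     80,443
ACCEPT    loc      $FW    tcp     22
EOF
}

# Number of zones defined, as a quick sanity check on the generated files
# before running "shorewall check" on the real machine.
zone_count() {
    grep -c -v '^#' "$SHOREWALL_DIR/zones"
}

if [ "${1:-}" = "write" ]; then
    write_shorewall_dmz_config
    echo "wrote config to $SHOREWALL_DIR ($(zone_count) zones)"
fi
```

Run it as `SHOREWALL_DIR=/tmp/sw ./dmz.sh write` to see the four files, then `shorewall check` and `shorewall restart` once they are in place. Following Holly's suggestion, `iptables -L -n -v` afterwards shows the chains Shorewall generated from these few lines, which is a much shorter path to understanding why the ordering works than writing the same chains by hand.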