| 1 |
Dave Nebinger schreef: |
| 2 |
>> I've been trying to build a simple firewall with a DMZ for a web |
| 3 |
>> server. |
| 4 |
> |
| 5 |
> |
| 6 |
> Dude, trying to use iptables directly was your first mistake. |
| 7 |
> |
| 8 |
> Take a spin out and look at shorewall (I'm sure others have different |
| 9 |
> recommendations). |
| 10 |
> |
| 11 |
> Shorewall will get you up and running in no time and will easily |
| 12 |
> handle the configuration stuff from your original post. |
| 13 |
> |
| 14 |
> Trying to manage such a complex config using iptables directly is |
| 15 |
> doomed to failure; any mistake in ordering of rules, etc., will break |
| 16 |
> your connectivity. Sticking with a tool like shorewall will |
| 17 |
> simplify rules maintenance and pose less of a problem when performing |
| 18 |
> updates later on. |
| 19 |
> |
| 20 |
|
| 21 |
If you're trying to learn, James, there is something to be said for |
| 22 |
Dave's position; it's not as if the config files are going to disappear |
| 23 |
just because you used shorewall to write them with correct settings. |
| 24 |
|
| 25 |
It might be easier to understand how iptables works if you configure it |
| 26 |
through a system that will do it properly, *then* look at the configured |
| 27 |
rules and work out why they work (as opposed to what your self-made |
| 28 |
rules do), rather than wait to have a working configuration until you've |
| 29 |
understood iptables (which is apparently not really easy for most |
| 30 |
everybody). |
| 31 |
|
| 32 |
Holly |
| 33 |
-- |
| 34 |
gentoo-user@g.o mailing list |
Archives