Re: question about SPF (mr Meskes, I suppose?)
On Thu, Mar 23, 2000 at 12:52:31PM +0100, Giacomo Mulas wrote:
> I have seen this work beautifully on a host. Does it work equally well
> with a firewall? I mean: does spf set up rules _only_ for traffic
Yes. I do run it on a masquerading firewall and I know the upstream
maintainer runs it on a non-masquerading one.
> originating from the same host it is running on or, instead, does it also
> set up rules for traffic _forwarded_ by the host it is running on but not
> originating from it? If the second case is true, this is a good enough
> reason to upgrade our firewall from slink to potato in order to install
> and run spf.
Potato won't do. spf is only in woody.
> One more question (I hope I will not bother you any more after this): can
> I set up an arbitrarily complex set of ipchains rules in the spf
> configuration (i.e. the whole set of rules that set up filtering in my
> firewall and that are now run in a script at boot time), including
> creating new chains to handle specific situations etc., without perturbing
> the way spf works? In other words: on what basis does spf decide to set up
> a new ipchains rule or delete an obsolete one? Does it monitor packets
> going through the "output" chain, or what? What must I avoid to do, not to
> mess with the way it works?
The only thing you have to keep in mind is that spf moves your input chain
to a chain named statinpt.
You are right. spf does monitor outgoing packets to create the input rules.
Other than that it's mostly using the same set of rules as you would
Michael Meskes | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz | Go Rhein Fire!
Tel.: (+49) 2431/72651 | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De | Use PostgreSQL!
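The mechanism Michael describes above (spf watches outgoing packets and creates the matching input rules for their replies, while the user's own input rules are moved into a separate static chain) can be modelled in a few lines. The following is an added illustration, not spf's code and not anything from the Debian package: the classes, the rule format, the timeout and the addresses are constructed for the example; only the chain name statinpt is taken from the mail.

```python
"""Toy model of a stateful filter in the style of spf: input rules are derived
from observed outgoing traffic and expire after a timeout; anything else falls
through to the user's static input chain.  Added example, not spf's code."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticRule:
    """A minimal stand-in for a user-written ipchains rule (constructed format)."""
    proto: Optional[str]    # None matches any protocol
    dport: Optional[int]    # None matches any destination port
    target: str             # "ACCEPT" or "DENY"

    def matches(self, pkt: Packet) -> bool:
        return (self.proto is None or self.proto == pkt.proto) and \
               (self.dport is None or self.dport == pkt.dport)


Key = Tuple[str, str, str, int, str, int]


class StatefulFilter:
    """Dynamic rules are keyed on the expected reply 5-tuple and expire after `ttl`."""

    def __init__(self, static_input_rules: List[StaticRule], ttl: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        # "statinpt": the chain spf moves the user's input rules into (name from the mail)
        self.statinpt = list(static_input_rules)
        self.dynamic: Dict[Key, float] = {}   # reply tuple -> expiry time
        self.ttl = ttl
        self.clock = clock

    def observe_output(self, pkt: Packet) -> None:
        # An outgoing packet opens a window for its reply: src/dst and ports swapped.
        reply: Key = ("in", pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.dynamic[reply] = self.clock() + self.ttl

    def expire(self) -> None:
        now = self.clock()
        for key in [k for k, exp in self.dynamic.items() if exp <= now]:
            del self.dynamic[key]

    def check_input(self, pkt: Packet) -> str:
        self.expire()
        key: Key = ("in", pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.dynamic:
            return "ACCEPT"         # reply to a connection this host initiated
        for rule in self.statinpt:  # otherwise the user's own static rules decide
            if rule.matches(pkt):
                return rule.target
        return "DENY"               # default policy of the constructed example


def demo() -> Dict[str, str]:
    """Constructed traffic: one DNS query out, then several inbound packets."""
    clock = [1000.0]                # fake clock so expiry is deterministic
    fw = StatefulFilter([StaticRule("tcp", 22, "ACCEPT")], ttl=30.0,
                        clock=lambda: clock[0])
    host, resolver, stranger = "192.0.2.10", "198.51.100.53", "203.0.113.7"
    fw.observe_output(Packet("udp", host, 40000, resolver, 53))
    results = {
        # the resolver's answer matches the dynamic rule
        "dns_reply": fw.check_input(Packet("udp", resolver, 53, host, 40000)),
        # same ports from a different source: no dynamic rule, no static rule
        "unsolicited": fw.check_input(Packet("udp", stranger, 53, host, 40000)),
        # inbound ssh is allowed by the static chain, not by state
        "ssh_static": fw.check_input(Packet("tcp", stranger, 5555, host, 22)),
    }
    clock[0] += 31.0                # past the 30 s window
    results["dns_reply_expired"] = fw.check_input(Packet("udp", resolver, 53, host, 40000))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The point worth noticing is the ordering in `check_input`: the dynamic reply rules are consulted before the static chain, which is why a user's existing rules keep working unchanged once they live in statinpt, and why expiry matters, since a reply window that never closes would be a permanent hole.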