On Wed, Jan 09, 2002 at 04:00:31AM +0200, Tzafrir Cohen wrote:
> On Wed, 9 Jan 2002, Florian Friesdorf wrote:
>
> > On Tue, Jan 08, 2002 at 02:36:40PM -0500, Jason Stechschulte wrote:
> > > My question:
> > > Is ipmasq really worth using? It almost seems more difficult keeping
> > > track of multiple .rul files, plus ipmasq has many .def files that seem
> > > to set up rules also. From the looks of it, it seems like it may be
> > > easier to just set it all up manually myself and have full control over
> > > everything rather than having to learn to do things the ipmasq way.
> >
> > That's exactly my experience with ipmasq.
> > My personal favourite is now ferm (apt-cache show ferm)
> > It's a language of its own, relatively powerful, which translates either
> > to iptables, ipchains or ipfwadm (not fully supported iirc) commands
> > which are executed.
>
> Does it produce a good iptables ruleset?
>
> For instance: does it use basic iptables-only features such as stateful
> filtering?

It's up to you what ruleset it produces and whether you'd like to use
stateful filtering.

  chain INPUT saddr (a.b.c.d w.x.y.z) proto tcp dport (ssh http) ACCEPT;

is translated to four rules

  iptables -t filter -A INPUT -p tcp -s a.b.c.d --dport ssh -j ACCEPT
  iptables -t filter -A INPUT -p tcp -s a.b.c.d --dport http -j ACCEPT
  iptables -t filter -A INPUT -p tcp -s w.x.y.z --dport ssh -j ACCEPT
  iptables -t filter -A INPUT -p tcp -s w.x.y.z --dport http -j ACCEPT

Have a look at its manpage. I'm working on modularizing it at the moment.

I've attached my ferm script used for dsl gateway:
activate.ferm to initialize it,
deactivate.ferm to reset.

florian

-- 
Florian Friesdorf <42ff@gmx.net>
OpenPGP key available on public key servers
------> Save the future of Open Source <------
-> Online-Petition against Software Patents <-
------> http://petition.eurolinux.org <-------
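The expansion Florian describes (one ferm rule with two parenthesised lists becoming four iptables commands) and the stateful filtering Tzafrir asks about, as an added worked example that is not part of the original thread and is not ferm's own code. It is a small hypothetical expander: the keyword table (saddr, daddr, proto, sport, dport, interface, outerface), the fixed option order and the `stateful_prelude` helper are assumptions chosen so that the quoted rule produces exactly the four commands above; real ferm has a far larger grammar.

```python
"""Expand ferm-style firewall rules into the iptables commands they stand for.

Hypothetical illustration written for this thread, not ferm's own parser:
it accepts one rule of the shape shown in the mail,

    chain INPUT saddr (a.b.c.d w.x.y.z) proto tcp dport (ssh http) ACCEPT;

and emits the Cartesian product of every parenthesised list, plus the
stateful-filtering rules the reply asks about.  Keywords and option order
are an assumed subset chosen so the output matches the four rules quoted.
"""
import itertools
import re

# ferm-style keyword -> iptables option (assumed subset, not ferm's full grammar)
KEYWORDS = {
    "interface": "-i",
    "outerface": "-o",
    "proto": "-p",
    "saddr": "-s",
    "daddr": "-d",
    "sport": "--sport",
    "dport": "--dport",
}

# iptables needs -p before --sport/--dport (the port matches are loaded by the
# protocol), so options are emitted in this fixed order regardless of rule order.
OPTION_ORDER = ["-p", "-s", "-d", "-i", "-o", "--sport", "--dport"]


def tokenize(rule):
    """Split a rule into bare words and parenthesised lists.

    'a (b c) d;' -> ['a', ['b', 'c'], 'd']   (the trailing ';' is dropped)
    """
    tokens = []
    for m in re.finditer(r"\(([^)]*)\)|([^\s();]+)", rule):
        if m.group(1) is not None:          # parenthesised list
            items = m.group(1).split()
            if not items:
                raise ValueError("empty list in rule: %s" % rule)
            tokens.append(items)
        else:                               # single word
            tokens.append(m.group(2))
    return tokens


def expand(rule, table="filter"):
    """Return the iptables commands a ferm-style rule expands to."""
    tokens = tokenize(rule)
    if len(tokens) < 3 or tokens[0] != "chain" or isinstance(tokens[1], list):
        raise ValueError("rule must start with 'chain <NAME>': %s" % rule)
    chain, target, body = tokens[1], tokens[-1], tokens[2:-1]
    if isinstance(target, list) or len(body) % 2:
        raise ValueError("rule must be 'chain NAME [keyword value]... TARGET;'")

    matches = []                            # (iptables option, [values])
    for keyword, value in zip(body[::2], body[1::2]):
        if not isinstance(keyword, str) or keyword not in KEYWORDS:
            raise ValueError("unknown keyword %r" % (keyword,))
        values = value if isinstance(value, list) else [value]
        matches.append((KEYWORDS[keyword], values))
    matches.sort(key=lambda m: OPTION_ORDER.index(m[0]))

    # One command per element of the Cartesian product of all value lists.
    commands = []
    for combo in itertools.product(*(values for _, values in matches)):
        opts = " ".join("%s %s" % (opt, val) for (opt, _), val in zip(matches, combo))
        commands.append("iptables -t %s -A %s %s -j %s" % (table, chain, opts, target))
    return commands


def stateful_prelude(chain="INPUT", table="filter"):
    """Rules to put in front of the expanded ones for a stateful ruleset:
    drop by default, accept loopback, accept replies to outbound traffic,
    drop packets conntrack cannot classify.  The ESTABLISHED,RELATED match
    is the iptables-only feature the reply asks about (assumed layout)."""
    return [
        "iptables -t %s -P %s DROP" % (table, chain),
        "iptables -t %s -A %s -i lo -j ACCEPT" % (table, chain),
        "iptables -t %s -A %s -m state --state ESTABLISHED,RELATED -j ACCEPT" % (table, chain),
        "iptables -t %s -A %s -m state --state INVALID -j DROP" % (table, chain),
    ]


if __name__ == "__main__":
    rule = "chain INPUT saddr (a.b.c.d w.x.y.z) proto tcp dport (ssh http) ACCEPT;"
    for cmd in stateful_prelude() + expand(rule):
        print(cmd)
```

Running the block prints the stateful prelude followed by the four commands quoted in the mail; the point of emitting the ESTABLISHED,RELATED rule first is that the expanded per-port rules then only ever see new connections, which is what makes the per-source, per-port ACCEPT list a default-deny policy rather than a hole list.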