
Re: Is ipmasq worth it?



On Wed, Jan 09, 2002 at 04:00:31AM +0200, Tzafrir Cohen wrote:
> On Wed, 9 Jan 2002, Florian Friesdorf wrote:
> 
> > On Tue, Jan 08, 2002 at 02:36:40PM -0500, Jason Stechschulte wrote:
> > > My question:
> > > Is ipmasq really worth using?  It almost seems more difficult keeping
> > > track of multiple .rul files, plus ipmasq has many .def files that seem
> > > to set up rules also.  From the looks of it, it seems like it may be
> > > easier to just set it all up manually myself and have full control over
> > > everything rather than having to learn to do things the ipmasq way.
> >
> > That's exactly my experience with ipmasq.
> > My personal favourite is now ferm (apt-cache show ferm)
> > It's a language of its own, relatively powerful, which translates either
> > to iptables, ipchains or ipfwadm (not fully supported iirc) commands
> > which are executed.
> >
> 
> Does it produce a good iptables ruleset?
> 
> For instance: does it use basic iptables-only features such as stateful
> filtering?

It's up to you what ruleset it produces and whether you'd like to use
stateful filtering.

chain INPUT saddr (a.b.c.d w.x.y.z) proto tcp dport (ssh http) ACCEPT;

is translated to four rules

iptables -t filter -A INPUT -p tcp -s a.b.c.d --dport ssh -j ACCEPT
iptables -t filter -A INPUT -p tcp -s a.b.c.d --dport http -j ACCEPT
iptables -t filter -A INPUT -p tcp -s w.x.y.z --dport ssh -j ACCEPT
iptables -t filter -A INPUT -p tcp -s w.x.y.z --dport http -j ACCEPT

Have a look at its manpage.

I'm working on modularizing it at the moment.
I've attached my ferm script used for a DSL gateway.

activate.ferm to initialize it.
deactivate.ferm to reset.

florian

-- 
     Florian Friesdorf <42ff@gmx.net>
OpenPGP key available on public key servers

------> Save the future of Open Source <------
-> Online-Petition against Software Patents <-
------> http://petition.eurolinux.org <-------
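The list expansion described in the reply above (one ferm line with two parenthesised lists becoming four iptables commands), modelled as an added example; this is illustration code, not ferm's own implementation. The keyword-to-option table and the accepted targets are assumptions covering only the keywords that appear in this message; every parenthesised list multiplies the number of generated rules, which is the check worth keeping in mind when a ruleset grows.

```python
import itertools
import re

# Assumption: a small subset of ferm's keyword table, enough for this example.
OPTIONS = {"proto": "-p", "saddr": "-s", "daddr": "-d",
           "sport": "--sport", "dport": "--dport"}
TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def tokenize(rule):
    """Split one ferm rule into tokens; a parenthesised group becomes a list."""
    tokens, group = [], None
    for tok in re.findall(r"[()]|[^\s()]+", rule.strip().rstrip(";")):
        if tok == "(":
            group = []
        elif tok == ")":
            tokens.append(group)
            group = None
        elif group is not None:
            group.append(tok)
        else:
            tokens.append([tok])
    return tokens


def expand(rule, table="filter"):
    """Expand a one-line ferm rule into the iptables commands it stands for.

    The lists are combined as a cartesian product, so two lists of two
    entries each yield four rules, exactly as in the message above.
    """
    tokens = tokenize(rule)
    if tokens[0] != ["chain"] or tokens[-1][0] not in TARGETS:
        raise ValueError("expected: chain NAME <key value ...> TARGET;")
    chain, target = tokens[1][0], tokens[-1][0]
    keys = [OPTIONS[k[0]] for k in tokens[2:-1:2]]
    values = tokens[3:-1:2]
    # iptables needs -p before --sport/--dport, so emit the protocol first
    order = sorted(range(len(keys)), key=lambda i: keys[i] != "-p")
    commands = []
    for combo in itertools.product(*values):
        matches = " ".join(f"{keys[i]} {combo[i]}" for i in order)
        commands.append(f"iptables -t {table} -A {chain} {matches} -j {target}")
    return commands


if __name__ == "__main__":
    for cmd in expand("chain INPUT saddr (a.b.c.d w.x.y.z) proto tcp dport (ssh http) ACCEPT;"):
        print(cmd)
```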


