
Re: AW: ipmasq support in potato kernel



On Fri, Aug 24, 2001 at 12:23:02AM -0400, Mike McGuire wrote:
[ deletia ]

>  0) kernel firewalling, write your own masq scripts w/ ipfoo.

This won't work, cos you haven't compiled masq support into the
kernel.

>  1) kernel firewalling, use ipmasq's scripts.

This won't work, cos you haven't compiled masq support into the
kernel.

>  2) kernel firewalling and masquerading, turn it on w/ ipfoo.

This will work, and is also how ipmasq works.

ipmasq is just a collection of scripts that somebody wrote.  The
scripts don't do anything other than run commands to configure the
packet filtering in the kernel.  For 2.0.x kernels, this means running
"ipfwadm".  For 2.2.x kernels, this means running "ipchains".  For 2.4.x
kernels this means running "iptables".

> Just so you don't yell at me again ;)  here's how #2 works.
>     (2.4.x kernel using netfilter/iptables)

Dude, we are talking about POTATO.  There's no 2.4.x in potato.
     
>     (somewhere in the kernel config)
>     CONFIG_IP_NF_IPTABLES=m		# general filtering
>     CONFIG_IP_NF_FILTER=m		# packet filtering
>     CONFIG_IP_NF_NAT=m			# Netwk Addr Translation
>     CONFIG_IP_NF_NAT_NEEDED=y
>     CONFIG_IP_NF_TARGET_MASQUERADE=m	# special NAT module
>     
>     Then to set it all up, one whole line (though this just does 
>       the masquerading, no real firewalling, but I think that the 
>       masq stuff was the point to this whole mess...)
>     : iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

You could be correct, I haven't installed 2.4.x on my firewall yet due
to some netfilter bugs.  One of these weekends perhaps ...
 
> As I understood it, the default kernel just does filtering, and maybe 
> NAT. And that's all ipmasq needs to work. Perhaps the masquerading 
> module is just some extra feature in 2.4.x/iptables? (That could 
> explain most of this confusion. arg. (But then, me being completely 
> wrong could too. I hope that's not it. ;)  )

THERE IS NO 2.4.x DEFAULT KERNEL IN POTATO.  WE ARE TALKING ABOUT THE
DEFAULT, THAT IS TO SAY THE KERNEL INSTALLED AFTER A FRESH INSTALL.
 
> > > [more blather]
> > >  
> > I don't understand what you're on about with this "faster" stuff.  IP
> > Masq support in the kernel is ip masq support.  It doesn't work
> > automatically; you have to configure it.  The ipmasq package does
> > exactly that.
> 
> eh. When you said you'd recommend a custom kernel "especially if 
> you're manipulating packets", I just assumed you thought it was 
> faster too. And I still think the difference is that it's *not* 
> IP masq support in the kernel when using ipmasq; it's IP masq in 

Yes, it is.

> user space using the kernel IP filter support. The IP_FOO_MASQ 

No, it's not.

> module I mentioned above is obviously kernel IP masq support, so 
> if I'm right about all that- and I hope I am- kernel code should 
> be faster vs. user space code.

Have you compiled a 2.2.x kernel ever?  If you do you'll notice there
is CONFIG_IP_MASQUERADE.  Wonder what that's for?
 
> But then, I could be wrong. Quite likely, in fact. If I am, just 
> tell everyone that I'm an idiot, and why, and as simply as can be 
> done to prevent eating away any more of their bandwidth. Now I've 
> got tv to watch, and I've got to throw some stuff together so I 
> can leave for school tomorrow, so I'm done. No more. :)

Lucky you.  I have to go to work :/

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd.                 | than a perfect plan tomorrow.
mailto:nnorman@micromuse.com   |   -- Patton
