
Re: some reality about iptables, please

Apparently, Bret Comstock Waldow recently wrote:
> On Fri, 2003-08-29 at 10:44, Steve Lamb wrote:
>>  On 29 Aug 2003 10:26:57 -0400
>> Bret Comstock Waldow <bwaldow@alum.mit.edu> wrote:
>> > Yes, this is a fun place we all get to be individuals in, joking with
>> > each other.  OTOH, I'm a Software Quality Assurance Analyst for a
>> > living, and you don't leave users high and dry, and you don't play
>> > with them.  That's not helpful.
>>
>>     Why any user would want to start off with iptables when the examples
>> provided point to several far easier and more comprehensive methods of
>> handling those rules is beyond me.  Stock answer to anyone who wants to
>> muck around with firewall rules:
>>
>> aptitude install shorewall
>>
>>     Until you've got that down pat you've no business poking directly
>> with iptables IMHO.

> And now I've heard your opinion.  (No deprecation intended, please read
> on).
>
> Notice what I've gone through to get to a place where I get to hear it.
>
> Next, are you correct?  Are you correct in my case?
>
> The reason I switched to Debian is that Red Hat is too proprietary.
> They make non-standard patches to the kernel, they've worked up a
> framework for administrating their distro, etc. that are proprietary.
> To work with it, I have to study Red Hat-isms, that don't apply to
> anything else.

<shorewall-evangelism-mode>

Seriously, I can't think of an easier and more powerful way to set up a
firewall than to use shorewall. Even if you know iptables in and out, I
can't see much reason(*) not to use shorewall.

> So, the question is, what do I spend my time and attention studying?
>
> I've got two external interfaces, eth0 and ppp0.  I've got two virtual
> internal interfaces to VMware, vmnet0 as a bridge to the Internet, and
> vmnet1 as a bridge to the host filesystem via samba.

I believe Steve is right. Try shorewall; it will do everything(*) you
want, and is very well documented and easy to use.

> Should I put my effort into understanding iptables in the first place so
> I can evaluate what shorewall does, or put my effort into trying to get
> shorewall to do something (I can't evaluate if it's working - I don't
> know enough.  What isn't it covering?  How do I know?)

Put effort into getting shorewall set up. It's very easy to get it up and
running, and, IMHO, far surpasses most other firewall builder packages.
There might be better ones that I haven't tried, but I have zero
complaints about shorewall.

> Beyond that, I'm willing to put in the time to learn.  I'm doing that
> now.

http://www.shorewall.net - should have all the info you need. Just go try
it; if I'm wrong about your needs(*), maybe shorewall isn't for you. But
it will still take less time than squeezing answers out of debian-user,
will take *far* less time than understanding iptables, and in the
meantime, you'll have a lot better handle on exactly what functionality
you need.

(*) Unless the three things listed in
http://www.shorewall.net/Shorewall_Doesnt.html are things you need (which
is doubtful) this will probably get you up and running the fastest while
giving you the widest range of flexibility.

</shorewall-evangelism-mode>

Wes
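As an added illustration (not part of Wes's message and not taken from the shorewall project's own documentation), here is roughly what a Shorewall configuration for the setup Bret describes would look like: eth0 and ppp0 together in a `net` zone, vmnet1 as a `loc` zone that is allowed to talk Samba to the host and nothing else, and no entry at all for vmnet0. Assumptions: the file layout is the Shorewall 4.x one (the 1.x/2.x releases of the time laid out `zones` and `interfaces` differently, so check the docs for the installed version); vmnet0 is VMware's bridged network, whose guest traffic is injected onto eth0 at layer 2 and never passes through the host's FORWARD chain, so it gets no zone; and the guests on vmnet1 are not meant to reach the Internet through the host.

```text
# /etc/shorewall/zones          (Shorewall 4.x layout, assumed)
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# Both external interfaces land in the same zone.  vmnet0 (bridged) is
# deliberately absent: assumed to carry guest traffic straight onto eth0
# at layer 2, so the host never routes or filters it.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
net     ppp0        -           tcpflags,nosmurfs
loc     vmnet1      detect      tcpflags

# /etc/shorewall/policy
# Default deny from the outside; the host may talk out; the guests on
# vmnet1 get nothing unless a rule below opens it.  First match wins.
#SOURCE   DEST    POLICY   LOG LEVEL
$FW       net     ACCEPT
$FW       loc     ACCEPT
loc       net     DROP     info
net       all     DROP     info
all       all     REJECT   info

# /etc/shorewall/rules
# The only thing vmnet1 exists for: Samba on the host (plus ping, so a
# guest can tell "firewall" apart from "Samba is down").
#ACTION   SOURCE   DEST    PROTO   DEST PORT(S)
ACCEPT    loc      $FW     tcp     139,445
ACCEPT    loc      $FW     udp     137,138
ACCEPT    loc      $FW     icmp    8
```

Once `shorewall check` passes and `shorewall start` has loaded it, Bret's "what isn't it covering? how do I know?" has a concrete answer: `iptables-save` (or, on newer releases, `shorewall dump`) prints exactly the chains this compiles to, and reading what a known-good config generates is the least painful way to learn iptables anyway. Note that with `net all DROP` nothing from eth0 or ppp0 reaches the host unless a rule says so, so any service that must be reachable from outside (SSH, for instance) needs its own ACCEPT line in `rules`. If the guests should instead reach the Internet through vmnet1 rather than vmnet0, change the `loc net` policy to ACCEPT and add masquerading entries for eth0 and ppp0 in /etc/shorewall/masq.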
