
Re: Starting iptables



* dtutty@porchlight.ca (dtutty@porchlight.ca) wrote:
> 
> As I see it, you have two choices.  If you just want something that
> should do what you want and don't want to have to set anything up, just
> install ipmasq.  It determines what the untrusted network is by where
> the default route or gateway points; it's automatic.  If you want the
> tightest firewall with only the ports you want open, then go with
> shorewall.  

Interesting what you say about ipmasq.  How automatic is it?  I would
have assumed that it had more to do with making your machine a
gateway, which mine isn't, than firewalling itself.  I am assuming
that it does both?  

> The documentation is vast; it's like a book.  You wouldn't buy a big book
> on network security and open it to the middle and expect to know what
> was going on.  Start at the beginning and just read it through.  Trust
> your brain to synthesize and develop a plan for your situation.

I know what you mean there.  I think it turned out to be something
like 550 pages, give or take.  And I actually was reading it from the
beginning, but you can imagine what a task that is just to set up a
couple of rules.  And I was beginning to think that it was not set up
to handle a situation as simple as mine.  Of course, I was wrong.

But, this all begs the question of what Shorewall is really trying to
do.  I would think that the point of these firewall tools would be to
get around the rather difficult process of figuring out iptables.
However, shorewall seems to simply replace the very archaic and tricky
iptables commands and structure with its own equally difficult
version.  Why is that exactly?  Couldn't somebody with that kind of
need simply take the same time and learn the very thing that Shorewall
is manipulating, i.e. iptables?

Patrick
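
As an added illustration (not part of the original thread, and not ipmasq's or Shorewall's own code), the script below shows the two things the exchange above circles around: the ipmasq-style heuristic of taking the untrusted interface from the default route, and the handful of plain iptables rules a standalone, non-gateway host actually needs once you strip away the tooling. The route table it parses is a constructed sample, not output from any real host, and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original thread. Demonstrates (1) picking the
# untrusted interface from the default route, as ipmasq does, and (2) a
# minimal stateful iptables policy for a host that does no forwarding.
# Rules are emitted as text so they can be reviewed before being run.

# Read `ip route show` output on stdin and print the device of the default route.
default_iface() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Constructed sample of `ip route show` output (addresses from the RFC 5737
# documentation ranges; not captured from a real machine).
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.5'

# Emit a minimal ruleset for a standalone host:
#   - default DROP on INPUT and FORWARD (nothing is routed), ACCEPT on OUTPUT
#   - loopback allowed, replies to our own connections allowed
#   - only the listed TCP ports accept new connections on the untrusted interface
# $1 = untrusted interface, remaining args = TCP ports to open
standalone_rules() {
    iface=$1; shift
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    for port in "$@"; do
        echo "iptables -A INPUT -i $iface -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Usage: derive the interface from the sample table, then emit rules opening SSH only.
# On a real host, as root, the same thing would be:
#   standalone_rules "$(ip route show | default_iface)" 22 | sh
IFACE=$(printf '%s\n' "$SAMPLE_ROUTES" | default_iface)
standalone_rules "$IFACE" 22
```

Everything Shorewall generates for a one-interface machine reduces to roughly this: a drop policy, a conntrack rule for return traffic, and one accept per service. Piping the output through `sh` as root applies it; leaving the pipe off lets you read what would change first.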
