
Re: ipf ipnat iptables
On Fri, Nov 01, 2002 at 08:24:42AM -0600, Bob T. Kat wrote:
> Ipf/ipnat (old bsd firewalling) = rules are processed as last match
> wins, in other words all the rules are processed and the last rule that
> is matched is the one that is gone with

Ah.  I can see where this would make switching to Linux firewalling
confusing.

Hmm...  Actually though, if you look at it a little differently, it's
not so confusing.

> Example:  
> No pets are allowed (first rule)

So the policy (iptables -P $chain) is to allow nothing (DROP).

> Except brown and grey cats (second rule)
> Except penguins (third rule)

And then you allow the traffic you want (iptables -A $chain).

I usually have a last LOG and then DROP rule just to be complete,
since I really don't like things just falling off a chain (and being
handled by the default policy), but that's just me.

> Iptables/ipchains (new style firewalling) = rules are processed as first
> match wins, in other words as soon as a packet matches a rule it jumps
> to the target (accept, deny, reject) and rule processing stops, this is
> the opposite of the ipf/ipnat system.

Actually, that's only true when the target is one of the built-in
targets (ACCEPT, REJECT, or DROP).  When the target is LOG, processing
continues, and when the target is a user-defined chain, processing
continues if the user-defined chain doesn't catch a packet with an
ACCEPT, REJECT, or DROP.

I should note that there are other targets, but most of them are
terminating rules like ACCEPT and company.

Steve
-- 
steve@silug.org           | Southern Illinois Linux Users Group
(618)398-7360             | See web site for meeting details.
Steven Pritchard          | http://www.silug.org/

-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.
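The default-deny shape Steve describes (policy DROP, explicit ACCEPTs, a user-defined chain that falls back to the calling chain when it matches nothing, and a non-terminating LOG ahead of the final DROP), as an added example that is not part of the original message. The chain name PETS, the RFC 5737 documentation addresses, the ports, and the IPTABLES/print_cmd dry-run wrapper are assumptions made here for illustration, not anything from the list post.

```shell
#!/bin/sh
# Added example, not from the original message: an iptables ruleset in the
# "default deny, then allow the exceptions" shape the reply describes.
# Addresses are RFC 5737 documentation ranges and the ports/chain name are
# illustrative assumptions.  IPTABLES=print_cmd gives a dry run.
set -eu

IPTABLES="${IPTABLES:-iptables}"
ipt() { "$IPTABLES" "$@"; }
print_cmd() { printf '%s\n' "$*"; }

build_rules() {
    # Rule 1 ("no pets are allowed"): the chain policy.  It only applies to a
    # packet that falls off the end of INPUT without hitting a terminating
    # target (ACCEPT, DROP, REJECT).
    ipt -P INPUT DROP

    # Start from a clean INPUT chain and an empty user-defined chain.
    ipt -F INPUT
    ipt -N PETS 2>/dev/null || ipt -F PETS

    # Housekeeping every default-deny host needs: loopback, and replies to
    # connections this host started.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Hand new TCP connections to the user-defined chain.  If nothing in
    # PETS terminates the packet, control returns here and INPUT keeps
    # going with the next rule, exactly as the reply explains.
    ipt -A INPUT -p tcp --syn -j PETS

    # Rule 2 ("except brown and grey cats"): SSH from two management nets.
    ipt -A PETS -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
    ipt -A PETS -p tcp --dport 22 -s 198.51.100.0/24 -j ACCEPT
    # Rule 3 ("except penguins"): HTTP from anywhere.
    ipt -A PETS -p tcp --dport 80 -j ACCEPT
    # No explicit RETURN needed; falling off the end of PETS returns to INPUT.

    # LOG is non-terminating: the packet is logged and then continues to the
    # DROP that follows, so nothing silently falls through to the policy.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    ipt -A INPUT -j DROP
}

# Dry run: print the commands instead of executing them (subshell so the
# override of IPTABLES does not leak into the caller).
dry_run() { ( IPTABLES=print_cmd; build_rules ); }

# Number of rules in the dry-run output that jump to the given target.
count_target() { dry_run | grep -c -- "-j $1"; }

# True when the LOG rule precedes the final DROP in INPUT, i.e. the
# non-terminating LOG actually gets a chance to fire.
log_before_drop() {
    log_line=$(dry_run | grep -n -- '-j LOG' | cut -d: -f1)
    drop_line=$(dry_run | grep -n -- '-A INPUT -j DROP' | cut -d: -f1)
    [ "$log_line" -lt "$drop_line" ]
}

# "sh fw.sh dry" prints the ruleset; "sh fw.sh" applies it (needs root).
if [ "${1:-}" = "dry" ]; then dry_run; fi
```

Run it with `dry` first and read the order: the two ACCEPT rules for loopback and established traffic, the jump to PETS, and only then the LOG/DROP pair. On a remote host you would normally feed the same rules to iptables-restore so the flush and the new rules land atomically rather than one command at a time.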