
Re: ipf ipnat iptables



Ok, the policies I wasn't quite getting either, but now it's starting to make
sense. I was jumping straight to the rules, but now after looking at it for a
few days I pretty much get it. Just a bit of a shocker going from something
as simple as 1 straight set of rules for filtering and 1 straight set of
rules for natting to several chains of rules where everything kind of meshes
into one. You know how old habits are hard to break (insert lyric from
Fleetwood Mac tune, ok bad joke I know).

Bob T. Kat
----- Original Message -----
From: "Steven Pritchard" <steve@silug.org>
To: <silug-discuss@silug.org>
Sent: Friday, November 01, 2002 12:36 PM
Subject: Re: ipf ipnat iptables


> On Fri, Nov 01, 2002 at 08:24:42AM -0600, Bob T. Kat wrote:
> > Ipf/ipnat (old bsd firewalling) = rules are processed as last match
> > wins, in other words all the rules are processed and the last rule that
> > is matched is the one that is gone with
>
> Ah.  I can see where this would make switching to Linux firewalling
> confusing.
>
> Hmm...  Actually though, if you look at it a little differently, it's
> not so confusing.
>
> > Example:
> > No pets are allowed (first rule)
>
> So the policy (iptables -P $chain) is to allow nothing (DROP).
>
> > Except brown and grey cats (second rule)
> > Except penguins (third rule)
>
> And then you allow the traffic you want (iptables -A $chain).
>
> I usually have a last LOG and then DROP rule just to be complete,
> since I really don't like things just falling off a chain (and being
> handled by the default policy), but that's just me.
>
> > Iptables/ipchains (new style firewalling) = rules are processed as first
> > match wins, in other words as soon as a packet matches a rule it jumps
> > to the target (accept, deny, reject) and rule processing stops, this is
> > the opposite as the ipf/ipnat system.
>
> Actually, that's only true when the target is one of the built-in
> targets (ACCEPT, REJECT, or DROP).  When the target is LOG, processing
> continues, and when the target is a user-defined chain, processing
> continues if the user-defined chain doesn't catch a packet with an
> ACCEPT, REJECT, or DROP.
>
> I should note that there are other targets, but most of them are
> terminating rules like ACCEPT and company.
>
> Steve
> --
> steve@silug.org           | Southern Illinois Linux Users Group
> (618)398-7360             | See web site for meeting details.
> Steven Pritchard          | http://www.silug.org/
>
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.
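The two evaluation models the thread compares, as an added toy model that is not from the list or from netfilter itself: `iptables_eval` applies first-match-wins with Steve's caveats (LOG does not terminate, a user-defined chain hands the packet back if nothing in it hit a terminating target, falling off a built-in chain yields its policy), while `ipf_eval` applies ipf's last-match-wins. The rule sets, packet dicts and chain names are constructed for the pets example.

```python
# Toy model (added here, not netfilter code) of the semantics described above.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def iptables_eval(chains, policies, chain, pkt, log):
    """First match wins, except LOG keeps going and a user-defined chain
    hands the packet back if nothing inside it hit a terminating target."""
    for match, target in chains[chain]:
        if not match(pkt):
            continue
        if target in TERMINATING:
            return target
        if target == "LOG":                  # non-terminating: record and walk on
            log.append((chain, pkt))
            continue
        verdict = iptables_eval(chains, policies, target, pkt, log)  # user chain
        if verdict is not None:
            return verdict
    return policies.get(chain)               # fell off the end: policy, or None for a user chain

def ipf_eval(rules, default, pkt):
    """ipf/ipnat style: every rule is examined and the last match wins."""
    verdict = default
    for match, target in rules:
        if match(pkt):
            verdict = target
    return verdict

# The thread's "no pets, except brown/grey cats and penguins" example.
is_cat = lambda p: p["kind"] == "cat"
is_penguin = lambda p: p["kind"] == "penguin"
ok_colour = lambda p: p.get("colour") in ("brown", "grey")
anything = lambda p: True
CHAINS = {"INPUT": [(is_cat, "CATS"), (is_penguin, "ACCEPT"),
                    (anything, "LOG"), (anything, "DROP")],   # LOG-then-DROP tail
          "CATS": [(ok_colour, "ACCEPT")]}                    # user-defined chain
POLICIES = {"INPUT": "DROP"}
IPF_RULES = [(anything, "block"),                             # catch-all first...
             (lambda p: is_cat(p) and ok_colour(p), "pass"),  # ...exceptions after
             (is_penguin, "pass")]

def verdicts(pkt):
    """(iptables verdict, ipf verdict, packets logged) for one packet."""
    log = []
    return (iptables_eval(CHAINS, POLICIES, "INPUT", pkt, log),
            ipf_eval(IPF_RULES, "block", pkt), len(log))

def ipf_order_under_iptables(pkt):
    """The old habit: ipf's catch-all-first ordering under first-match rules."""
    chain = {"INPUT": [(m, "DROP" if t == "block" else "ACCEPT") for m, t in IPF_RULES]}
    return iptables_eval(chain, POLICIES, "INPUT", pkt, [])
```

`ipf_order_under_iptables` shows the trap Bob describes: the ipf ordering, carried over unchanged, drops even the permitted cats because the catch-all matches first.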

