
Re: [Sheflug] Re: FreeBSD and Linux.



>>>>> "Chris" == Chris J <Chris> writes:

    >>  Yes... IPF does seem to be good stuff.  I've been following
    >> several iptables lists for months now and everyone is very
    >> confused.
    >> 

    Chris> As the Linux firewall goes through incarnations, the
    Chris> command line syntax not only changes, but gets more
    Chris> confusing as well. It also requires multiple invocations of
    Chris> iptables/ipchains/ipfwadm to create a firewall.

    Chris> OpenBSD's approach is just a lot cleaner, and doesn't
    Chris> require multiple invocations.

    Chris> I think:

    Chris> pass in log quick on ep0 proto tcp from any to any port =
    Chris> 22 flags S keep state

    Chris> is a lot more meaningful than <insert whatever the cryptic
    Chris> ipchains/iptables command-line is to do the same>. Yes, you
    Chris> could guess with the ipchains/iptables/ipfwadm commandline,
    Chris> but it isn't verbose enough for its meaning to be
    Chris> understood immediately.

Guessing - allow TCP connections/data from anywhere (coming in on a
3Com ethernet interface) to port 22:

iptables -A FORWARD -i eth0 -p TCP -s 0.0.0.0/0 --dport 22 -j ACCEPT

should work. What "keep state" means under BSD I dunno - but there are
options for iptables for stateful tracking:

iptables -A FORWARD -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP

allows new connections and packets related to existing connections
from eth0, but drops new connections or invalid packets coming in from
ppp0 from being passed through the box.

Packets destined for the box are on the INPUT rule.

Logging is another target:

iptables [conditions] -j LOG

I guess my brain is slightly different - IMHO, BSD firewalling is very
terse in comparison to iptables or ipchains.
Never mind - I'll probably learn it over the next couple of weeks/months.

Baz.

-- 
Barrie J. Bremner		OpenPGP public key ID: 5164F553
baz [at] barriebremner.com	http://barriebremner.com/
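An added example, not part of Baz's message or the list archive: the quoted pf rule (pass in, log, tcp to port 22, flags S, keep state) translated into an iptables rule set on the INPUT chain, since the post notes that packets destined for the box itself are handled there rather than in FORWARD. The interface name, the log prefix and the IPT/IFACE variables are assumptions; by default the function only echoes the commands so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the original post): iptables equivalent of
#   pass in log quick on ep0 proto tcp from any to any port = 22 flags S keep state
# IPT and IFACE are assumed names. Default is a dry run that prints the
# commands; run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"   # assumed interface; pf's ep0 is a 3Com card

ssh_in_rules() {
    # "keep state": replies and follow-on packets of a connection that was
    # already accepted pass without being matched against later rules.
    $IPT -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # "flags S": only a bare SYN may open a new connection to port 22.
    # "log": LOG is a non-terminating target in iptables, so the packet
    # is logged by one rule and then accepted by the next.
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 22 --syn -m state --state NEW -j LOG --log-prefix "ssh-new: "
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
    # Packets that belong to no tracked connection and are not a valid
    # opening SYN (the INVALID state) are dropped explicitly.
    $IPT -A INPUT -i "$IFACE" -m state --state INVALID -j DROP
    # Default policy last, so an existing admin session is never without
    # its ESTABLISHED rule: anything not allowed above is dropped.
    $IPT -P INPUT DROP
}

ssh_in_rules
```

Rule order is the point to check: the ESTABLISHED,RELATED rule has to come before the SYN rules, otherwise every packet of an open session is re-evaluated, and the LOG rule has to precede the ACCEPT for the same match, because ACCEPT ends traversal. Where OpenBSD's "quick" stops at the first match, iptables stops only at a terminating target such as ACCEPT or DROP.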


___________________________________________________________________

Sheffield Linux User's Group - http://www.sheflug.co.uk . 
To unsubscribe from this list send mail to 
shef-lug-request@list.sheflug.org.uk with the word
"unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.