Re: [Sheflug] Re: FreeBSD and Linux.
>>>>> "Chris" == Chris J <Chris> writes:
>> Yes... IPF does seem to be good stuff. I've been following
>> several iptables lists for months now and everyone is very
>> confused.
>>
Chris> As the Linux firewall goes through incarnations, the
Chris> command line syntax not only changes, but gets more
Chris> confusing as well. It also requires multiple invocations of
Chris> iptables/ipchains/ipfwadm to create a firewall.
Chris> OpenBSD's approach is just a lot cleaner, and doesn't
Chris> require multiple invocations.
Chris> I think:
Chris> pass in log quick on ep0 proto tcp from any to any port =
Chris> 22 flags S keep state
Chris> is a lot more meaningful than <insert whatever the cryptic
Chris> ipchains/iptables command-line is to do the same>. Yes, you
Chris> could guess with the ipchains/iptables/ipfwadm commandline,
Chris> but it isn't verbose enough for its meaning to be
Chris> understood immediately.
Guessing - allow TCP connections/data from anywhere (coming in on a
3Com ethernet interface) to port 22:
iptables -A FORWARD -i eth0 -p TCP -s 0.0.0.0/0 --dport 22 -j ACCEPT
should work. What "keep state" means under BSD I dunno - but there are
options for iptables for stateful tracking:
iptables -A FORWARD -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP
allows new connections and packets related to existing connections
from eth0, but drops new connections or invalid packets coming in from
ppp0 rather than passing them through the box.
Packets destined for the box are on the INPUT rule.
Logging is another target:
iptables [conditions] -j LOG
I guess my brain is slightly different - IMHO, BSD firewalling is very
terse in comparison to iptables or ipchains.
Never mind - I'll probably learn it over the next couple of weeks/months.
Baz.
--
Barrie J. Bremner OpenPGP public key ID: 5164F553
baz [at] barriebremner.com http://barriebremner.com/
___________________________________________________________________
Sheffield Linux User's Group - http://www.sheflug.co.uk .
To unsubscribe from this list send mail to
shef-lug-request@list.sheflug.org.uk with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.
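The pieces Baz lists above (the state match, the LOG target, and the INPUT/FORWARD split) assembled into one stateful ruleset that does what Chris's IPF one-liner does. This is an added example, not code from the original mail or from any of its authors. IPF's "keep state" enters the connection in a state table so that later packets of that flow pass without needing their own rule, which is what iptables' `-m state` does; IPF's "flags S" (SYN set, the other flags clear) is spelled `--syn` in iptables. The script assumes eth0 is the LAN side and ppp0 the Internet side, and by default only prints the rules it would load (IPTABLES defaults to `echo iptables`), so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not from the original post: a stateful iptables ruleset
# built from the state match, the LOG target and the INPUT/FORWARD split.
# Assumptions: eth0 is the LAN interface, ppp0 the Internet link, and the
# box itself runs sshd. IPTABLES defaults to "echo iptables" so the rules
# are printed rather than applied; run with IPTABLES=iptables as root to
# load them for real.

IPTABLES=${IPTABLES:-echo iptables}
LAN=eth0
WAN=ppp0
SSH_PORT=22

ipt() { $IPTABLES "$@"; }

# Emit the whole ruleset. Order matters: each chain is evaluated top to
# bottom and the first terminal target (ACCEPT/DROP) wins. LOG is not
# terminal, so a LOG rule must sit immediately before the DROP (or ACCEPT)
# it is meant to record, with the same match.
build_ruleset() {
    # Default-deny for traffic to and through the box; start from empty chains.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT
    ipt -F FORWARD

    # Loopback is always allowed.
    ipt -A INPUT -i lo -j ACCEPT

    # Packets belonging to flows the tracker already knows about, plus
    # related ones (e.g. ICMP errors, FTP data). This is "keep state".
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets the tracker cannot classify at all: log, then drop.
    ipt -A INPUT -m state --state INVALID -j LOG --log-prefix "fw-invalid: "
    ipt -A INPUT -m state --state INVALID -j DROP

    # The IPF rule: new SSH connections (SYN only) to this box from the
    # LAN side, logged and accepted. Host-bound traffic lives in INPUT,
    # not FORWARD.
    ipt -A INPUT -i "$LAN" -p tcp --dport "$SSH_PORT" --syn -m state --state NEW \
        -j LOG --log-prefix "fw-ssh-new: "
    ipt -A INPUT -i "$LAN" -p tcp --dport "$SSH_PORT" --syn -m state --state NEW \
        -j ACCEPT

    # LAN hosts may open new connections out through the box...
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
    # ...but nothing new or unclassifiable comes in from the Internet side.
    ipt -A FORWARD -i "$WAN" -m state --state NEW,INVALID -j LOG --log-prefix "fw-wan-drop: "
    ipt -A FORWARD -i "$WAN" -m state --state NEW,INVALID -j DROP
}

# Inspection helpers usable without root (they only read the printed rules).
ruleset_lines() { build_ruleset | wc -l | tr -d ' '; }          # number of rules
ruleset_has()   { build_ruleset | grep -q -- "$1"; }             # is this rule present?
rule_index()    { build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1; }  # 1-based position

build_ruleset
```

Run it as-is to review the rule list; once it looks right, `IPTABLES=iptables sh fw.sh` as root loads it. Two things the single-line guesses in the post do not show: the default policy of DROP is what turns the ACCEPT rules into a whitelist, and a LOG rule only records what its neighbouring DROP discards if it carries the same match and comes first.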