[PLUG] problem with bridging, iptables, and wireless- solved

Kris krisa at subtend.net
Thu Jan 18 19:54:27 UTC 2007


Carla Schroder wrote:
> I think some folks go a little nuts when it comes to writing iptables rules 
> and go on these wild sprees and write a gazillion rules just because they 
> can. I don't want to maul those poor little packets unnecessarily, and I sure 
> don't want to make a simple firewall script my life's work.

I've done NAT on a Cisco (which *was* Internet security for SOHO back in
the day), self-rolled iptables, pf, and some of the firewall kits for Linux.

I gave up writing my own iptables scripts.  I agree that you could make
an unprofitable career out of maintaining it. :)

> Same here, with any prefab firewall thingy. It seems like all the specialized 
> firewall/WAP Linuxes, and all the firewall tools that are supposed to make 
> iptables easier just make bigger messes. Have you ever looked at IPCop's 
> iptables rules? Big spaghetti tangle of Bash scripting and gobs of rules for 
> gosh knows what. More complexity doesn't mean more security, not when it's 
> such a tangle you don't understand what it's doing.

I will defend the complexity a bit by saying that there are some very
interesting network hacks that require tricks in order to counter.  PF
has some interesting features that clean packets to and from a firewall.

I've standardized on Shorewall both for host and network iptables
management.  Every time I needed to debug I've always been able to
navigate Shorewall's output from `iptables -L -vn`.  OpenVPN
configuration and termination is easily managed as well.  I have yet to
play with Shorewall+IPsec.  Things got a little muddy in the switch from
2.4 to 2.6 with the move from dedicated interfaces to security contexts
maintained by the kernel.

-- 
I'm just a packet pusher.
