[PLUG] problem with bridging, iptables, and wireless - solved
Kris
krisa at subtend.net
Thu Jan 18 19:54:27 UTC 2007
Carla Schroder wrote:
> I think some folks go a little nuts when it comes to writing iptables rules
> and go on these wild sprees and write a gazillion rules just because they
> can. I don't want to maul those poor little packets unnecessarily, and I sure
> don't want to make a simple firewall script my life's work.
I've done NAT on a Cisco (which *was* Internet security for SOHO back in
the day), self-rolled iptables, pf, and some of the firewall kits for Linux.
I gave up writing my own iptables scripts. I agree that you could make
an unprofitable career out of maintaining it. :)
> Same here, with any prefab firewall thingy. It seems like all the specialized
> firewall/WAP Linuxes, and all the firewall tools that are supposed to make
> iptables easier just make bigger messes. Have you ever looked at IPCop's
> iptables rules? Big spaghetti tangle of Bash scripting and gobs of rules for
> gosh knows what. More complexity doesn't mean more security, not when it's
> such a tangle you don't understand what it's doing.
I will defend the complexity a bit by saying that there are some very
interesting network hacks that require tricks in order to counter. PF
has some interesting features that clean packets to and from a firewall.
I've standardized on Shorewall both for host and network iptables
management. Every time I've needed to debug, I've been able to
navigate Shorewall's output from `iptables -L -vn`. OpenVPN
configuration and termination is easily managed as well. I have yet to
play with Shorewall+IPsec. Things got a little muddy in the switch from
2.4 to 2.6 with the move from dedicated interfaces to security contexts
maintained by the kernel.
--
I'm just a packet pusher.
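The debugging step Kris mentions, reading the rule set back out of `iptables -L -vn`, is easier when the listing is turned into something you can query. The following is an added example for this thread, not code from Kris's post or from Shorewall: it parses the counter, target, protocol, interface and match columns of that listing and reports rules whose packet counter is still zero (rules that have never matched, which is where "gobs of rules for gosh knows what" usually show up). The listing in `SAMPLE` is constructed for the example, not captured from a real host, and the `K`/`M`/`G` counter suffixes are the abbreviations iptables prints for large counters.

```python
"""Parse `iptables -L -vn` output into structured rules and flag rules that
have never matched a packet.  Added example for this thread; not Kris's or
Shorewall's code.  SAMPLE below is a constructed listing, not real output."""
import re

# Constructed sample of `iptables -L -vn` output (counters and rules invented).
SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 840 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234 98765 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 5678 1234K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   12   720 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     udp  --  eth0   *       10.0.0.0/8           0.0.0.0/0            udp dpt:161

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  3200 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 999 packets, 80K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# iptables abbreviates large counters with these suffixes (decimal, not binary).
_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
# Built-in chains carry a policy; user-defined chains carry a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
USER_CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")


def parse_counter(tok):
    """'1234K' -> 1234000; plain digits pass through unchanged."""
    if tok[-1] in _SUFFIX:
        return int(tok[:-1]) * _SUFFIX[tok[-1]]
    return int(tok)


def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [rule dicts]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        m = USER_CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": None, "rules": []}
            continue
        fields = line.split()
        if fields[0] == "pkts" or current is None:
            continue  # the column-header line under each chain
        pkts, byts, target, prot, opt, inp, out, src, dst = fields[:9]
        chains[current]["rules"].append({
            "pkts": parse_counter(pkts),
            "bytes": parse_counter(byts),
            "target": target, "prot": prot, "in": inp, "out": out,
            "src": src, "dst": dst,
            # Whatever follows the fixed columns is match-extension text,
            # e.g. 'tcp dpt:22' or 'state RELATED,ESTABLISHED'.
            "match": " ".join(fields[9:]),
        })
    return chains


def unused_rules(chains):
    """(chain, rule number, target, match) for every rule with a zero packet
    counter: either dead weight, or traffic you expected is being caught by
    an earlier rule, which is exactly what you want to know when debugging."""
    found = []
    for name, chain in chains.items():
        for idx, rule in enumerate(chain["rules"], start=1):
            if rule["pkts"] == 0:
                found.append((name, idx, rule["target"], rule["match"]))
    return found


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for chain, idx, target, match in unused_rules(parsed):
        print(f"{chain} rule {idx}: {target} {match!r} has matched no packets")
```

On a live host you would feed it `subprocess.check_output(["iptables", "-L", "-vn"])` instead of `SAMPLE`; counters reset on reboot or `iptables -Z`, so a zero only means "not hit since the counters were last cleared", not "never needed".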