> It's not a parade, it's what old-timers do, it's how I learn. I started that way too (being an old-timer myself ;-)
However, after consuming info available on the net and buying/reading an iptables book, I quickly came to realize that it's quite easy to shoot yourself in the foot with iptables. Shorewall, and many of the other alternatives, end up handling the nuances of iptables quite nicely and take most of the bullets out of your gun, thus protecting your feet.

> > /etc/shorewall/interfaces:
> >
> > # Assumes you're getting IP address from dhcp server
> > net eth0 detect dhcp,routefilter,norfc1918,tcpflags
> >
> > # Assumes you're serving dhcp to internal systems
> > loc eth1 detect dhcp,tcpflags
>
> how about for a static
> loc eth1 detect tcpflags <????????>

Yes, the /etc/shorewall/interfaces file has excessive documentation that explains what would go on the end.

> > Thanks for your help. I think I've got enough here to get
> > it basically working. Once I make the rulesets more complex,
> > I'll use shorewall generated rules and configs to see what I
> > have missed.

You may be in a little trouble if you're talking about mixing shorewall & iptables... They really don't play well together. Shorewall (and many of the others) create custom chains to contain individual rules of varying types. The problem is that these custom chains tend to get intertwined with each other, and trying to identify a shorewall-based iptables rule that you want to copy to a straight iptables implementation can be difficult. On top of that, if you start shorewall it basically clears all existing chains to load its own info, so all firewall rules must be kept in the shorewall files. So you really have to pick one or the other, but not both.

Dave
-- 
gentoo-user@gentoo.org mailing list
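For reference, here is the static-address variant of the two-interface setup discussed in the thread, written out as a complete minimal config. This is an added example, not something posted by Dave or the original questioner; it assumes Shorewall 3.x file layouts (the era in which the `norfc1918` option still exists), the eth0/eth1 naming from the thread, and a private-address LAN behind eth1 that is NATed out through eth0.

```text
# /etc/shorewall/zones        (columns: ZONE TYPE)
fw   firewall
net  ipv4
loc  ipv4

# /etc/shorewall/interfaces   (columns: ZONE INTERFACE BROADCAST OPTIONS)
# eth0 has a static address: drop the "dhcp" option, since nothing on this
# interface needs to exchange DHCP traffic with the ISP.
net  eth0  detect  routefilter,norfc1918,tcpflags
# eth1 is static too, but "dhcp" controls whether DHCP traffic is permitted
# on the interface, not how the interface obtains its own address. Keep it
# if this box (or anything bridged on eth1) still serves DHCP to the LAN.
loc  eth1  detect  dhcp,tcpflags
# With no DHCP server on the LAN at all, this is all that is needed:
# loc  eth1  detect  tcpflags

# /etc/shorewall/policy       (columns: SOURCE DEST POLICY LOG-LEVEL)
loc  net  ACCEPT
$FW  net  ACCEPT
net  all  DROP    info
all  all  REJECT  info

# /etc/shorewall/masq         (columns: INTERFACE SUBNET)
# Assumed: LAN uses RFC1918 addresses and is NATed out of eth0.
eth0  eth1

# /etc/shorewall/rules        (columns: ACTION SOURCE DEST PROTO DEST-PORT)
# Assumed: SSH from the LAN to the firewall itself is wanted.
ACCEPT  loc  $FW  tcp  22
```

Run `shorewall check` to validate the files before `shorewall start` or `shorewall restart`, and inspect the resulting chains with `shorewall show` rather than by editing them with iptables directly, since (as Dave notes above) every start rebuilds the chains from these files and hand-added iptables rules do not survive it.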