Zoki wrote:
> What I would like to have is your first impression when you see it. Is
> there anything that strikes you as bizarre and impossible?
Well, like most firewall scripts, it's a long list of rules. It's well
commented, so it's fairly easy to understand what's going on, but it's
going to be more time consuming to properly configure, since there are
things you are expected to change throughout the whole script.
Generally, I'm of the opinion that complex scripts are prone to error.
Probably true, since you say that the script is "so watertight it blocks
ALL traffic to and from the server".
It doesn't scratch my itch (which is fine, because it scratches yours).
When I wrote my firewall script, I was trying to accomplish a few goals:
1) easy to configure. To this end, all configuration is done in the
first lines of the file, and (I think) it's well documented. If, at
some point, I write a configuration tool, those lines can easily be
moved into a config file, like /etc/sysconfig/firewall, which leads me
to the second goal:
2) integrate well with Red Hat. The script is written to "fit in" with
a RH system. It shows up in SysV editors, and uses the initscript's
functions. You can start, stop or get the status of the firewall just
like any other script.
3) simple to maintain. By using loops, I have a minimal amount of
script to maintain, and I'm less prone to error.
Most scripts I've seen don't do any of those things.
A few other things:
> # Needed to initially load modules
> #
> /sbin/depmod -a
The system should do this for you. If you have to do this yourself,
then your system is broken.
> # Supports the masquerading of Quake and QuakeWorld by default.
> # This module is for multiple users behind the Linux MASQ server.
> # If you are going to play Quake I, II, and III, use the second example.
> #
> # NOTE: If you get ERRORs loading the QUAKE module, you are running an old
> # kernel that has bugs in it. Please upgrade to the newest kernel.
> #
> #Quake I / QuakeWorld (ports 26000 and 27000)
> /sbin/modprobe ip_masq_quake
>
> #Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
> /sbin/modprobe ip_masq_quake 26000,27000,27910,27960
Note that the instructions say to use one or the other. You can't load
a driver twice, so your configuration probably won't work with Q2/Q3/QW.
> # PPP users:
> # ----------
Correct me if I'm wrong, but you can use the name of an interface in a
rule instead of using an IP. By doing so, you don't need to reload your
rules when the interface comes up (which will eventually leave you with
a LOT of extra rules, until the table fills). You can also simplify
installation, by not messing about with ip-up scripts.
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
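An added example, not Zoki's script and not the reply author's, of the three goals the reply lists: every setting at the top of the file, SysV-style start/stop/status entry points, and loops so each rule family is written once. It also uses interface names (-i ppp0) rather than addresses, so the rules do not have to be reloaded from ip-up when a PPP link comes back. It assumes iptables rather than the ipchains of the original thread; the interface names, the 192.168.1.0/24 network and the port lists are constructed placeholders, and DRY_RUN=1 (the default) prints the rules instead of applying them, so it can be read and tested without root.

```shell
#!/bin/sh
# Minimal SysV-style firewall script (added example, assumes iptables).
# The only lines a user should edit are in the configuration block.

# ---- configuration (constructed example values) ----
EXT_IF="ppp0"                 # external interface, by name rather than IP
INT_IF="eth0"                 # internal LAN interface
INT_NET="192.168.1.0/24"      # internal network
TCP_IN="22 80 443"            # TCP services accepted from outside
UDP_IN="27960"                # UDP services accepted from outside
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}         # 1 = print the commands instead of running them

# run: either print an iptables command (dry run) or execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# fw_start: default-deny policies, then the accept rules, looped per port
fw_start() {
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    run -A INPUT -i "$EXT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $TCP_IN; do
        run -A INPUT -i "$EXT_IF" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $UDP_IN; do
        run -A INPUT -i "$EXT_IF" -p udp --dport "$p" -j ACCEPT
    done
    run -A INPUT -i "$EXT_IF" -j LOG --log-prefix "FW-DROP:"
    # masquerade the LAN out of the external interface
    run -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    run -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
}

# fw_stop: flush everything and open up; start calls this first so that
# re-running the script never leaves the old rules stacked under the new ones
fw_stop() {
    run -F
    run -t nat -F
    run -P INPUT ACCEPT
    run -P FORWARD ACCEPT
    run -P OUTPUT ACCEPT
}

fw_status() {
    run -L -n -v
    run -t nat -L -n -v
}

# fw_rule_count: number of commands fw_start would issue (dry run, subshell)
fw_rule_count() {
    ( DRY_RUN=1; fw_start ) | wc -l | tr -d ' '
}

# fw_uses_ip_for_ext: 1 if any rule names the external interface by address
# instead of by name (nothing in fw_start should); 0 otherwise
fw_uses_ip_for_ext() {
    if ( DRY_RUN=1; fw_start ) | grep -v -- "-i $EXT_IF" | grep -v -- "-o $EXT_IF" | grep -q -- "-[io] [0-9]"; then
        echo 1
    else
        echo 0
    fi
}

case "${1:-}" in
    start|restart) fw_stop >/dev/null; fw_start ;;
    stop)          fw_stop ;;
    status)        fw_status ;;
    *)             echo "Usage: $0 {start|stop|restart|status}" ;;
esac
```

Run it as `sh firewall.sh start` to see the rule set it would install, and `DRY_RUN=0 sh firewall.sh start` as root to apply it. Because stop flushes before start adds, restarting the link or re-running the script does not grow the table, which is the accumulation problem the reply warns about.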