[lug] RH 7.x word of caution

D. Stimits stimits at idcomm.com
Wed Jun 6 21:56:19 MDT 2001 

kevin at scrye.com wrote:
> 
> >>>>> "D" == D Stimits <stimits at idcomm.com> writes:
> 
> D> Kevin Fenzi wrote:
> >> yeah, looks like the redhat 'ipchains' init.d entry doesn't check
> >> the return status of ipchains. You guys might want to file a bug in
> >> the redhat bugzilla on that one...
> 
> D> I did earlier today.
> 
> excellent. :)

Somehow failing to check the return value of something so significant
reminds me of the story of a supertanker that went under and killed
everyone onboard because a small personel hatch at the bow wasn't
latched.

> 
> >> I am using netfilter on my firewall just fine. It's much nicer than
> >> ipchains and seems to work well.
> 
> D> Will the current ipchains rules work on netfilter, or must they be
> D> converted? This is my quandry...deciding what I need to do if I
> D> will use iptables instead of ipchains, with an interest only in
> D> packet filtering.  What are the options?
> 
> you would have to convert them. The syntax is much the same, but there
> are diffrences.
> 
> I would reccomend looking at some of the nice iptables scripts that
> have sprung up (check freshmeat) and see if you can fix one of those
> to meet your needs. ;)

I'm having a hell of a time finding complete info on netfilter. The man
pages, HOWTO, FAQ, kernel Documentation, so on, are all very incomplete.
One of my problems is that apparently there is a different kernel module
required for each change, DENY, one for REJECT (or is it DROP?), one for
MASQ, so on. I have compiled with a ton of iptables modules enabled, but
I cannot get the right module for DENY. The kernel
Documentation/Configure.help does not give direct comments to say that a
particular module is used for DENY. Worse, some of the old ipchains
functionality, it simply states it is now required to be downloaded
separately...one can find this separate source, and even install it, but
there is absolutely no useful documentation after that...I fail to see
how RH ever got the 2.4.2 kernel they use to work with ipchains. If
using iptables -t filter, some parts are very similar to ipchains, but
when I try them and restart iptables, it does not work as expected (no
denial or reject seems possible, but the machine at the other end gave
error reports...the chain rule I tried did not block or drop, but it did
mangle things to the point that xinetd had to be restarted on the other
end).

I will look at freshmeat, but I would be very happy if someone here
could tell me exactly what modules in the more recent kernels (I am
using 2.4.5 with ac patches or 2.4.6 pre1 at the moment...except when
connected to the internet I must use 2.4.2) I need to do the following:
ACCEPT
REJECT
DENY
MASQ

Next, can anyone tell me how to log? I see vague references to
syslog.conf containing the log levels, but absolutely no samples. Is it
not possible to create a rule that simultaneously REJECTs or DENYs,
while logging? Does each log type also need its own kernel module?
Documentation totally sucks.

Needless to say, I'm not having any fun yet.

D. Stimits, stimits at idcomm.com

> 
> D> D. Stimits, stimits at idcomm.com
> 
> kevin
> --
> Kevin Fenzi
> MTS, tummy.com, ltd.
> http://www.tummy.com/  KRUD - Kevin's Red Hat Uber Distribution
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

More information about the LUG mailing list