Conceptual Change in IP Filtering
Rusty Russell
rusty@linuxcare.com.au
Mon, 07 Feb 2000 12:39:45 +1100
In message <20000128161658.B23314@adm079.unix.swx.ch> you write:
> Something which is really broken in Linux IPFW concept is the
> idea of input/forward/output chain. Basically, it means that I
> have to replicate the IP config in the FW setup script.
I agree. This is why the chains have moved in iptables to match the
way people think about their traffic.
Also, the addition of the input interface information to the FORWARD
chain means you don't have to reproduce your routing info to figure
out where a packet came from there.
> It would be much more simple if I could use code like this:
>
> $cmd -allow source ports dest ports
Allow? You mean allow them to come in to, go out from, or pass
through the box? If you really want all of these, you can do:
iptables -N MEGACHAIN
iptables -A INPUT -j MEGACHAIN
iptables -A FORWARD -j MEGACHAIN
iptables -A OUTPUT -j MEGACHAIN
Now you can add your rules to MEGACHAIN and be done. A similar logic
applies to ipchains.
Hope that helps,
Rusty.
--
Hacking time.
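The shared-chain pattern from the reply above, as an added example that is not part of the original mail. The script prints the iptables commands rather than running them, so it can be reviewed first and then piped to sh as root; the function names, the ALLOW list and the 192.0.2.0/24 addresses are this example's own constructed assumptions. Two things the mail does not spell out: with a DROP policy on the three built-in chains, a packet that MEGACHAIN does not ACCEPT returns to the calling chain and is dropped there, and since these rules are stateless, a reply packet traverses MEGACHAIN too, so each allow entry is emitted in both directions.

```shell
#!/bin/sh
# Added example (not from the original post): one user-defined chain,
# MEGACHAIN, reached from INPUT, FORWARD and OUTPUT, so a single list of
# "allow" entries covers traffic to, from and through the box.
# Usage (as root, after reading the output): megachain_rules | sh

# Constructed allow list, one entry per line:
#   proto  src-addr     src-port     dst-addr    dst-port
ALLOW='tcp 0.0.0.0/0 1024:65535 192.0.2.10 22
tcp 0.0.0.0/0 1024:65535 192.0.2.10 80
udp 192.0.2.0/24 1024:65535 192.0.2.1 53'

# Emit one ACCEPT rule in MEGACHAIN for the given 5-tuple.
emit_accept() {
    printf '%s -p %s -s %s --sport %s -d %s --dport %s -j ACCEPT\n' \
        'iptables -A MEGACHAIN' "$1" "$2" "$3" "$4" "$5"
}

megachain_rules() {
    # Default-deny on every built-in chain. Whatever MEGACHAIN does not
    # ACCEPT falls off its end, returns to the caller and hits this policy.
    printf '%s\n' 'iptables -P INPUT DROP' \
                  'iptables -P FORWARD DROP' \
                  'iptables -P OUTPUT DROP'
    # The shared chain and the three jumps from the mail.
    printf '%s\n' 'iptables -N MEGACHAIN' \
                  'iptables -A INPUT -j MEGACHAIN' \
                  'iptables -A FORWARD -j MEGACHAIN' \
                  'iptables -A OUTPUT -j MEGACHAIN'
    # Each allow entry becomes two rules: the request and its reply. The
    # reply also passes through MEGACHAIN (for a forwarded flow, through
    # FORWARD again; for a local one, through INPUT instead of OUTPUT).
    printf '%s\n' "$ALLOW" | while read -r proto src sport dst dport; do
        [ -z "$proto" ] && continue
        emit_accept "$proto" "$src" "$sport" "$dst" "$dport"
        emit_accept "$proto" "$dst" "$dport" "$src" "$sport"
    done
}

# Self-check helper: number of ACCEPT rules the script generates.
megachain_accept_count() {
    megachain_rules | grep -c -- '-j ACCEPT'
}
```

One caveat for anyone extending MEGACHAIN: interface matches do not behave the same from all three callers. A locally generated packet entering via OUTPUT has no input interface, so an `-i` rule can never match it, and a packet entering via INPUT has no output interface for `-o`; put interface-specific rules in the built-in chain that actually sees that interface, before the jump.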