« Web hosting solutions - documents will contain the most accurate and up-to-date
tionality can (Unlimited web hosting) be extended without recompiling it. It »

Yahoo web hosting - Consider the case of a configuration for which

Consider the case of a configuration for which the default policy for each of the input, forward, and output chains is deny. In IP chains, six rules would be needed to allow any session through a firewall host: two each in the input, forward, and output chains (one would cover each forward path and one would cover each return path). You can imagine how this could easily become extremely complex and difficult to manage when you want to mix sessions that could be routed and sessions that could connect to the local host without being routed. IP chains allow you to create chains that would simplify this task a little, but the design isn’t obvious and requires a certain level of expertise. In the netfilter implementation with iptables, this complexity disappears completely. For a service to be routed across the firewall host, but not terminate on the local host, only two rules are required: one each for the forward and the reverse directions in the forward chain. This is the obvious way to design firewalling rules, and will serve to simplify the design of firewall configurations immensely. Figure 9.9: Datagram processing chain in netfilter The PACKET-FILTERING-HOWTO offers a detailed list of the changes that have been made, so let’s focus on the more practical aspects here. Backward Compatability with ipfwadm and ipchains The remarkable flexibility of Linux netfilter is illustrated by its ability to emulate the ipfwadm and ipchains interfaces. Emulation makes transition to the new generation of firewall software a little easier. The two netfilter kernel modules called ipfwadm.o and ipchains.o provide backward compatibility for ipfwadm and ipchains. You may load only one of these modules at a time, and use one only if the ip_tables.o module is not loaded. When the appropriate module is loaded, netfilter works exactly like the former firewall implementation. netfilter mimics the ipchains interface with the following commands: rmmod ip_tables modprobe ipchains ipchains … Using iptables The iptables utility is used to configure netfilter filtering rules. Its syntax borrows heavily from the ipchains command, but differs in one very significant respect: it is extensible. What this means is that its func

This entry was posted on Saturday, August 25th, 2007 at 2:20 pm and is filed under Domain. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply