[ale] ipchains in 2.4.13

Transam transam at cavu.com
Fri Jan 25 15:46:10 EST 2002


> OK. When the guru of practical linux security speaks, I've learned it's
> a good idea to listen ;)

Thanks ;^)

> While I agree with everything that Bob noted, I must defend my statement
> that iptables is superior to ipchains.

> I based this opinion on two features of iptables missing in ipchains.

> 1. The structure of iptables is significantly clearer than ipchains.
> Packets that are to be relayed traverse the forward chain only by
> default. ipchains had relayed packets going through input, forward and
> output. Input and output, for iptables, are only for packets destined
> for the machine itself. That seems much clearer to me.

While this part of IP Tables' design seems elegant conceptually, in
reality it means duplicating rules, once for traffic to the Firewall
itself and again for forwarded traffic.  For traffic allowed on both
the Firewall itself and the network, such as SSH, DNS, and email, this
is a waste of time.  If one really wants to differentiate (e.g., SSH)
then this can be done by IP address or interface.

The "seeming elegant" but practically being a pain in the BLEEP is my
biggest criticism of IP Tables.  I'm tempted to grab the source to the
command and enhance it to remove most of the stupidity.  I.e., recognize
the IP Chains names of things, move "-p TCP" before "--dport", etc.  This
would go a long way to making IP Tables more usable.  I suppose I also
should improve the documentation, especially regarding the use of its
statefulness.

Heck, making the timeouts dynamic and randomizing the Masquerading
ports assigned would be an improvement.

> 2. The mark function of iptables worked. I was unable to mark specified
> packets in ipchains for specific routing needs.

> I'm sure someone could explain how to mark packets in ipchains. But when
> I emailed Rusty Russell, the chief architect of ipchains and iptables,
> requesting a pointer as to how to make it work, his reply was to use
> iptables for this, not ipchains. And it worked.

So you're saying that because you could not figure out how to mark packets
this is a defect in IP Chains?  My understanding is that it does work in
IP Chains; I'll probably be using marking in it soon.

I'm not saying that one should not use IP Tables.  I'm saying that as a
practical matter the difference is more like bash vs. csh or vi vs. emacs
rather than M$ vs Linux.

> --
> James P. Kinney III   \Changing the mobile computing world/
> President and COO      \          one Linux user         /
> Local Net Solutions,LLC \           at a time.          /
> 770-493-8244             \.___________________________./

> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7

Bob Toxen
transam at cavu.com                       [Bob's ALE Bulk email]
bob at cavu.com                           [Please use for email to me]
http://www.cavu.com                    [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com/ [My 5* book:"Real World Linux Security"]
http://www.cavu.com/sunset.html        [Sunset Computer]
Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
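As an added illustration of the rule duplication Bob describes above (this is not code from the thread or from either author), a dry-run shell script that emits rules for a constructed service list two ways: once per built-in chain, and once through a user-defined chain that both INPUT and FORWARD jump to. The variables IPT and INT_IF, the service list and the chain name "services" are assumptions; the script only echoes the commands unless IPT is set to a real iptables binary.

```shell
#!/bin/sh
# Dry run by default: run with IPT=iptables as root to apply for real.
IPT="${IPT:-echo iptables}"
INT_IF="${INT_IF:-eth1}"   # assumed internal interface, used to restrict SSH

# Constructed list of services allowed both to the firewall and through it.
TCP_SERVICES="25 53"       # smtp, dns over tcp
UDP_SERVICES="53"          # dns over udp

# Naive layout: every service needs one rule in INPUT and an identical one
# in FORWARD.  Note "-p tcp" must precede "--dport", since --dport belongs
# to the protocol match module.
naive_rules() {
    $IPT -A INPUT   -i "$INT_IF" -p tcp --dport 22 -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -p tcp --dport 22 -j ACCEPT
    for p in $TCP_SERVICES; do
        $IPT -A INPUT   -p tcp --dport "$p" -j ACCEPT
        $IPT -A FORWARD -p tcp --dport "$p" -j ACCEPT
    done
    for p in $UDP_SERVICES; do
        $IPT -A INPUT   -p udp --dport "$p" -j ACCEPT
        $IPT -A FORWARD -p udp --dport "$p" -j ACCEPT
    done
}

# Shared-chain layout: services are listed once in a user-defined chain;
# INPUT and FORWARD each jump to it.  SSH is differentiated by interface,
# which works the same in both built-in chains.
shared_rules() {
    $IPT -N services
    $IPT -A services -i "$INT_IF" -p tcp --dport 22 -j ACCEPT
    for p in $TCP_SERVICES; do
        $IPT -A services -p tcp --dport "$p" -j ACCEPT
    done
    for p in $UDP_SERVICES; do
        $IPT -A services -p udp --dport "$p" -j ACCEPT
    done
    $IPT -A INPUT   -j services
    $IPT -A FORWARD -j services
}

# Count the ACCEPT rules a layout emits in dry-run mode.
count_accepts() { "$1" | grep -c -- '-j ACCEPT'; }
```

With the constructed list the naive layout emits eight ACCEPT rules and the shared-chain layout four, the difference growing with every service added.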

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.