Hi, where I work, I have developed a framework to flexibly initialize netfilter packet filter rules called netfilter-init. We install it from a debian file, and the code is licensed GPL. It currently does what we need, but that is not enough for a package in Debian.
The package is currently lacking support for dynamic IP addresses, and building the packet filter rules is way too slow. Our most complex machine takes seven minutes to build a new rule set. It is so slow because everything is implemented as shell scripts. There are plans to convert the significant part of code to C++ and to use iptables --restore to establish the rule set instead of issuing bazillions of iptables calls.

Rene Mayrhofer's gibraltar does use our framework, and so does our own firewall product.

I am wondering if a package in this state of code would be a good idea in experimental. No way it will be in unstable unless the speed issues are solved and support for dynamic IP addresses is established.

May I ask for some comments about this?

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         | " Questions are the           | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom "         | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
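As an added illustration of the iptables-restore approach the post mentions (example code, not netfilter-init's own): the whole rule set is generated as text in one pass and then loaded in a single transaction, so a rebuild for a changed address costs one iptables-restore call rather than one iptables call per rule. The interface name, its current address and the permitted TCP ports are assumed inputs here; on a real host the address would be read from `ip -4 addr show`.

```shell
#!/bin/sh
# Added example: build a ruleset in iptables-restore format, then load it
# atomically. Values passed by the caller are assumptions, not real hosts.

# gen_ruleset IFACE ADDR "PORT PORT ..." -> prints a complete *filter table
gen_ruleset() {
    iface=$1
    addr=$2
    ports=$3
    printf '%s\n' '*filter'
    # Default-deny inbound and forwarded traffic; outbound is allowed.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One NEW-connection accept per permitted port, bound to the current
    # address: this is the part that must be regenerated when the IP changes.
    for p in $ports; do
        printf '%s\n' "-A INPUT -i $iface -d $addr -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' 'COMMIT'
}

# count_rules FILE -> number of -A lines, a cheap sanity check before loading
count_rules() {
    grep -c '^-A ' "$1"
}

# apply_ruleset FILE -> syntax-check with --test, then load in one kernel
# transaction; if either step fails the running ruleset is left untouched.
apply_ruleset() {
    iptables-restore --test "$1" || return 1
    iptables-restore "$1"
}

# Demo when run as "sh script.sh demo": constructed interface/address/ports.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    gen_ruleset eth0 192.0.2.10 "22 443" > "$tmp"
    cat "$tmp"
    echo "rules: $(count_rules "$tmp")"
    rm -f "$tmp"
fi
```

Because iptables-restore replaces the table in one step, a half-built rule set is never active, which is also the property that matters when the address changes under a live firewall.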