On Mon, 2005-02-21 at 11:13 +1100, Devraj Mukherjee wrote:

> I have managed to set up my default firewall rules using iptables. I
> noticed on a Red Hat box that I run, that it creates a new chain called
> RH-ToolKit and forwards the INPUT chain to the RH-ToolKit chain.
I've never used RedHat, but the naming of the chain suggests that the RedHat
tools modify the contents of the RH-ToolKit chain, while leaving the other
entries in INPUT alone. This would prevent RH-ToolKit from hosing your
handcrafted iptables setup.

> I just wanted to ask if there are any obvious advantages of doing that
> over just modifying the rules in the INPUT chain.

As the complexity of a firewall increases, you're going to need chains to
keep things organised. A simple firewall protecting a workstation is
unlikely to need additional chains, whereas a border router protecting a
DMZ and internal network is an entirely different matter.

In the end, I suppose it's personal preference. Given today's hardware, the
performance impact of using chains should be negligible in most situations.
Give me the readability of chains any day!

Just be aware that the use of chains alone does not guarantee readability.
If you don't plan out your firewall config first, you can easily end up
with an untraceable (and inefficient) mess of
chains-calling-chains-calling-chains-calling-chains :-)

Cheers

-- 
Andrew Ross
IT Officer
Whitley College
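The layout Andrew describes, as an added example that is not part of the thread and not Red Hat's own ruleset: INPUT keeps the handcrafted rules and a single jump into a tool-managed chain, and the tool only ever flushes and refills its own chain. The chain name TOOL-Managed (standing in for RH-ToolKit), the SERVICES list and the default-deny policy are assumptions for illustration. `render_ruleset` emits an iptables-restore document so the whole table is replaced atomically; `refresh_tool_chain` shows the later, narrower update that touches only the tool's chain. Set IPTABLES=echo to see the refresh commands without applying them.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): a tool-managed chain hooked
# from INPUT, so tool updates cannot clobber handcrafted INPUT rules.
# Assumed names: TOOL-Managed (stand-in for RH-ToolKit), SERVICES list below.
set -eu

IPTABLES="${IPTABLES:-iptables}"          # set to "echo" for a dry run
TOOLCHAIN="${TOOLCHAIN:-TOOL-Managed}"    # assumed chain name
SERVICES="${SERVICES:-tcp/22 udp/53}"     # assumed proto/port pairs

# render_ruleset CHAIN SERVICES
#   Prints an iptables-restore document for the filter table. INPUT holds
#   the handcrafted policy plus one jump to CHAIN; CHAIN holds one ACCEPT
#   per service and ends with RETURN so unmatched traffic falls back to INPUT.
render_ruleset() {
    chain="$1"; services="$2"
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ":$chain - [0:0]"
    # Handcrafted INPUT rules: the tool never rewrites these.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # The single hook into the tool-managed chain.
    printf '%s\n' "-A INPUT -j $chain"
    # Whatever the tool chain RETURNs lands here and is rejected explicitly.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    # Tool-managed chain: generated from SERVICES, terminated by RETURN.
    for svc in $services; do
        proto="${svc%/*}"; port="${svc#*/}"
        printf '%s\n' "-A $chain -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A $chain -j RETURN"
    printf '%s\n' 'COMMIT'
}

# refresh_tool_chain CHAIN SERVICES
#   The tool's later update path: empty only CHAIN and refill it. The jump
#   in INPUT and every handcrafted INPUT rule survive untouched.
refresh_tool_chain() {
    chain="$1"; services="$2"
    "$IPTABLES" -F "$chain"
    for svc in $services; do
        proto="${svc%/*}"; port="${svc#*/}"
        "$IPTABLES" -A "$chain" -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    "$IPTABLES" -A "$chain" -j RETURN
}

case "${1:-render}" in
    render)  render_ruleset "$TOOLCHAIN" "$SERVICES" ;;
    apply)   render_ruleset "$TOOLCHAIN" "$SERVICES" | iptables-restore ;;
    refresh) refresh_tool_chain "$TOOLCHAIN" "$SERVICES" ;;
    *) echo "usage: $0 [render|apply|refresh]" >&2; exit 2 ;;
esac
```

Running it with no argument prints the ruleset for review; `apply` loads it with iptables-restore as root; `IPTABLES=echo ./script.sh refresh` shows that the refresh path emits only `-F TOOL-Managed` and `-A TOOL-Managed ...` commands, never anything against INPUT. Note the RETURN at the end of the tool chain: without it the chain still falls through to INPUT, but an explicit RETURN makes the hand-off visible when someone reads `iptables -L -n` later, which is the readability point in the reply.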
