On Wednesday 19 August 2009 00:11:36 Walter Dnes wrote:
> IPCHAINS did the firewall job for me. Early versions of IPTABLES were
> OK too. But it eventually developed the Mozilla disease, and became a
> honking big routing/gatewaying/QOSing/singing/dancing monstrosity, of
> which I required only a small fraction of its "functionality". And I'm
> really confused as to which parts in netfilter/xtables/iptables I need
> to build into the kernel.

netfilter is the kernel sub-system that does packet filtering. iptables is a user-space app that adds and deletes rules to netfilter. I have no idea what xtables is.

> I need a firewall (or even just a packet-filter) that will operate
> with current Gentoo kernels, nothing more. I see a build for IPCHAINS.
> Does it work with 2.6.29 and higher kernels?

No. ipchains does not work with 2.6 at all, or even with 2.4. I suppose you could coerce it, but it's easier to just learn iptables. iptables is also conceptually simpler and much easier to understand.

menuconfig is really simply laid out with regard to netfilter. The initial selection that opens up is all you need, so select the lot. You will only need the mangle stuff if you plan on fiddling with packets as they pass through the kernel; you'll only need conntrack if you plan to build a stateful firewall (a good idea, actually), and you might want NAT as well.

> Are there other
> alternatives in alternate overlays? I'm not a programmer, but I can
> expand a tarball and...

There are two ways to build a packet filter, one good, one bad:

in-kernel: this makes sense as it's where the packets are. netfilter does this; you *could* replace it, but you will simply rip it out and replace it with something similar.

user-space: now this is a stupid idea. Every packet moves out of kernel space into userspace and back into kernel space. Yuck, all that context switching.

iptables really really is what you want. Google for "Rusty Russell's Unreliable Guide to iptables"; he's the head dev and that document contains just about everything you need for basic firewall needs.

If you want a front-end, I like shorewall. There are hundreds of others and they come with their own built-in flamewar about which is best. Most are simply front ends to iptables.

The best and most ultimate OSS packet filter in the whole wide world is without a doubt ipfw. But that's FreeBSD - not likely much use to you :-)

--
alan dot mckinnon at gmail dot com
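As an added illustration of the "stateful firewall with conntrack, and maybe NAT" that the reply recommends (this is example code, not something from the thread or from Gentoo), the script below generates a minimal default-deny IPv4 ruleset for iptables. The interface name, the LAN prefix and the allowed ports are assumed placeholder values; the rules are emitted as text first so they can be reviewed (or checked by a test) before being loaded, and only `apply` actually runs them, which needs root and a kernel built with conntrack support (CONFIG_NF_CONNTRACK and the conntrack match, CONFIG_NETFILTER_XT_MATCH_CONNTRACK) plus NAT for the MASQUERADE line.

```shell
#!/bin/sh
# Added example: a minimal stateful IPv4 firewall expressed as iptables rules.
# Not taken from the mailing-list post. WAN_IF, LAN_NET and ALLOW_TCP are
# assumed, constructed values; override them in the environment as needed.

WAN_IF="${WAN_IF:-eth0}"               # assumed external interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed internal network
ALLOW_TCP="${ALLOW_TCP:-22 80 443}"    # inbound TCP ports accepted from outside

# fw_rules prints one iptables command per line: default-deny INPUT and FORWARD,
# loopback allowed, conntrack lets replies and related traffic back in, a few
# new inbound TCP ports are opened, the rest is rate-limit logged then dropped
# by policy. The LAN is forwarded out and masqueraded behind WAN_IF.
fw_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in $ALLOW_TCP; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
iptables -A FORWARD -s $LAN_NET -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# fw_rule_count prints how many commands the generator emits (sanity check).
fw_rule_count() { fw_rules | wc -l | tr -d ' '; }

# fw_has_rule <pattern>: succeeds if some generated command matches the pattern.
fw_has_rule() { fw_rules | grep -q -- "$1"; }

# fw_apply executes the generated commands; requires root and the iptables binary.
fw_apply() { fw_rules | sh -e; }

case "${1:-}" in
    apply) fw_apply ;;
    show|"") fw_rules ;;
esac
```

Run it with no argument to print the ruleset for review, and with `apply` to load it. Setting the policies to DROP before flushing means the box is never briefly wide open while the rules are replaced; the conntrack ESTABLISHED,RELATED rule is what makes the filter stateful, so that only connection attempts (state NEW) need explicit accept rules.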