Tony:
        Heya. Sorry for chiming in late, I had a busy weekend. :)
I believe the information about ipmasqadm "bypassing" ipchains is
incorrect. I've always known it to be described as:

        http://www.tldp.org/HOWTO/IPCHAINS-HOWTO-4.html

        Some nice ascii art there. Quoting from the first paragraph:

---------------
4.1 How Packets Traverse The Filters

The kernel starts with three lists of rules; these lists are called
firewall chains or just chains. The three chains are called input, output
and forward. When a packet comes in (say, through the Ethernet card) the
kernel uses the input chain to decide its fate. If it survives that step,
then the kernel decides where to send the packet next (this is called
routing). If it is destined for another machine, it consults the forward
chain. Finally, just before a packet is to go out, the kernel consults
the output chain.
----------------

        This is why every port-forward rule in the firewall setup scripts
(like echowall, seawall, others) comes in pairs: one to put an ACCEPT in
the input chain, and one to put a PORTFW into the forward chain using
ipmasqadm. If your input chain is DENY'ing all packets, the portfw
rules are never even consulted.

        A different question I've heard asked before is "can my ipchains
firewall be attacked on an open port that I have port-forwarded
to an internal machine?" To that, I've heard the answer is yes, as the
packet is processed by the kernel before it is forwarded along.

cheers,
Scott

> I didn't realize that ipmasqadm portfw bypassed ipchains.  Actually, I am
> glad I know that now since I was thinking of using port forwarding for a
> couple of servers, I will think twice now.
>
> Thanks,
>
> Tony

[snip]

>> The use of ipmasqadm portfw allows the packets to pass untouched
>> by ipchains.

[old stuff deleted]
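A small model of the chain traversal Scott describes (input, then routing, then forward, then output), added here as an illustration and not part of the thread or of any firewall package. Addresses, ports and the chain/PORTFW rules are constructed; it shows that without the ACCEPT half of the pair the PORTFW entry is never reached.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    dst: str
    dport: int
    proto: str = "tcp"
@dataclass
class Rule:
    target: str          # ACCEPT or DENY
    dst: str = None      # None matches any destination
    dport: int = None    # None matches any port
    def matches(self, p: Packet) -> bool:
        return self.dst in (None, p.dst) and self.dport in (None, p.dport)
@dataclass
class Chain:
    policy: str          # default target, as set by ipchains -P <chain> DENY
    rules: list = field(default_factory=list)
    def verdict(self, p: Packet) -> str:
        return next((r.target for r in self.rules if r.matches(p)), self.policy)
@dataclass
class Firewall:
    ext_ip: str
    chains: dict                                   # "input" / "forward" / "output" -> Chain
    portfw: dict = field(default_factory=dict)     # (proto, port) -> (inner ip, port)
    def traverse(self, p: Packet) -> list:
        """Path of a packet arriving on the external interface, chain by chain."""
        path = [f"input:{self.chains['input'].verdict(p)}"]
        if path[0] != "input:ACCEPT":
            return path                            # dropped; PORTFW entry never consulted
        hop = self.portfw.get((p.proto, p.dport))
        if p.dst == self.ext_ip and hop:
            p = Packet(hop[0], hop[1], p.proto)    # PORTFW rewrites the destination
            path.append(f"portfw->{p.dst}:{p.dport}")
        if p.dst == self.ext_ip:
            return path + ["local"]                # for the firewall itself, not forwarded
        path.append(f"forward:{self.chains['forward'].verdict(p)}")
        if path[-1] == "forward:ACCEPT":
            path.append(f"output:{self.chains['output'].verdict(p)}")
        return path

def build(with_input_accept: bool) -> Firewall:
    """DENY-policy firewall forwarding tcp/80 to 192.168.1.10 (constructed addresses)."""
    fw = Firewall("203.0.113.1", {c: Chain("DENY") for c in ("input", "forward", "output")})
    if with_input_accept:  # half one: ipchains -A input -p tcp -d 203.0.113.1 80 -j ACCEPT
        fw.chains["input"].rules.append(Rule("ACCEPT", dst="203.0.113.1", dport=80))
    for c in ("forward", "output"):
        fw.chains[c].rules.append(Rule("ACCEPT", dst="192.168.1.10", dport=80))
    fw.portfw[("tcp", 80)] = ("192.168.1.10", 80)  # half two: ipmasqadm portfw -a ...
    return fw
```

Calling `build(False).traverse(Packet("203.0.113.1", 80))` stops at the input chain, while `build(True)` walks input, portfw, forward and output.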

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html