On Tue, Mar 05, 2002 at 04:55:50PM +1100, DaZZa wrote:
> On Tue, 5 Mar 2002, Andy Eager wrote:
> 
> > Certainly pretty good as far as a basic explanation goes, problem is
> > that masquerading is not yet up to the level of ipchains and that's what
> > most people want. (One IP address, masqueraded to many machines for use
> > with ftp, realaudio etc).  I still reckon that ipchains with a 2.2
> > kernel is still the simplest and most generally accepted way to do
> > firewalling if you want particular services masqueraded.
> 
> I'm interested to know your reasoning here.
> 
> What, exactly, doesn't work under iptables?
> 
> I have a 2.4 kernel running iptables, and it seems to do everything fine -
> telnet, ssh, ftp, ICQ, irc, real audio, http, https - I haven't found
> anything yet that _doesn't_ work.

I believe that DCC using the irc modules is known to have problems. The main 
problem with netfilter is that conntracking doesn't work that well if you have 
to use multiple protocols (i.e. FTP and say, DCC or H323).

The connection tracking stuff assumes only one protocol will be making use of it.

Hence the rewrite that is occurring of the conntrack portion.

Cheers,
Anand

PS: At Linux.Conf.Au Rusty mentioned most of this -- just to rub salt into the
wounds of those who weren't there.

-- 
 `` We are shaped by our thoughts, we become what we think.
 When the mind is pure, joy follows like a shadow that never
 leaves. '' -- Buddha, The Dhammapada
-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug