replacement of iptables

Derick Centeno yellowdog-general@lists.terrasoftsolutions.com
17 Sep 2004 16:51:27 -0400


Please excuse my interruption on a prior thread.

However, the implementation or replacement of how iptables have worked
has changed in the newer kernels and they could be invoked differently
as well. I am merely reporting the existence of these "progressive"
changes; I didn't design them.  They will affect others more deeply than
myself as my system needs BootX and I'm not getting a current Mac OS
anytime soon in the foreseeable future.

I can appreciate your statement of disbelief Matthias; I felt quite the
same way when standard C++ all of a sudden was now invoking globals! 
...Who knew??

Not I and certainly not others who wrote to both the newbie and general
lists and wondered what was going on.  One of the regulars of the YDL
list suggested an updated library but from the recommendation made there
was no suspicion of actual syntax changes.  I discovered the details by
chasing the problem down.

This change regarding the iptables appears to me similar. There are very
few things in Linux which can change without requiring updates,
changes and adaptations elsewhere.  As iptables are important in
firewalls, which I do implement by the way on my current system, my
effort is merely to recommend that others, who have the modern Macs and
OS's, the appropriate kernels etc., follow through and explore the nuances
and differences which I cannot.

However, nothing will occur if all believe that everything is the same
when in fact it is very much NOT the same.  Even if the implementation
is better, which it may well be... that itself is a difference; if one is
concerned regarding security, one must have the details and master them
completely.

I'm interested in encouraging an exploration of the changes and how to
use those changes for those interested in taking advantage of them; I'm
not interested in maintaining a false sense of security or initiating a
sense that EVERYTHING is so different as to be worthless and cause for
concern.

No...for me a "Heads up"...merely is another method of invoking
attention in the pure sense of requesting that a focus upon this
particular change or improvement -- call it as you please -- requires
focus and attention due to the fact that iptables are important enough
that attention is called for and warranted regarding what has changed,
improved and how to use it in its new form.  

I am not asking for similar attention for a mere theme, desktop
background image or pet interface environments.  No...iptables as
security tools... deserve our focussed scrutiny and sober exploration
even if the designers are close, or may even be, at the genius class of
intellect.  Firewalls, iptables and security should be the business of
those who have something to protect and cherish.

Surely privacy is worth improving defense of...the common person would
no doubt consider placing the best lock and system one could afford or
design to implement in one's home and build upon that with a combined
community support or volunteer effort as cooperative auxiliaries of
one's local police force.  How would one not be as careful with one's
computer system and the data it keeps, utilizes and shares?

On Fri, 2004-09-17 at 15:40, Matthias Saou wrote:
> Derick Centeno wrote :
> 
> > I think it would be a good idea to give a "Heads up" on this list and
> > notify those who may be interested that iptables are completely replaced
> > in higher level kernels with a new technology. [...]
> 
> 1) This is simply not true. Maybe you meant the netfilter core?
> 2) This doesn't have anything to do with the current thread.
> 
> I really don't get what you were trying to say... network devices should
> still be labeled the same, and only a few kernel modules change name now
> and then (Realtek 8139 would be a good example), but overall firewalling
> hasn't changed as much from 2.4 to 2.6 kernels as it had from 2.2 to 2.4
> when netfilter/iptables was introduced.
> 
> Matthias