replacement of iptables

Matthias Saou yellowdog-general@lists.terrasoftsolutions.com
Sat, 18 Sep 2004 02:42:23 +0200


Derick Centeno wrote :

> Please excuse my interruption on a prior thread.
> 
> However, the implementation or replacement of how iptables have worked
> has changed in the newer kernels and they could be invoked differently
> as well. I am merely reporting the existence of these "progressive"
> changes; I didn't design them.  They will affect others more deeply than
> myself as my system needs BootX and I'm not getting a current Mac OS
> anytime soon in the foreseeable future.
> 
> I can appreciate your statement of disbelief Matthias; I felt quite the
> same way when standard C++ all of a sudden was now invoking globals! 
> ...Who knew??
> 
> Not I and certainly not others who wrote to both the newbie and general
> lists and wondered what was going on.  One of the regulars of the YDL
> list suggested an updated library but from the recommendation made there
> was no suspicion of actual syntax changes.  I discovered the details by
> chasing the problem down.
> 
> This change regarding the iptables appears to me similar. There are very
> few things in Linux which can change without requiring updates, 
> changes and adaptations elsewhere.  As iptables are important in
> firewalls which I do implement by the way on my current system; my
> effort is merely to recommend that others, who have the modern Macs and
> OS's, the appropriate kernels etc. follow through and explore the nuances
> and differences which I cannot.
> 
> However, nothing will occur if all believe that everything is the same
> when in fact it is very much NOT the same.  Even if the implementation
> is better, which it may well be... that itself is a difference if one is
> concerned regarding security, one must have the details and master them
> completely.
> 
> I'm interested in encouraging an exploration of the changes and how to
> use those changes for those interested in taking advantage of them; I'm
> not interested in maintaining a false sense of security or initiating a
> sense that EVERYTHING is so different as to be worthless and cause for
> concern.
> 
> No...for me a "Heads up"...merely is another method of invoking
> attention in the pure sense of requesting that a focus upon this
> particular change or improvement -- call it as you please -- requires
> focus and attention due to the fact that iptables are important enough
> that attention is called for and warranted regarding what has changed,
> improved and how to use it in its new form.  
> 
> I am not asking for similar attention for a mere theme, desktop
> background image or pet interface environments.  No...iptables as
> security tools... deserve our focussed scrutiny and sober exploration
> even if the designers are close, or may even be, at the genius class of
> intellect.  Firewalls, iptables and security should be the business of
> those who have something to protect and cherish.
> 
> Surely privacy is worth improving defense of...the common person would
> no doubt consider placing the best lock and system one could afford or
> design to implement in one's home and build upon that with a combined
> community support or volunteer effort as cooperative auxiliaries of
> one's local police force.  How would one not be as careful with one's
> computer system and the data it keeps, utilizes and shares?

Wow, I'm impressed: 9 big fat paragraphs about this "important iptables
design change that will affect us all", but not a single detail or hint
about what it really is. Because frankly, I don't have a single clue about
what you're precisely referring to... and yes, I have some pretty funky
firewall rules, may it be for masquerading, advanced routing, rate
limiting, hooking userland tools to given traffic or simply protecting
hosts with both 2.4 (what YDL3 has) and 2.6 (what YDL4 will have) kernels,
and definitely don't know of any major change between the two, not even in
the way the "iptables" service is handled (or maybe you meant the better
automatic loading of specific modules through the new sysconfig file?).
Anyway, please feel free to share more technical points. I'm pretty sure
the vast majority of the people on this list are techies who will gladly
join insightful discussions.

Matthias

-- 
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora Core release 2 (Tettnang) - Linux kernel 2.6.8-1.521
Load : 0.07 0.07 0.02
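The kinds of rules Matthias lists (masquerading, rate limiting, protecting a host) use the same iptables syntax on 2.4 and 2.6 kernels. The script below is an added example, not something posted to the list: a small stateful host firewall with rate-limited SSH and LAN masquerading, built only from the `state`, `limit` and `MASQUERADE` extensions that exist in both kernel series. The interface names, the LAN subnet and the file name `firewall.sh` are constructed placeholders; the `IPTABLES_MODULES` setting mentioned in a comment is the Red Hat style `/etc/sysconfig/iptables-config` variable for preloading conntrack helper modules.

```shell
#!/bin/sh
# Added example, not from the list thread: a stateful host firewall with
# rate-limited SSH and LAN masquerading, using only matches and targets that
# exist in both 2.4 and 2.6 netfilter (state, limit, LOG, MASQUERADE).
# WAN_IF, LAN_IF and LAN_NET are constructed placeholders; override them in
# the environment before running.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# firewall_rules prints the rule set, one iptables argument list per line.
# Generating the rules separately from applying them lets them be reviewed
# (or diffed against 'iptables-save' output) before the kernel is touched.
firewall_rules() {
    cat <<EOF
-F
-t nat -F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 5 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 1/min -j LOG --log-prefix "ssh-ratelimit: "
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# rule_count returns the number of rule lines firewall_rules emits,
# a cheap sanity check before applying the set.
rule_count() {
    firewall_rules | wc -l | tr -d ' '
}

# apply_firewall feeds each line to iptables. Needs root and the netfilter
# modules loaded; on Red Hat style systems conntrack helpers can be listed in
# IPTABLES_MODULES in /etc/sysconfig/iptables-config so the init script
# loads them. Masquerading also needs IP forwarding switched on.
apply_firewall() {
    firewall_rules | while IFS= read -r args; do
        # eval is used so the quoted --log-prefix survives word splitting;
        # the input is this script's own rule text, not user-supplied data.
        eval "iptables $args" || return 1
    done || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage:  sh firewall.sh          -> print the rule set for review
#         sh firewall.sh apply    -> install it (run as root)
case "${1:-}" in
    apply) apply_firewall ;;
    *)     firewall_rules ;;
esac
```

The SSH rules show the usual rate-limit pattern: new connections are accepted up to the `limit` match's token bucket, anything beyond it is logged (itself rate limited, so a burst cannot flood syslog) and then falls through to the chain's DROP policy; no separate DROP rule is needed.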