On Wed, Jan 10, 2007 at 08:49:20PM -0800, Paul Johnson wrote:
> Douglas Tutty wrote:
>
> > On Wed, Jan 10, 2007 at 11:23:29AM -0800, Paul Johnson wrote:
> >
> >> I think shorewall assumes that you don't really want to block /all/
> >> outbound traffic and does the right thing, then.
> >
> > Before you assume this, you should check the netfilter docs. If by
> > default I block all outgoing and incoming connections then there's no
> > way to establish an 'existing' connection in the first place. If I
> > allow outgoing http requests then the data is allowed back in without me
> > opening the http port to allow incoming requests. That's the heart of
> > netfilter.
>
> Aah, OK. I must be thinking ipchains or ipfw from back in the day or
> something. Netfilter isn't such a pain by comparison to those two.
As I understand it, that's the big difference between netfilter/iptables and ipchains. Note that, at least for Sarge, some of the firewall-building packages use ipchains instead of iptables/netfilter. With them it's more difficult to get as tight a control on packets. Shorewall lets you control each kind of packet for separate directions. Each of one's choices in the configuration is really a meta-choice; shorewall takes care of the nitty-gritty.

Doug.
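The ruleset Douglas describes (default-deny in both directions, outgoing http permitted, replies let back in by connection tracking rather than by opening port 80 inbound), written out in iptables-restore format as an added example; it is not from the thread or from Shorewall, and the interface name eth0 and the outbound DNS rule are assumptions of mine.

```shell
#!/bin/sh
# Stateful default-deny ruleset for iptables-restore (example, not
# Shorewall output). WAN_IF is an assumed interface name.
WAN_IF="${WAN_IF:-eth0}"

# Print the ruleset. Both INPUT and OUTPUT default to DROP. The
# ESTABLISHED,RELATED rule is the netfilter conntrack behaviour the
# thread discusses: replies to a connection we opened are accepted on
# INPUT without any rule that accepts NEW inbound connections to port 80.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -m state --state INVALID -j DROP
-A OUTPUT -o $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -j LOG --log-prefix "IN-DROP: "
COMMIT
EOF
}

# Number of INPUT rules that would accept NEW connections from the WAN.
# Expected to be 0: inbound reachability comes only from conntrack.
inbound_new_accepts() {
    gen_rules | grep -c "^-A INPUT -i $WAN_IF .*--state NEW.*-j ACCEPT" || true
}

# Load atomically (needs root). Review gen_rules output first.
apply_rules() {
    gen_rules | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then apply_rules; else gen_rules; fi
```

The LOG rule sits after the accepts so only dropped inbound packets are logged; the outbound DNS rule is there because http by hostname needs name resolution, which the thread does not mention.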