On Sun, 31 Dec 2000, Jonathan Ben-Avraham wrote:
> The ipchains HOWTO contains an example firewall configuration with
> separate chains defined for each triple of source network, destination
> network and direction. That is, there are chains "net-dmz", "dmz-net",
> "net-int", "int-net", "int-dmz" and "dmz-int". Is there any really good
> reason not to simply leave all of rules in the forward chain? What do you
> gain by splitting the forward rules into so many separate chains?
i haven't read the howto, so i'm just plain old edu-guessing, based on my
experience with playing with various odd features of ipchains. the split
into several chains ought to make the "code" easier to read and maintain,
much like a program's source code is broken down into functions (each
chain is the equivalent of a function call, more or less).
computation-wise, there is no extra functionality gained by splitting the
rules into seperate chains. i would guess that some security experts would
advise against using several chains, using their rule that you can't
achive good security in a complex system, and when you keep the rules in a
single chain, you can see them all together, which is important, too.
btw, in the new kernel (2.4), where netfilter is used, there is a new
notion of tables. unlike usage of multiple chains, usage of multiple
tables does add extra functionality, in that it allows you to have one set
of rules perform a complete "computation", and then the packets coming out
of it are re-processed by the rules in a second table. i already so a case
where this allowed for more functionality then s possible using kernel
2.2's chains.
--
guy
"For world domination - press 1,
or dial 0, and please hold, for the creator." -- nob o. dy
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
