Some dumb questions...

Some dumb questions...

[Joel Linuxdude]

I was referred to this list by one of the Netfilter guys on order to gleen 
some information needed to write a decent
tutorial/reference guide.

WARNING: POSSIBLE DUMB QUESTIONS. (But, ask me if I care!)

QUESTION: Would a packet created on the Netfilter PC first
go through the OUTPUT chain and then through POSTROUTING?
If so, what TABLE??? NAT? What about FILTER? I assume:
NetFilter system -> (nat)OUTPUT -> (nat)POSTROUTING -> Eth0 -> Internet

QUESTION: Absolutely everything coming INTO an interface
first goes to (nat)PREROUTING, right?

QUESTION: Netfilter PC has 3 workstations over Eth1 and they
are SNATing through Eth0 and out to the internet. What if
somebody conversing with the workstation over...say...
IRC gets the IP of the workstation (It would be the Netfilter
PC's IP) and pings it.....Of course, it would be pinging
the Netfilter PC and NOT the workstation, right? The workstation
would not even see any ICMP packets at all, right?

QUESTION: Where is the most effective place to stop spoofed
packets or block a port?
A) -t nat PREROUTING ???
B) -t filter INPUT (for local) and -t filter FORWARD (for LAN)?
C) Either A or B would work fine.
D) None. You're way off.


THANK YOU VERY MUCH! These answers will help me out a lot.

Joel






_________________________________________________________________
Choose an Internet access plan right for you -- try MSN! 
http://resourcecenter.msn.com/access/plans/default.asp

Re: Some dumb questions...

[Martin Josefsson]

On Sun, 2002-11-03 at 08:32, Joel Linuxdude wrote:
> I was referred to this list by one of the Netfilter guys on order to gleen 
> some information needed to write a decent
> tutorial/reference guide.
> 
> WARNING: POSSIBLE DUMB QUESTIONS. (But, ask me if I care!)

Please take these questions to the netfilter mailinglist, not the
development mailinglist. They have nothing to do with development.

-- 
/Martin

Never argue with an idiot. They drag you down to their level, then beat
you with experience.

Re: Some dumb questions...

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 2567 bytes --]

On Sun, Nov 03, 2002 at 02:32:34AM -0500, Joel Linuxdude wrote:
> I was referred to this list by one of the Netfilter guys on order to gleen 
> some information needed to write a decent tutorial/reference guide.

Joel, I'm happy that you are trying to contribute some documentation.

But I have to agree with the point raised by Martin...

> WARNING: POSSIBLE DUMB QUESTIONS. (But, ask me if I care!)

Questions are not dumb.  But you could have obtained (and still can!) the
anwers without raising this issue on the list again.

> QUESTION: Would a packet created on the Netfilter PC first
> go through the OUTPUT chain and then through POSTROUTING?
> If so, what TABLE??? NAT? What about FILTER? I assume:
> NetFilter system -> (nat)OUTPUT -> (nat)POSTROUTING -> Eth0 -> Internet

This has been answered over and over again. please check the list archives.

Once you have understand the underlying architecture, it should become
obvious anyway.

> QUESTION: Absolutely everything coming INTO an interface
> first goes to (nat)PREROUTING, right?

you seem to confuse netfilter hooks with chain names. Yes, everything
goes to the netfilter NF_IP_PRE_ROUTING hook.  Whataver happens next depends
on your setup/configuration/... 

> QUESTION: Netfilter PC has 3 workstations over Eth1 and they
> are SNATing through Eth0 and out to the internet. What if
> somebody conversing with the workstation over...say...
> IRC gets the IP of the workstation (It would be the Netfilter
> PC's IP) and pings it.....Of course, it would be pinging
> the Netfilter PC and NOT the workstation, right? The workstation
> would not even see any ICMP packets at all, right?

of course.

> QUESTION: Where is the most effective place to stop spoofed
> packets or block a port?
> A) -t nat PREROUTING ???

the nat table is for _NAT_, not for filtering.

> B) -t filter INPUT (for local) and -t filter FORWARD (for LAN)?

we are talking about filtering packets, so we obviously use the 'filter'
table.

> THANK YOU VERY MUCH! These answers will help me out a lot.

As stated before, if you are wanting to write decent documentation,
please try reading the list (esp. netfilter-devel) archives fist.
Thanks.

> Joel

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
"If this were a dictatorship, it'd be a heck of a lot easier, just so long
 as I'm the dictator."  --  George W. Bush Dec 18, 2000

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

Re: Some dumb questions...

[Oskar Andreasson]

Joel,

See http://www.netfilter.org and http://iptables-tutorial.frozentux.net, 
both sites should answer all your questions. Sidenote, take martins 
advice, these questions are not development related. 

On Sun, 3 Nov 2002, Joel Linuxdude wrote:

> I was referred to this list by one of the Netfilter guys on order to gleen 
> some information needed to write a decent
> tutorial/reference guide.
> 
> WARNING: POSSIBLE DUMB QUESTIONS. (But, ask me if I care!)
> 
> QUESTION: Would a packet created on the Netfilter PC first
> go through the OUTPUT chain and then through POSTROUTING?
> If so, what TABLE??? NAT? What about FILTER? I assume:
> NetFilter system -> (nat)OUTPUT -> (nat)POSTROUTING -> Eth0 -> Internet
> 
> QUESTION: Absolutely everything coming INTO an interface
> first goes to (nat)PREROUTING, right?
> 
> QUESTION: Netfilter PC has 3 workstations over Eth1 and they
> are SNATing through Eth0 and out to the internet. What if
> somebody conversing with the workstation over...say...
> IRC gets the IP of the workstation (It would be the Netfilter
> PC's IP) and pings it.....Of course, it would be pinging
> the Netfilter PC and NOT the workstation, right? The workstation
> would not even see any ICMP packets at all, right?
> 
> QUESTION: Where is the most effective place to stop spoofed
> packets or block a port?
> A) -t nat PREROUTING ???
> B) -t filter INPUT (for local) and -t filter FORWARD (for LAN)?
> C) Either A or B would work fine.
> D) None. You're way off.
> 
> 
> THANK YOU VERY MUCH! These answers will help me out a lot.
> 
> Joel
> 
> 
> 
> 
> 
> 
> _________________________________________________________________
> Choose an Internet access plan right for you -- try MSN! 
> http://resourcecenter.msn.com/access/plans/default.asp
> 
> 
> 

-- 
----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net

some dumb questions

[Lennert Buytenhek]

Hi all,

Some dumb questions from a dumb person..

In vm_operations_struct there are pointers for (*advise), (*nopage),
(*wppage), et cetera. wppage is never used or called by any code
(copy-on-write is the default behaviour). Why is this? What if I want
my own wppage handler? Having the fn ptr member but not using it
doesn't make sense, IMHO. Also, I believe (*advise) isn't used
either.

Some other small things:
1. struct vm_area_struct -> struct vm_area ?
2. struct vm_operations_struct -> struct vm_area_operations ?
3. /dev/sysvipc/shm/1234 or /proc/sysvipc/shm/1234 ??

(This last suggestion just might start a holy war.... :-)

Thanks,

Lennert Buytenhek
<buytenh@dsv.nl>


--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://humbolt.geo.uu.nl/Linux-MM/