From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: Victor Julien <victor@nk.nl>
Cc: Netfilter Developers List <netfilter-devel@lists.netfilter.org>
Subject: Re: Creating rules without the /sbin/iptables command?
Date: Thu, 18 Mar 2004 09:12:27 -0500
Message-ID: <1079619146.2004.26.camel@localhost>
In-Reply-To: <40599B7D.8020804@nk.nl>
On Thu, 2004-03-18 at 07:52, Victor Julien wrote:
> John A. Sullivan III wrote:
>
> <snip>
>
> >>
<snip>
> >>But the easiest way is to recreate the initial ruleset with the updated
> >>rules would be:
> >>
> >>*filter
> >>:FORWARD DROP
> >>-A FORWARD -p tcp -s 192.168.0.1 --dport 80 -j ACCEPT
> >>-A FORWARD -p tcp -s 192.168.0.4 --dport 80 -j ACCEPT
> >>-A FORWARD -p tcp -s 192.168.0.3 --dport 80 -j ACCEPT
> >>COMMIT
> >>
> >>and then just call iptables-restore. This way I won't have to calculate
> >>where I want to insert the rules; this can be quite complex on many
> >>changes in large rulesets. Is this correct?
> >
> > Yes, although when ISCS is released (http://iscs.sourceforge.net), it
> > will provide an alternative to having to track rule order (massive
> > oversimplification here but it is not the topic at hand).
>
> But how will ISCS handle this problem? Will it also create input for
> iptables-restore? Or do you have some other method?
Yes, it creates input files for iptables-restore and is also able to
create configuration files for other firewalls (as well as the VPN
configuration, the router configuration, the NAT configuration and any
local DHCP configuration and, hopefully soon, all the layer2
configuration for the individual gateways). However, rather than relying
exclusively upon rule order, it uses an approach we call "Best Match".
This allows us to automate the creation of all rules from a high level
description of the environment. The idea is to eliminate the need for
an administrator to create rules. Instead, we interpret the
environment, e.g., "give these three teams access to the new joint
development project data", and create consistent rules for access
control, user authentication, encryption, data authentication, routing,
NAT, etc., to produce that environment.
>
> >
> >>The last method should still be way faster than my current method, I
> >>guess. Is this right?
> >
> > I have found it to be dramatically faster - John
>
> Good!
>
> Regards,
> Victor
>
> >
> >>Regards,
> >>Victor
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
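The workflow Victor describes above (regenerate the full ruleset from a description of who is allowed, then hand it to iptables-restore) as an added shell example; this is not code from the thread or from ISCS, the function names are hypothetical, and the host addresses are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISCS: regenerate the whole
# FORWARD ruleset from a list of permitted hosts and load it with
# iptables-restore, instead of computing insert positions for single rules.
# Function names are hypothetical; the host addresses are constructed samples.

# Emit a complete iptables-restore input for the filter table: a default-DROP
# FORWARD chain plus one ACCEPT per host for TCP port 80, the same shape as
# the ruleset quoted above. Hosts are de-duplicated and sorted so the output
# is deterministic and easy to diff against the previous version.
gen_ruleset() {
    printf '*filter\n'
    printf ':FORWARD DROP\n'
    for host in $(printf '%s\n' "$@" | sort -u); do
        printf '%s\n' "-A FORWARD -p tcp -s $host --dport 80 -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Structural check on a ruleset read from stdin before it reaches the kernel:
# it must open with the table header, set the FORWARD policy to DROP and end
# with COMMIT. Returns 0 when sound, 1 otherwise.
check_ruleset() {
    ruleset=$(cat)
    [ "$(printf '%s\n' "$ruleset" | head -n 1)" = '*filter' ] || return 1
    [ "$(printf '%s\n' "$ruleset" | tail -n 1)" = 'COMMIT' ] || return 1
    printf '%s\n' "$ruleset" | grep -q '^:FORWARD DROP' || return 1
    return 0
}

# Write the ruleset to a temporary file, dry-run it with iptables-restore
# --test (parse only, nothing committed), and only then load it for real.
# iptables-restore replaces the whole table in one step, so a failed parse
# leaves the running rules untouched rather than half-updated. Needs root.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    gen_ruleset "$@" > "$tmp"
    if check_ruleset < "$tmp" && iptables-restore --test < "$tmp"; then
        iptables-restore < "$tmp"
        status=$?
    else
        echo "ruleset rejected, running rules unchanged" >&2
        status=1
    fi
    rm -f "$tmp"
    return $status
}

# Usage (as root): apply_ruleset 192.168.0.1 192.168.0.4 192.168.0.3
```

Because the generated text is the complete table, keeping each version under revision control gives a readable diff of every policy change, which is what the "recreate the whole ruleset" approach buys over single-rule edits.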