* user defined chains
@ 2004-07-12 18:49 Payal Rathod
  2004-07-12 19:51 ` John A. Sullivan III
  2004-07-12 19:55 ` Antony Stone
  0 siblings, 2 replies; 4+ messages in thread
From: Payal Rathod @ 2004-07-12 18:49 UTC
  To: netfilter

Hi,
If I want to design a firewall for a network on a high-end machine
with a lot of RAM and swap, is there any real use of user defined
chains? I find them difficult so I would like to use only the built-in
chains. Is that ok?

With warm regards,
-Payal



* Re: user defined chains
  2004-07-12 18:49 user defined chains Payal Rathod
@ 2004-07-12 19:51 ` John A. Sullivan III
  2004-07-12 20:02   ` Antony Stone
  2004-07-12 19:55 ` Antony Stone
  1 sibling, 1 reply; 4+ messages in thread
From: John A. Sullivan III @ 2004-07-12 19:51 UTC
  To: Payal Rathod; +Cc: netfilter

Payal Rathod wrote:
> Hi,
> If I want to design a firewall for a network on a high-end machine
> with a lot of RAM and swap, is there any real use of user defined
> chains? I find them difficult so I would like to use only the built-in
> chains. Is that ok?
> 
> With warm regards,
> -Payal
It may be OK but you will severely limit what you can do.  If your 
security environment is simple, that will be fine.  If it is not, user 
defined chains are a real blessing.  We use them extensively in the ISCS 
project (http://iscs.sourceforge.net) to handle very complicated and 
frequently changing security configurations.  In fact, they are the 
entire key to our access control magic and much of our automated NAT 
configuration.

Again, unless your environment is very simple, it is probably well worth 
your time to become very familiar with user defined chains.  Oskar 
Andreasson has an excellent tutorial in the tutorials section of 
http://www.netfilter.org and there are training slide shows in the 
training section on the ISCS web page.  Good luck - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net



* Re: user defined chains
  2004-07-12 18:49 user defined chains Payal Rathod
  2004-07-12 19:51 ` John A. Sullivan III
@ 2004-07-12 19:55 ` Antony Stone
  1 sibling, 0 replies; 4+ messages in thread
From: Antony Stone @ 2004-07-12 19:55 UTC
  To: netfilter

On Monday 12 July 2004 7:49 pm, Payal Rathod wrote:

> Hi,
> If I want to design a firewall for a network on a high-end machine
> with a lot of RAM and swap, is there any real use of user defined
> chains? I find them difficult so I would like to use only the built-in
> chains. Is that ok?

Yes.

Antony.




(Okay, for a fuller answer, use user-defined chains if you want to, don't use 
them if you prefer - it makes no difference to netfilter so long as you can 
understand the rules enough to get them to do what you want them to.)

-- 
Users don't know what they want until they see what they get.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: user defined chains
  2004-07-12 19:51 ` John A. Sullivan III
@ 2004-07-12 20:02   ` Antony Stone
  0 siblings, 0 replies; 4+ messages in thread
From: Antony Stone @ 2004-07-12 20:02 UTC
  To: netfilter

On Monday 12 July 2004 8:51 pm, John A. Sullivan III wrote:

> Payal Rathod wrote:
> > Hi,
> > If I want to design a firewall for a network on a high-end machine
> > with a lot of RAM and swap, is there any real use of user defined
> > chains? I find them difficult so I would like to use only the built-in
> > chains. Is that ok?
>
> It may be OK but you will severely limit what you can do.  If your
> security environment is simple, that will be fine.  If it is not, user
> defined chains are a real blessing.
>
> Unless your environment is very simple, it is probably well worth
> your time to become very familiar with user defined chains.

Despite my somewhat simplistic previous answer, I agree with this also.

I guess earlier I should have said "yes, so long as you can do what you need 
to".

Regards,

Antony.

-- 
"I estimate there's a world market for about five computers."

 - Thomas J Watson, Chairman of IBM

                                                     Please reply to the list;
                                                           please don't CC me.


