Re: Firewall: Please Advise

From: "Michael Schwendt" <rh0210ms arcor de>

> On Fri, 11 Oct 2002 04:10:56 -0700, jdow wrote:

> > And every one of them said it is basically impossible to pass most
> > of the additional protocols that are passed via the ip_masq_xxxx
> > protocol modules for IPChains.

> So, are you back to kernel 2.2? Because the ipchains
> compatibility module in the 2.4 series is limited, isn't it?

Both IPTables and IPChains are limited.

> Somewhere on the netfilter page (probably in a howto) it reads that
> ip_masq_xxxx-like protocol-specific IP masquerading modules are
> not needed with iptables, because those protocols just work with
> netfilter (due to its architecture being different).

Yeah, I saw that. But NOWHERE do they say how to make it work. And
I had IPTables set up, which is how I learned, the hard way, that it
didn't work. That led to my reading experience. This is precisely
the reason the author of the TrinityOS Project (a very secure Linux)
has not moved to IPTables. The IPTables are simply too limited as
they exist today.

> On one of the netfilter lists (probably netfilter-devel) I've
> read about a couple of helper modules for special protocols.
> You might want to ask there. Of course, if you are entirely
> happy with ipchains, why change? ;)

One would expect the Netfilter site, the developers' site, would
have word of these modules. I have looked. The only two modules
that exist are ftp and icu. There are at least a half dozen modules
for IPChains to facilitate such things as the H.232 conferencing
protocol and so forth.

Believe me, as soon as it is shown IPTables can do at least as much
as IPChains I will change. In the meantime IPTables exhibit only a
theoretical superiority. Much of their superiority is not needed at
this site. The gateway/firewall machine is grossly underloaded. So
the time efficiency is not needed. What is needed is security and
protocol support.