Re: [Fwbuilder-discussion] Understand how to get efficient rulesets
From: Whit B. <wh...@tr...> - 2009-07-20 01:49:06
Found where my misunderstanding of the inevitability of the FORWARD chain generation came from. The Help screen on the "iptables: advanced settings" window, in the "Assume firewall is part of 'any'" section, speaks of generating FORWARD and INPUT rules when the option is on, and only FORWARD when it's off (and similarly for FORWARD and OUTPUT). I read this as saying that in all instances FORWARD rules are generated, while with "Assume ..." checked it would also generate the INPUT rules.

What the brief explanation leaves out is the opposite case for local IPs, when leaving "Assume ..." unchecked will only generate INPUT rules, while having it checked results in INPUT plus FORWARD rules. So where it says "If the option is off, the compiler only generates code for the FORWARD chain," the complete story is "If the option is off, the compiler only generates code for the FORWARD or the INPUT chain, but not both." As written, taken literally, it seemed to be advising that the only way to generate code for the INPUT chain was to have "Assume ..." checked.

Whit