[Gllug] High Availability firewall

Bruce Richardson itsbruce at uklinux.net
Sun Apr 2 10:40:35 UTC 2006


On Sat, Apr 01, 2006 at 12:04:21AM +0100, Nix wrote:
> I'm not sure if OpenBSD's networking layer is as capable as Linux's, though:
> you can really do a ridiculous number of things with the advanced routing
> features. (If you're still stuck using ifconfig and route you probably
> won't have noticed that these features even exist, but they've been there
> since the 2.2 kernel days... they connect to iptables in that firewall-
> marked packets can be routed differently and packets that came in via
> specific routing tables can be firewalled differently, but they're not
> in the same subsystem, nor maintained with the same tools.)

I love the policy routing capabilities and the ip tool itself is great.
If only there were something better than iptables to work with it.  I
realise that many of the individual iptables modules are very powerful
but I hate the overall design, especially compared to pf.  For example,
if you have a 2.6 box acting as a firewall and as an IPSec endpoint, you
may have to replicate some of the logic in each of the three most
commonly-used tables.  For an even more evil example, if I want to log
problem packets that the NAT code may be dropping, I have to put the
logging rule into the MANGLE table.  UGLY, UGLY, UGLY AND EVIL!

I can see why the iptables design prevents the creation of chains that
are common to all tables but that doesn't make it any more acceptable.
Most people who run up against this limitation seem to work round it
either by using fwmark (a very ugly way to solve the problem) or by
using templates to generate the rules in the hope that this will
minimise the occasions for error.  Still, I look at pf, where you can
give a chain of rules a return value and use it as a function, with
envy.

-- 
Bruce

Bitterly it mathinketh me, that I spent mine wholle lyf in the lists
against the ignorant.  -- Roger Bacon, "Doctor Mirabilis"
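The fwmark workaround and the "generate the rules from a template" workaround that Bruce mentions, shown together as an added example (this is not code from the post or from the iptables project). A single shell function holds the one definition of a "problem packet"; that definition is expanded into the mangle table, where the packet is logged and marked before nat runs, and every other table only tests the mark instead of repeating the match. The interface name eth0, the mark value 0x1 and the choice of "INVALID conntrack state" as the problem condition are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: one "problem packet" definition,
# emitted into several iptables tables from a shell template, with an fwmark
# carrying the classification from mangle (which runs first on PREROUTING)
# into nat and filter. eth0, 0x1 and the INVALID match are assumptions.

WAN=eth0             # assumed external interface
PROBLEM_MARK=0x1     # assumed fwmark reserved for "problem" packets

# The single source of truth for what counts as a problem packet.
# Change it here and every table that uses it follows.
problem_match() {
    printf '%s' "-i $WAN -m conntrack --ctstate INVALID"
}

# Emit a complete iptables-restore file. The mangle table is the only place
# the full match appears (log + mark); nat and filter key off the mark.
generate_ruleset() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:PROBLEM - [0:0]
-A PREROUTING -j PROBLEM
-A PROBLEM $(problem_match) -j LOG --log-prefix "problem: "
-A PROBLEM $(problem_match) -j MARK --set-mark $PROBLEM_MARK
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -m mark --mark $PROBLEM_MARK -j RETURN
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m mark --mark $PROBLEM_MARK -j DROP
-A FORWARD -m mark --mark $PROBLEM_MARK -j DROP
COMMIT
EOF
}

# Count how many tables re-use the mark rather than restating the match.
mark_consumers() {
    generate_ruleset | grep -c -- "--mark $PROBLEM_MARK"
}

# Stand-alone use: print the ruleset so it can be reviewed or piped on.
generate_ruleset
```

Running the script prints an iptables-restore file; on a host with a recent iptables it can be checked without loading it via `sh problem-rules.sh | iptables-restore --test`. The point to notice is that the match string lives in one function, the LOG sits in mangle because that is the only table that sees the packet before nat, and the nat and filter tables never repeat the match, which is exactly the ugliness (a mark as a poor man's return value) that pf's chains-as-functions avoid.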