[Centos] Messing around with iptables

Fri Aug 27 17:49:59 UTC 2004
Eric Sorenson <ahpook at gmail.com>

Sorry for chiming in a bit late, but the best iptables scripting tool I've
found is firehol:
 http://firehol.sf.net/
It's actively maintained, makes really tight rules, and provides the right level
of abstraction for making obvious what you intend the firewall to do without
getting bogged down in the arcana of either a scripting language or iptables.

It's especially useful for iptables machines where there's more than one person
maintaining the firewall because it keeps the "What the hell were they
thinking?!" factor down to a minimum.

And, obviously, if you're just getting started in firewalling it's far
better to have something you can understand and make small modifications to,
rather than blindly ginning up iptables rules -- a bad firewall is worse than
no firewall because it gives you a false sense of security. Firehol's "explain"
mode prints out the rules it *would* generate for a given directive to help you
understand iptables.

And, while we're on the subject, I would be remiss if I didn't include
a link to a very helpful diagram for understanding iptables:
http://l7-filter.sourceforge.net/PacketFlow.png

Cheers
-=Eric
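As an added illustration of the "explain before you apply" idea from the post above (this is example code written here, not firehol and not from the original thread), the script below is a tiny rule generator: you describe the intent (an interface and the TCP services it should accept) and it prints the iptables commands that intent expands to, so they can be read and reviewed before anything is loaded into the kernel. The interface name eth0 and the ports used in the usage line are assumed sample values; the rules use the classic `state` match that was current in 2004.

```shell
#!/bin/sh
# Added example, not firehol's own code: a minimal "explain"-style generator.
# fw_rules prints the iptables commands for a default-deny host firewall that
# accepts new TCP connections only on the listed ports of one interface.
# Nothing is executed unless fw_apply is called explicitly.

# fw_rules IFACE PORT [PORT...]  -> one iptables command per line on stdout
fw_rules() {
    iface=$1; shift
    # Default policies: deny inbound and forwarded traffic, allow outbound.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback traffic is always accepted.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened, plus related traffic
    # such as ICMP errors, are accepted on every interface.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # One explicit rule per service we intend to offer on this interface.
    for port in "$@"; do
        echo "iptables -A INPUT -i $iface -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everything else is dropped by the INPUT policy; log a rate-limited
    # sample first so the drops show up in syslog instead of vanishing.
    echo "iptables -A INPUT -i $iface -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
}

# fw_rule_count IFACE PORT...  -> number of commands fw_rules would emit
fw_rule_count() {
    fw_rules "$@" | wc -l | tr -d ' '
}

# fw_apply IFACE PORT...  -> run the generated commands (needs root)
fw_apply() {
    fw_rules "$@" | sh -e
}

# Usage:  sh fw.sh explain eth0 22 80     (print the rules, change nothing)
#         sh fw.sh apply   eth0 22 80     (load them, as root)
case "${1:-}" in
    explain) shift; fw_rules "$@" ;;
    apply)   shift; fw_apply "$@" ;;
esac
```

Reading the generated list is the point: the five fixed lines are the ones a hand-written script most often gets wrong (forgetting loopback, or the ESTABLISHED,RELATED rule, or leaving INPUT at ACCEPT), and every extra line maps one-to-one to a service the operator deliberately asked for.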