[CentOS] Firewall frustration

John R Pierce pierce at hogranch.com
Mon Dec 31 17:03:35 UTC 2007


Robert Spangler wrote:
> While IPTABLES might be CHEAP (price) it is a very good firewall.
> Learn to set it up from the command line, it isn't that hard.
> Try the following to learn it;
>
> http://iptables.rlworkman.net/chunkyhtml/index.html
>
> Forget those GUI interfaces.
>
>   


one thing that bugs me about most canned iptables rulesets, including 
the ones generated by most of those GUI packages, is that they are way 
more complex than needed; it's like they are trying to reinvent the 
entire TCP stack. E.g.: you really don't need to reject non-SYN packets 
on unopened connections, TCP will do that quite nicely on its own and 
far more efficiently than a pile of iptables rules.
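An added illustration of the point above (my example, not part of John's post and not output of any CentOS tool): a POSIX shell script that emits a minimal stateful ruleset in iptables-save format, relying on the state match plus a DROP policy instead of a pile of --tcp-flags rules, and a constructed sample of a "canned" ruleset so the two can be compared. The allowed ports (22, 80), the ICMP echo rule, and the contents of the canned sample are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: minimal stateful INPUT ruleset (iptables-save syntax).
# Assumption: only the TCP ports passed as arguments should accept new
# connections; everything else relies on the DROP policy.
minimal_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # One state rule covers every packet of an already-tracked connection.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Packets conntrack cannot place (e.g. out-of-window segments) are INVALID.
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for p in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$p"
    done
    # Anything else hits the INPUT DROP policy. A stray non-SYN segment that
    # does get through to an open port is answered by the TCP stack itself
    # with a RST; no --tcp-flags rule is needed for that.
    printf '%s\n' 'COMMIT'
}

# Constructed sample of the "reinvent the TCP stack" style (not from any
# real GUI package); only the flag-matching rules matter here.
canned_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Count rules on stdin that match TCP flags by hand (--tcp-flags or ! --syn).
count_flag_rules() {
    grep -c -E -- '--tcp-flags|! --syn' || true
}

# Count all -A rules on stdin.
rule_count() {
    grep -c '^-A ' || true
}

# Stand-alone use: print both rulesets and their flag-rule counts.
if [ "${1:-}" = "--demo" ]; then
    echo "minimal: $(minimal_ruleset 22 80 | count_flag_rules) flag rules, $(minimal_ruleset 22 80 | rule_count) rules total"
    echo "canned:  $(canned_ruleset | count_flag_rules) flag rules, $(canned_ruleset | rule_count) rules total"
fi
```

On CentOS the generated text can be reviewed and then written to /etc/sysconfig/iptables (which the iptables init script loads with iptables-restore); do that over a console session, not over the SSH connection you are about to firewall, and check the rule list with `iptables -L -n -v` afterwards.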
