One thing that we give up with iptables-restore is the ability to include DNS names in Shorewall config files (iptables-restore does not perform DNS name resolution). I personally don't consider that a great loss since I've never used that feature and I actively discourage others from using it.

But it would be another compatibility issue.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________
leaf-devel mailing list
leaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-devel

Mike Noyes
2007-Feb-28 18:11 UTC
Re: Adopting iptables-restore to instantiate Shorewall rules
On Wed, 2007-02-28 at 07:44, Tom Eastep wrote:
> One thing that we give up with iptables-restore is the ability to include
> DNS names in Shorewall config files (iptables-restore does not perform DNS
> name resolution). I personally don't consider that a great loss since I've
> never used that feature and I actively discourage others from using it.
>
> But it would be another compatibility issue.

Tom,
I guess it depends on whether the iptables-restore speed increase outweighs the compatibility issue(s).

--
Mike Noyes <mhnoyes at users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
SF.net Projects: leaf, sitedocs

Paul Gear
2007-Feb-28 23:26 UTC
Re: [leaf-devel] Adopting iptables-restore to instantiate Shorewall rules
Mike Noyes wrote:
> On Wed, 2007-02-28 at 07:44, Tom Eastep wrote:
>> One thing that we give up with iptables-restore is the ability to include
>> DNS names in Shorewall config files (iptables-restore does not perform DNS
>> name resolution). I personally don't consider that a great loss since I've
>> never used that feature and I actively discourage others from using it.
>>
>> But it would be another compatibility issue.
>
> Tom,
> I guess it depends on whether the iptables-restore speed increase
> outweighs the compatibility issue(s).

I vote for iptables-restore speed over DNS support. :-)

--
Paul <http://paulgear.webhop.net>
--
Did you know? Viewing your email in HTML mode makes you more vulnerable to 'phishing' (fraudulent email) and 'spam' (junk email). Find out more about protecting yourself at <http://www.spamhelp.co.uk/2004/05/dont-use-webmail-view-html-spam-emails.html>.

Tuomo Soini
2007-Mar-01 10:00 UTC
Re: Adopting iptables-restore to instantiate Shorewall rules
Tom Eastep wrote:
> One thing that we give up with iptables-restore is the ability to include
> DNS names in Shorewall config files (iptables-restore does not perform DNS
> name resolution). I personally don't consider that a great loss since I've
> never used that feature and I actively discourage others from using it.
>
> But it would be another compatibility issue.

True. But DNS names should never ever be used for firewalling anyway. And it's still possible to use something like using params and variables generated there is always better solution anyway.

--
Tuomo Soini <tis@foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
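
Added example, not part of the thread or of Shorewall: a small lint that scans a ruleset in iptables-restore format and reports `-s`/`-d` operands that are hostnames rather than literal addresses, the practice the posters above discourage. The sample ruleset, its hostnames and the function names are constructed for illustration.

```python
import ipaddress
import shlex

# Options whose operand is a source or destination address.
ADDR_FLAGS = {"-s", "--source", "--src", "-d", "--destination", "--dst"}

# Constructed sample in iptables-save / iptables-restore format.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s admin.example.org -p tcp --dport 22 -j ACCEPT
-A FORWARD ! -d 198.51.100.7,ntp.example.net -p udp --dport 123 -j DROP
COMMIT
"""

def is_literal(value):
    """True if value is an IP address, a CIDR network or address/netmask."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def find_hostnames(ruleset):
    """Return (line_number, flag, value) for each non-literal -s/-d operand."""
    findings = []
    for lineno, line in enumerate(ruleset.splitlines(), start=1):
        line = line.strip()
        # Skip blanks, comments, table headers, chain policies and COMMIT.
        if not line or line[0] in "#*:" or line == "COMMIT":
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens):
            if tok not in ADDR_FLAGS:
                continue
            operands = tokens[i + 1:i + 3]
            if operands and operands[0] == "!":   # older "-s ! addr" form
                operands = operands[1:]
            # The operand may be a comma-separated list of addresses.
            for value in (operands[0].split(",") if operands else []):
                if not is_literal(value):
                    findings.append((lineno, tok, value))
    return findings

if __name__ == "__main__":
    for lineno, flag, value in find_hostnames(SAMPLE):
        print(f"line {lineno}: {flag} {value} is not a literal address")
```
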