cheers Tom and folks,

First of all: Thank you, Tom! :-) Shorewall is a great firewall, I love it. Just updated the router/firewall for a small home network. Smoothly, it just works. Keep up your good work.

While updating, I wondered about some points:

1) I have one internet zone and 2 local zones. As I trust the users in the local zones, I want to allow any traffic. Concerning speed and simplicity of chains, is it better to have one policy "loc all ACCEPT" or to define every single "loc <zone> ACCEPT" policy on its own?

2) The rpm size grew by about 33% from 1.3.10 to 1.4.0. Nothing wrong with that, just wondering what you put in that uses about 500 kByte. ;)

And btw: Believe me, t-online (German internet access provider) really is a war zone, thanks to all those script kiddies and SMB broadcasts from unprotected users...

karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
On 21 Mar 2003, kb wrote:

> cheers Tom and folks,
>
> First of all: Thank you, Tom! :-) Shorewall is a great firewall, I
> love it. Just updated the router/firewall for a small home network.
> Smoothly, it just works. Keep up your good work.
>

Thanks, Karsten.

> While updating, I wondered about some points:
>
> 1) I have one internet zone and 2 local zones. As I trust the users in
> the local zones, I want to allow any traffic. Concerning speed and
> simplicity of chains, is it better to have one policy "loc all ACCEPT"
> or to define every single "loc <zone> ACCEPT" policy on its own?
>

I prefer 'loc all ACCEPT'. It creates a single chain where the other way creates individual chains. Note that this isn't so with rules; there, 'all' is just a shorthand technique and the number of NetFilter rules generated is the same either way.

> 2) The rpm size grew by about 33% from 1.3.10 to 1.4.0. Nothing wrong
> with that, just wondering what you put in that uses about 500 kByte. ;)
>

More documentation. As I've said before, I spend much more time on documentation than I do on the code...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
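The two ways of writing the policy that Tom compares, as an added illustration (not from this thread and not from the Shorewall project's own documentation). It uses the column layout of the Shorewall 1.4 /etc/shorewall/policy and /etc/shorewall/rules files; the zone names net, loc and loc2 are assumed from Karsten's description, and fw is the default name of the firewall zone (the FW setting in shorewall.conf).

```text
# /etc/shorewall/policy -- variant A: one entry per trusted zone.
# Each 'loc all ACCEPT' line becomes a single policy chain.
# Assumed zones: net = internet, loc and loc2 = the two trusted LANs.
# The file is scanned top-down and the first matching entry wins, so the
# ACCEPT lines must come before the catch-all REJECT at the bottom.
#SOURCE   DEST    POLICY   LOG LEVEL   LIMIT:BURST
loc       all     ACCEPT
loc2      all     ACCEPT
net       all     DROP     info
all       all     REJECT   info

# /etc/shorewall/policy -- variant B: one entry per zone pair.
# Every line becomes its own policy chain, and a forgotten pair
# (here: loc2 -> loc) silently falls through to 'all all REJECT'.
#SOURCE   DEST    POLICY   LOG LEVEL   LIMIT:BURST
loc       net     ACCEPT
loc       loc2    ACCEPT
loc       fw      ACCEPT
loc2      net     ACCEPT
loc2      fw      ACCEPT
net       all     DROP     info
all       all     REJECT   info

# /etc/shorewall/rules -- here 'all' is only shorthand: Shorewall expands
# it into one NetFilter rule per matching zone pair, so the generated
# rule count is the same as writing the pairs out by hand.
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    all      fw     tcp     22
```

Two points worth checking before adopting variant A: 'all' in the DEST column includes the firewall zone itself, so 'loc all ACCEPT' also opens every service running on the router to the LAN (matching Karsten's stated intent, but not a default one would want on an untrusted segment), and because the first matching policy entry is used, placing 'all all REJECT' above the 'loc all ACCEPT' lines would silently disable them. The difference between the two variants is the number of policy chains generated, not which packets are accepted.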
cheers,

> > 1) I have one internet zone and 2 local zones. As I trust the users in
> > the local zones, I want to allow any traffic. Concerning speed and
> > simplicity of chains, is it better to have one policy "loc all ACCEPT"
> > or to define every single "loc <zone> ACCEPT" policy on its own?
>
> I prefer 'loc all ACCEPT'. It creates a single chain where the other way
> creates individual chains. Note that this isn't so with rules; there,
> 'all' is just a shorthand technique and the number of NetFilter rules
> generated is the same either way.

Thanks -- that's how I did it this time. The single rules are error-prone: I simply forgot about the "loc loc2 ACCEPT" policy and vice versa. And it gets really unreadable...

> > 2) The rpm size grew by about 33% from 1.3.10 to 1.4.0. Nothing wrong
> > with that, just wondering what you put in that uses about 500 kByte. ;)
>
> More documentation. As I've said before, I spend much more time on
> documentation than I do on the code...

Wow, that's a lot of documentation. :-) And it gives me a guilty conscience... I still want to contribute to the documentation.

karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!