> I have no idea what you are talking about. Shorewall files are aligned
> on normal 8-column tab stops (with the exception of the rules file which
> is getting a little crowded). And Shorewall only requires that there be
> SOME whitespace between the columns; there has never been (nor will
> there ever be) a requirement that entries appear in a particular column.

I just say that write:
#ACTION SOURCE DESTINATION PROTOCOL DEST_PORT SOURCE_PORT
more convenient than:
#ACTION SOURCE DESTINATION PROTOCOL DEST PORT SOURCE PORT

> > 4. And yet one thing. I belief that Shorewall only will be yet better if
> > you realize check for double records when adding new rule by
> > Shorewall and then any users can use iptables with maximum efficiency
> > and convenience (without use different style DNAT, DNAT-, REDIRECT,
> > REDIRECT- and may be in other cases).
>
> Again, I don't understand what you are asking. Sorry

I propose do check for new added rule if there is same rule in tables or not with DNAT, REDIRECT instructions and exclude DNAT-, REDIRECT- instructions and generate ACCEPT rule with rate limits of DNAT. For what purposes they may be different?

> > Chain webin (2 references)
> > pkts bytes target prot opt in out source destination
> > 5232 429K web all -- * * 0.0.0.0/0 0.0.0.0/0
> > ..."
> > but why prot=all but not prot=tcp and where is indicate that SOURCE=eth0,
> > DESTINATION=eth1, DEST_PORT=80,443?
>
> To see that you have to look at how packets GET to this chain.

I think it must look like:

Chain webin (2 references)
pkts bytes target prot opt in out source destination
5232 429K web tcp -- 5232 0 eth0:0.0.0.0/0 eth1:0.0.0.0/0:80,443

Aleks

On Thu, 2003-08-14 at 08:00, alshu@tut.by wrote:
> > I have no idea what you are talking about. Shorewall files are aligned
> > on normal 8-column tab stops (with the exception of the rules file which
> > is getting a little crowded). And Shorewall only requires that there be
> > SOME whitespace between the columns; there has never been (nor will
> > there ever be) a requirement that entries appear in a particular column.
>
> I just say that write:
> #ACTION SOURCE DESTINATION PROTOCOL DEST_PORT SOURCE_PORT
> more convenient than:
> #ACTION SOURCE DESTINATION PROTOCOL DEST PORT SOURCE PORT
>
> > > 4. And yet one thing. I belief that Shorewall only will be yet better if
> > > you realize check for double records when adding new rule by
> > > Shorewall and then any users can use iptables with maximum efficiency
> > > and convenience (without use different style DNAT, DNAT-, REDIRECT,
> > > REDIRECT- and may be in other cases).
> >
> > Again, I don't understand what you are asking. Sorry
>
> I propose do check for new added rule if there is same rule in
> tables or not with DNAT, REDIRECT instructions and exclude DNAT-, REDIRECT-
> instructions and generate ACCEPT rule with rate limits of DNAT. For what
> purposes they may be different?

No -- people think that "shorewall [re]start" is too slow already without trying to do that.

> > > Chain webin (2 references)
> > > pkts bytes target prot opt in out source destination
> > > 5232 429K web all -- * * 0.0.0.0/0 0.0.0.0/0
> > > ..."
> > > but why prot=all but not prot=tcp and where is indicate that SOURCE=eth0,
> > > DESTINATION=eth1, DEST_PORT=80,443?
> >
> > To see that you have to look at how packets GET to this chain.
>
> I think it must look like:
>
> Chain webin (2 references)
> pkts bytes target prot opt in out source destination
> 5232 429K web tcp -- 5232 0 eth0:0.0.0.0/0 eth1:0.0.0.0/0:80,443

No. In the accounting chain, is:

38607 3228K webin tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net

On Thu, 2003-08-14 at 08:00, alshu@tut.by wrote:
> > I have no idea what you are talking about. Shorewall files are aligned
> > on normal 8-column tab stops (with the exception of the rules file which
> > is getting a little crowded). And Shorewall only requires that there be
> > SOME whitespace between the columns; there has never been (nor will
> > there ever be) a requirement that entries appear in a particular column.
>
> I just say that write:
> #ACTION SOURCE DESTINATION PROTOCOL DEST_PORT SOURCE_PORT
> more convenient than:
> #ACTION SOURCE DESTINATION PROTOCOL DEST PORT SOURCE PORT

I can see no possible reason.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net

On Thu, 2003-08-14 at 08:11, Tom Eastep wrote:
> On Thu, 2003-08-14 at 08:00, alshu@tut.by wrote:
> > > I have no idea what you are talking about. Shorewall files are aligned
> > > on normal 8-column tab stops (with the exception of the rules file which
> > > is getting a little crowded). And Shorewall only requires that there be
> > > SOME whitespace between the columns; there has never been (nor will
> > > there ever be) a requirement that entries appear in a particular column.
> >
> > I just say that write:
> > #ACTION SOURCE DESTINATION PROTOCOL DEST_PORT SOURCE_PORT
> > more convenient than:
> > #ACTION SOURCE DESTINATION PROTOCOL DEST PORT SOURCE PORT
>
> I can see no possible reason.

Is this any better?

#ACTION SOURCE DESTINATION PROTOCOL DEST SOURCE
#                                   PORT PORT

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net

On Thu, 2003-08-14 at 08:06, Tom Eastep wrote:
> > I think it must look like:
> >
> > Chain webin (2 references)
> > pkts bytes target prot opt in out source destination
> > 5232 429K web tcp -- 5232 0 eth0:0.0.0.0/0 eth1:0.0.0.0/0:80,443
>
> No. In the accounting chain, is:
>
> 38607 3228K webin tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

And of course there is also:

0 0 webin tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net

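The point made in the replies above, that the protocol, interface and port matches sit on the rules that jump to webin rather than inside webin, shown as an added example that is not part of the original thread. The listing is constructed in `iptables -L -n -v` layout from the lines quoted in the messages; the chain name "accounting", its reference count and the helper names are assumptions.

```python
import re

# Constructed sample: counters and matches are the ones quoted in the thread;
# the "accounting" chain header is an assumption for illustration.
SAMPLE = """\
Chain accounting (3 references)
 pkts bytes target     prot opt in     out     source        destination
38607 3228K webin      tcp  --  eth0   eth1    0.0.0.0/0     0.0.0.0/0     tcp dpt:80
    0     0 webin      tcp  --  eth0   eth1    0.0.0.0/0     0.0.0.0/0     tcp dpt:443

Chain webin (2 references)
 pkts bytes target     prot opt in     out     source        destination
 5232  429K web        all  --  *      *       0.0.0.0/0     0.0.0.0/0
"""

FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out",
          "source", "destination")
CHAIN_RE = re.compile(r"^Chain (\S+) \(")


def parse_listing(text):
    """Return {chain: [rule, ...]}; a rule holds the nine columns plus 'match'.

    Assumes every rule has a target; an empty target column would shift
    the whitespace-split fields.
    """
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        parts = line.split()
        if current is None or len(parts) < len(FIELDS) or parts[0] == "pkts":
            continue  # blank line, column header, or text outside a chain
        rule = dict(zip(FIELDS, parts))
        rule["match"] = " ".join(parts[len(FIELDS):])  # e.g. "tcp dpt:80"
        current.append(rule)
    return chains


def callers(text, chain):
    """Rules in other chains that jump to `chain`: how packets reach it."""
    return [(name, r) for name, rules in parse_listing(text).items()
            for r in rules if r["target"] == chain and name != chain]


def describe(text, chain):
    """One summary line per calling rule, with its match criteria."""
    return [f'{name}: {r["prot"]} {r["in"]}->{r["out"]} {r["match"]} '
            f'({r["pkts"]} pkts)' for name, r in callers(text, chain)]


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE, "webin")))
```
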
At 8/14/2003 08:11 -0700, Tom Eastep wrote:
> On Thu, 2003-08-14 at 08:00, alshu@tut.by wrote:
> > > I have no idea what you are talking about. Shorewall files are aligned
> > > on normal 8-column tab stops (with the exception of the rules file which
> > > is getting a little crowded). And Shorewall only requires that there be
> > > SOME whitespace between the columns; there has never been (nor will
> > > there ever be) a requirement that entries appear in a particular column.
> >
> > I just say that write:
> > #ACTION SOURCE DESTINATION PROTOCOL DEST_PORT SOURCE_PORT
> > more convenient than:
> > #ACTION SOURCE DESTINATION PROTOCOL DEST PORT SOURCE PORT
>
> I can see no possible reason.

Tom, I think he's one of the people (I've met quite a few) who find the underscores visually confusing and prefer to have words separated by spaces.

Alshu, the primary reason why it would be a Very Bad Idea [tm] to separate "DEST_PORT" into "DEST PORT" is because it then looks (to everybody else) like two column names and will cause lots and lots of confusion. Tom is right, there is no valid reason to separate those words and good reasons to keep them together.

--
Rodolfo J. Paiz
rpaiz@simpaticus.com

On Thu, 2003-08-14 at 09:36, Rodolfo J. Paiz wrote:
> > I can see no possible reason.
>
> Tom, I think he's one of the people (I've met quite a few) who find the
> underscores visually confusing and prefer to have words separated by spaces.
>
> Alshu, the primary reason why it would be a Very Bad Idea [tm] to separate
> "DEST_PORT" into "DEST PORT" is because it then looks (to everybody else)
> like two column names and will cause lots and lots of confusion. Tom is
> right, there is no valid reason to separate those words and good reasons to
> keep them together.

Rudolpho, Aleks is advocating the "_" -- the current files use spaces.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net