<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux IPCHAINS-HOWTO: Introduction</TITLE>
<LINK HREF="IPCHAINS-HOWTO-2.html" REL=next>

<LINK HREF="IPCHAINS-HOWTO.html#toc1" REL=contents>
</HEAD>
<BODY>
<A HREF="IPCHAINS-HOWTO-2.html">Next</A>
Previous
<A HREF="IPCHAINS-HOWTO.html#toc1">Contents</A>
<HR>
<H2><A NAME="intro"></A> <A NAME="s1">1. Introduction</A></H2>

<P>This is the Linux IPCHAINS-HOWTO; see
<A HREF="#intro-where">Where?</A>
for the master site, which contains the latest copy. You should read
the Linux NET-3-HOWTO as well. The IP-Masquerading HOWTO, the
PPP-HOWTO, the Ethernet-HOWTO and the Firewall HOWTO might make
interesting reading. (Then again, so might the alt.fan.bigfoot FAQ).
<P>
<P>If packet filtering is passe to you, read Section
<A HREF="#intro-why">Why?</A>, Section
<A HREF="IPCHAINS-HOWTO-2.html#basics-how">How?</A>, and
scan through the titles in Section
<A HREF="IPCHAINS-HOWTO-4.html#core">IP Firewalling Chains</A>.
<P>
<P>If you are converting from <CODE>ipfwadm</CODE>, read Section
<A HREF="#intro">Introduction</A>, Section
<A HREF="IPCHAINS-HOWTO-2.html#basics-how">How?</A>, and
Appendices in section
<A HREF="IPCHAINS-HOWTO-8.html#ipfwadm-diff">Differences between ipchains and ipfwadm</A> and section
<A HREF="IPCHAINS-HOWTO-9.html#upgrade">Using the `ipfwadm-wrapper' script</A>.
<P>
<H2><A NAME="ss1.1">1.1 What?</A>
</H2>

<P>Linux <CODE>ipchains</CODE> is a rewrite of the Linux IPv4 firewalling code
(which was mainly stolen from BSD) and a rewrite of <CODE>ipfwadm</CODE>,
which was a rewrite of BSD's <CODE>ipfw</CODE>, I believe. It is required to
administer the IP packet filters in Linux kernel versions 2.1.102 and
above.
<P>
<H2><A NAME="intro-why"></A> <A NAME="ss1.2">1.2 Why?</A>
</H2>

<P>The older Linux firewalling code doesn't deal with fragments, has
32-bit counters (on Intel at least), doesn't allow specification of
protocols other than TCP, UDP or ICMP, can't make large changes
atomically, can't specify inverse rules, has some quirks, and can be
tough to manage (making it prone to user error).
<P>
<H2><A NAME="ss1.3">1.3 How?</A>
</H2>

<P>Currently the code is in the mainstream kernel from 2.1.102. For the
2.0 kernel series, you will need to download a kernel patch from the
web page. If your 2.0 kernel is more recent than the supplied patch,
the older patch should be OK; this part of the 2.0 kernels is fairly
stable (e.g. the 2.0.34 kernel patch works just fine on the 2.0.35
kernel). Since the 2.0 patch is incompatible with the ipportfw and
ipautofw patches, I don't recommend applying it unless you really need
some functionality that ipchains offers.
<P>
<H2><A NAME="intro-where"></A> <A NAME="ss1.4">1.4 Where?</A>
</H2>

<P>The official page is in three places:
<A HREF="http://netfilter.filewatcher.org/ipchains">Thanks to Penguin Computing</A>
<A HREF="http://www.samba.org/netfilter/ipchains">Thanks to the SAMBA Team</A>
<A HREF="http://netfilter.kernelnotes.org/ipchains">Thanks to Jim Pick</A><P>
<P>There is a mailing list for bug reports, discussion, development and
usage. Join the mailing list by sending a message containing the word
``subscribe ipchains-list'' to subscribe at east.balius.com. To mail
to everyone on the list use ipchains-list at east.balius.com.
<P>
</BODY>
</HTML>