[Dshield] I need some quick (IPT) help

John Sage jsage at finchhaven.com
Tue Oct 7 19:29:25 GMT 2003


One very quick point, just to keep the waters clear:

On Tue, Oct 07, 2003 at 02:33:22PM -0400, David Hart wrote:
> Our NetGear RT314 finally gave up the ghost this morning. I quickly
> replaced it with a LynkSys (POS). What a dog rocket.

/* snip */

> Again, assuming that this is a logical approach, am I better off
> with IP Tables or using something like Shorewall?

It's important to understand that Shorewall really *is* iptables:


"The Shoreline Firewall, more commonly known as "Shorewall", is
high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of configuration
files. Shorewall reads those configuration files and with the help of
the iptables utility, Shorewall configures Netfilter to match your

"The term 'iptables' is often used to refer to the combination of
iptables+Netfilter (with Netfilter not in ipchains compatibility

Your question is really:

"Should I roll iptables from scratch, or should I use a packaged
frontend/admin tool like Shorewall?"

> Should we drop or reject the undesirable packets?

A philosophical question, with the answer "it depends"

REJECT usually means you're sending out some sort of response (ICMP
host or port unreachable, depending) while DROP means the incoming,
offending packet is dropped on the floor (metaphorically speaking) as
if it never existed.

Your choice; one says "We're here, but we won't talk to you" while the
other says nothing.

- John
"You are in a twisty maze of weblogs, all alike."
John Sage: InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.

More information about the list mailing list