[Tfug] ip_tables kernel code no longer possible to build into the kernel?
Robert Hunter
hunter at tfug.org
Wed May 24 01:23:33 MST 2006
> what i need is normal, basic, usual iptables capabilities. like
> blocking ports and port ranges and limiting and logging,
>
A good place to start is http://www.netfilter.org/documentation/index.html
> so is this module (or rather all these tiny little iptables-related
> modules):
>
> 1. something that looks EXACTLY like it's what i need but is not?
> i.e. it is for some advanced thing?
>
> or:
>
> 2. just what i need?
Pay attention to the stuff with descriptions like "This is required
for such and such feature". Yeah, I know, it can be overwhelming
sometimes. That's why it's a good idea to start with a kernel
configuration from your favorite distribution and tweak it until you're
happy. Sure, you'll make a few mistakes, but there are a few things you
can do to minimize the pain.
1) Use something like Debian's kernel-package to automate the
build/install process of your custom kernel+modules.
2) In case something goes wrong, keep an older working kernel around,
preferably one that you can select from your bootloader menu.
3) Compiling kernel modules that your system will not use only costs you a
little compile time and disk space. If you are unsure about whether
something is necessary then it doesn't hurt to build it as a module. The
only caveat, as I mentioned before, is if said thing is necessary for your
system to boot up properly (i.e. driver for a disk-controller, root
file-system, etc.).
>
> i pulled your trick on XTABLES and it still looks like what i need.
> so why would it not default to yes?
>
> i kind of found out via make menuconfig just before you posted that it
> might have something to do with a higher level setting being a module.
> it looks like that might be the reason.
>
> as for using a module, i can, but there were dozens and i didn't want
> to have to keep track of them just to do basic things. why would i
> have to reenable iptables, then set modules for every tiny little part
> of it, like port ranges and limiting and the like? i'd think it would
> be mostly on by default.
>
I don't know... because it builds character? ;-)
--
Rob
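The point raised in the quoted reply, that an option such as the XTABLES matches can only be built into the kernel (=y) when the higher-level option it depends on is also built in, and is capped at =m when that parent is a module, follows the Kconfig rule that a tristate may never exceed the tristate it depends on. The script below is an added example, not code from the original post, from the tfug list or from the netfilter project: it parses a kernel .config and reports every option whose requested value exceeds what its parent allows. Its dependency table is a hand-written approximation of the 2.6-era "depends on" relations (an assumption; the authoritative rules live in the kernel's net/netfilter and net/ipv4/netfilter Kconfig files), and the sample .config is constructed for the demonstration.

```python
"""Report kernel .config options requested built-in (=y) whose parent
option is only a module (=m) or is disabled, i.e. options that Kconfig
would silently downgrade when you run 'make oldconfig'.

Added example, not part of the original mailing-list post.  The
dependency table is a hand-written approximation (an assumption) of the
2.6-era Kconfig 'depends on' relations, not an extract of the real files.
"""
import re
import sys

# Assumed 'depends on' relations: child symbol -> parent symbol.
DEPENDS_ON = {
    "NETFILTER_XTABLES": "NETFILTER",
    "NETFILTER_XT_MATCH_LIMIT": "NETFILTER_XTABLES",
    "NETFILTER_XT_MATCH_MULTIPORT": "NETFILTER_XTABLES",
    "IP_NF_IPTABLES": "NETFILTER",
    "IP_NF_FILTER": "IP_NF_IPTABLES",
    "IP_NF_TARGET_LOG": "IP_NF_IPTABLES",
}

# Kconfig tristate ordering: n < m < y.  A child may not exceed its parent.
LEVEL = {"n": 0, "m": 1, "y": 2}

# Constructed sample .config, not taken from a real system.
SAMPLE_CONFIG = """\
# Constructed sample for the checker
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=y
# CONFIG_IP_NF_TARGET_LOG is not set
"""


def parse_config(text):
    """Return {SYMBOL: 'y'|'m'|'n'} from .config text.

    Handles both 'CONFIG_X=y|m' lines and the '# CONFIG_X is not set'
    form that Kconfig writes for disabled options.
    """
    values = {}
    for line in text.splitlines():
        line = line.strip()
        match = re.match(r"^CONFIG_(\w+)=(y|m)$", line)
        if match:
            values[match.group(1)] = match.group(2)
            continue
        match = re.match(r"^# CONFIG_(\w+) is not set$", line)
        if match:
            values[match.group(1)] = "n"
    return values


def find_conflicts(values, deps=DEPENDS_ON):
    """Return [(symbol, requested, parent_value, parent)] for every option
    whose requested value is higher than its parent's value allows.

    An absent parent is treated as 'n', since Kconfig omits symbols that
    are not selectable at all.
    """
    conflicts = []
    for symbol, requested in values.items():
        parent = deps.get(symbol)
        if parent is None:
            continue
        parent_value = values.get(parent, "n")
        if LEVEL[requested] > LEVEL[parent_value]:
            conflicts.append((symbol, requested, parent_value, parent))
    return conflicts


def explain(conflicts):
    """Render conflicts as one human-readable line each."""
    return [
        f"CONFIG_{sym}={req} cannot exceed CONFIG_{parent}={pval}; "
        f"it will be limited to {pval}"
        for sym, req, pval, parent in conflicts
    ]


def check_config_text(text):
    """Convenience wrapper: parse then report."""
    return explain(find_conflicts(parse_config(text)))


if __name__ == "__main__":
    # Usage: python check_netfilter_config.py [/path/to/.config]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            source = fh.read()
    else:
        source = SAMPLE_CONFIG
    for line in check_config_text(source) or ["no dependency conflicts found"]:
        print(line)
```

Run it against the sample and it flags NETFILTER_XT_MATCH_LIMIT and IP_NF_FILTER, each requested =y under a parent that is =m; that is exactly the "higher level setting being a module" situation in the thread, and the fix is either to set the parent to =y or to accept =m for the child. Point it at a real /usr/src/linux/.config to check your own tree, extending DEPENDS_ON from the Kconfig files for the options you care about.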