"iptables sux"

 
 
deita
Guest
Posts: n/a

 
      09-19-2003, 04:28 PM
Hi.

Searching the groups with Google for "iptables sux" (or
ipfw/suck/sucks in quotes), it finds only a few posts by authors who
really think so, almost nothing. Is it really so good that no one has
anything bad to say about it? Just interesting, has anyone run into a
problem where iptables becomes useless or inconvenient for
routing/mangling/nat/qos purposes? Of course, iptables solves most
simple needs, but can anyone give an example where it does not?

--
 
 
 
 
 
Tim Hammerquist
Guest
Posts: n/a

 
      09-19-2003, 05:31 PM
deita graced us by uttering:
> Searching the groups with Google for "iptables sux" (or
> ipfw/suck/sucks in quotes), it finds only a few posts by authors
> who really think so, almost nothing. Is it really so good that
> no one has anything bad to say about it?


I'd like to say I believe it's because those who have found it
doesn't meet their needs or competency level have better things
to do than troll newsgroups with their bitching.

....but this is Usenet.

Tim Hammerquist
--
ANIME LAW OF INHERENT COMBUSTIBILITY
Everything explodes. Everything.
 
 
Michael Smith
Guest
Posts: n/a

 
      09-19-2003, 06:52 PM
Jeroen Geilman <(E-Mail Removed)> wrote in
news:3f6b3b67$0$58701$(E-Mail Removed):

> deita wrote:
>
>> Hi.
>>
>> Searching the groups with Google for "iptables sux" (or
>> ipfw/suck/sucks in quotes), it finds only a few posts by authors who
>> really think so, almost nothing. Is it really so good that no one has
>> anything bad to say about it?

>
> A small suggestion:
>
> - mosey your behind over to www.netfilter.org, the official home of
> the Linux Netfilter code.
> - download the source
> - READ the source
> - understand how it works
> - prove this by explaining it - to me (I sure don't know how it works)
>
> THEN we can move on to more philosophical matters...


Not to jump to deita's defense, but if you don't know how it works, who
cares if you can discuss its merits? A small suggestion: Go away.


Deita,

I've only been using iptables for about six months, so I am by no means
an expert, but I've found it to be very powerful and at the same time
relatively easily configurable. Jeroen, while being something of an ass,
did have one good point.... www.netfilter.org.

Mike
 
 
Jeroen Geilman
Guest
Posts: n/a

 
      09-19-2003, 07:22 PM
deita wrote:

> Hi.
>
> Searching the groups with Google for "iptables sux" (or
> ipfw/suck/sucks in quotes), it finds only a few posts by authors who
> really think so, almost nothing. Is it really so good that no one has
> anything bad to say about it?


A small suggestion:

- mosey your behind over to www.netfilter.org, the official home of the
Linux Netfilter code.
- download the source
- READ the source
- understand how it works
- prove this by explaining it - to me (I sure don't know how it works)

THEN we can move on to more philosophical matters...

> Just interesting, has anyone run into a
> problem where iptables becomes useless or inconvenient for
> routing/mangling/nat/qos purposes? Of course, iptables solves most
> simple needs, but can anyone give an example where it does not?


Can you ?

And, more interestingly, would you then conclude that it does, indeed, "sux"
as you so eloquently put it, or would you come up with a brilliant solution
?

I have a better suggestion: why don't YOU posit a routing/filtering
_problem_ and see if it *can't* be solved by using iptables.

I seriously doubt you'll come up with a big enough problem soon...

Yes, it's good - so good, that a single-floppy distro can surpass both the
capabilities and the performance of a Cisco router...


--
Jeroen Geilman

Gentoo 1.4 rc4
 
 
redhat_devel
Guest
Posts: n/a

 
      09-19-2003, 07:25 PM


Michael Smith wrote:
> Jeroen Geilman <(E-Mail Removed)> wrote in
> news:3f6b3b67$0$58701$(E-Mail Removed):
>
>
>>deita wrote:
>>
>>
>>>Hi.
>>>
>>> Searching the groups with Google for "iptables sux" (or
>>> ipfw/suck/sucks in quotes), it finds only a few posts by authors who
>>> really think so, almost nothing. Is it really so good that no one has
>>> anything bad to say about it?

>>
>>A small suggestion:
>>
>>- mosey your behind over to www.netfilter.org, the official home of
>>the Linux Netfilter code.
>>- download the source
>>- READ the source
>>- understand how it works
>>- prove this by explaining it - to me (I sure don't know how it works)
>>
>>THEN we can move on to more philosophical matters...

>
>
> Not to jump to deita's defense, but if you don't know how it works, who
> cares if you can discuss its merits? A small suggestion: Go away.
>
>
> Deita,
>
> I've only been using iptables for about six months, so I am by no means
> an expert, but I've found it to be very powerful and at the same time
> relatively easily configurable. Jeroen, while being something of an ass,
> did have one good point.... www.netfilter.org.
>
> Mike


IPtables is so good that ADC and Terayon have incorporated it in the
carrier-class CMTS (cable modem termination systems), which both use Linux.


 
 
Cedric Blancher
Guest
Posts: n/a

 
      09-20-2003, 08:50 AM
In his prose, deita wrote to us:
> Just interesting, has anyone run into a problem where
> iptables becomes useless or inconvenient for routing/mangling/nat/qos
> purposes?


mangling :
iptables -t mangle [...]
What else do you need ?

routing :
Routing is not a packet filter's job. However, considering Netfilter mark
can be used as a routing key, iptables can be used to provide powerful
routing schemes, as anything Netfilter can match about a packet can be
used to route it.

nat :
iptables -t nat [...]
What else do you need ?

QoS :
As for routing, QoS is not a packet filter's job. However, Netfilter's
mark can be used as a key for Linux QoS subsystem.

> Of course, iptables solves most simple needs, but
> can anyone give an example where it does not?


Netfilter can solve _all_ simple needs, and far more. Just read the docs
and use it.


 
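The mark-as-key scheme described in the post above, as an added example that is not part of the original thread: one Netfilter mark set in the mangle table is reused as a policy-routing key and as a QoS classifier key. The mark value, routing table number, interface, gateway, port and rate are all assumptions chosen for illustration, and the function only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: one Netfilter mark used as both a routing key and a QoS key.
# Every value passed in (mark, table, device, gateway, port, rate) is an
# illustrative assumption, not something taken from the thread.

# mark_policy_cmds MARK TABLE DEV GATEWAY PORT RATE
# Prints the command set; nothing is executed here.
mark_policy_cmds() {
    mark=$1 table=$2 dev=$3 gw=$4 port=$5 rate=$6

    # Reject non-numeric mark/table/port so a typo cannot turn into a
    # different rule than the one intended.
    for n in "$mark" "$table" "$port"; do
        case $n in
            ''|*[!0-9]*) echo "bad number: '$n'" >&2; return 1 ;;
        esac
    done
    # Mark 0 is what unmarked packets carry, so it cannot select anything.
    [ "$mark" -gt 0 ] || { echo "mark must be > 0" >&2; return 1; }

    # 1. Classify: anything iptables can match may set the mark.
    #    PREROUTING covers forwarded traffic; locally generated traffic
    #    would need the same rule in the mangle OUTPUT chain.
    echo "iptables -t mangle -A PREROUTING -p tcp --dport $port -j MARK --set-mark $mark"

    # 2. Routing: marked packets are looked up in a separate routing table.
    echo "ip rule add fwmark $mark table $table"
    echo "ip route add default via $gw dev $dev table $table"

    # 3. QoS: the tc 'fw' classifier maps the same mark to an HTB class.
    echo "tc qdisc add dev $dev root handle 1: htb"
    echo "tc class add dev $dev parent 1: classid 1:10 htb rate $rate"
    echo "tc filter add dev $dev parent 1: protocol ip prio 1 handle $mark fw flowid 1:10"
}

# Constructed sample invocation: steer and shape forwarded SSH traffic.
mark_policy_cmds 1 100 eth1 192.0.2.1 22 1mbit
```

Audit the result with `iptables -t mangle -L -v -n`, `ip rule show` and `tc -s filter show dev eth1`; a mark rule without a matching `ip rule` or `tc filter` silently does nothing.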
 
Jeroen Geilman
Guest
Posts: n/a

 
      09-20-2003, 12:54 PM
Michael Smith wrote:


> Not to jump to deita's defense, but if you don't know how it works, who
> cares if you can discuss its merits?


The OP certainly doesn't know how it works, and he deigns to judge it for
all the rest of the world...a bit arrogant, I feel.

And the OP did not give the impression of wanting to "discuss its merits" -
he gave the distinct impression of wanting to be told - right now! - what
exactly was so damned good about it that he should even consider allowing
it to exist...

If he simply wanted to ask what our experiences are with iptables and
whether we would recommend it over other alternatives, then he might have
done so...his attitude does not convey interest, it suggests belligerence.

> A small suggestion: Go away.


From where ? Your Internet ?

Sorry, not your call.

> Jeroen, while being something of an ass,


How would you know ? Have you *seen* it ?

> did have one good point.... www.netfilter.org.


Yes... quite revealing that the OP has to be told this kind of thing.

Mike, I don't mind a bit if you need to insult me, but you don't need to
protect a smartass with an attitude the size of Alaska, do you ?

What does it suggest to you that he/she/it demands to know whether iptables
is "of any use" / "any good" ?

To me it suggests one thing: an implied superiority that he had better be
able to back up, then...which is what I suggested.

Phew...far too long, auto-plonk

--
Jeroen Geilman

Gentoo 1.4 rc4
 
 
Tim Johnson
Guest
Posts: n/a

 
      09-20-2003, 11:42 PM
I have been using it for quite awhile and have grown very fond of it.


"deita" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> Hi.
>
> Searching the groups with Google for "iptables sux" (or
> ipfw/suck/sucks in quotes), it finds only a few posts by authors who
> really think so, almost nothing. Is it really so good that no one has
> anything bad to say about it? Just interesting, has anyone run into a
> problem where iptables becomes useless or inconvenient for
> routing/mangling/nat/qos purposes? Of course, iptables solves most
> simple needs, but can anyone give an example where it does not?
>
> --



 