iptables frontend

jdow jdow at earthlink.net
Sun Dec 21 21:42:00 UTC 2003


From: "Michael Schwendt" <ms-nospam-0306 at arcor.de>
>  On Sun, 21 Dec 2003 03:09:27 -0800, jdow wrote:
>
> > {^_-}   <- Uses a fully organically grown firewall. (And REALLY wishes
> >         iptables log reports were graceful enough to include a notation
> >         denoting WHICH rule was triggered into logging a report.)
>
> You have the freedom to enhance your LOG rules with such info,
> e.g. using --log-prefix "foo".
 
This is true - at the cost of doubling the number of rules for every
rule that gets logged. A simple "-j drip-and-log-it" rule that logs
then drops a packet cannot have a per rule "--log-prefix". So I have
to clutter the rule sets with double the number of rules for those I
log. Pooey on that. NetFilter IPTables were mal-designed in this regard.
It is another of those things that is infuriatingly good. That is to say
it is nearly perfect with a major glaring huge flaw.

{^_^}
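Added example, not part of the thread: a small Python script that builds both rule layouts the messages describe (a shared log-then-drop chain versus a per-rule --log-prefix) as iptables command text, and parses the kernel LOG lines such rules produce back to the rule name. Rule names, interfaces and the sample log lines are constructed; nothing is executed against a live firewall.

```python
import re

# Constructed rule table: (name, match spec). The name doubles as the LOG
# prefix so a log line can be traced back to the rule that produced it.
RULES = [
    ("ssh-ext", "-i eth0 -p tcp --dport 22"),
    ("smb-ext", "-i eth0 -p udp --dport 137:139"),
]

def shared_chain_rules(rules, chain="LOGDROP"):
    """One LOG and one DROP in a user chain, every rule jumps to it:
    n + 3 commands, but every log line carries the same prefix."""
    cmds = [f"iptables -N {chain}",
            f"iptables -A {chain} -j LOG --log-prefix '{chain}: '",
            f"iptables -A {chain} -j DROP"]
    cmds += [f"iptables -A INPUT {spec} -j {chain}" for _, spec in rules]
    return cmds

def per_rule_prefix_rules(rules):
    """LOG and DROP spelled out per rule so the prefix names the rule:
    2n commands, the doubling the post complains about."""
    cmds = []
    for name, spec in rules:
        cmds.append(f"iptables -A INPUT {spec} -j LOG --log-prefix '{name}: '")
        cmds.append(f"iptables -A INPUT {spec} -j DROP")
    return cmds

# Kernel LOG line: optional timestamp, the prefix (text before the first
# 'IN='), then KEY=VALUE fields; bare flags such as DF or SYN are skipped.
LOG_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(?P<prefix>.*?)\s*(?P<fields>IN=.*)$")

def parse_log_line(line):
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(f.split("=", 1) for f in m.group("fields").split() if "=" in f)
    return {"rule": m.group("prefix").rstrip(": ") or None, **fields}

def count_by_rule(lines):
    """Tally LOG lines per rule prefix; unprefixed lines land under None."""
    counts = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec:
            counts[rec["rule"]] = counts.get(rec["rule"], 0) + 1
    return counts

# Constructed sample log lines in the kernel LOG target's format.
SAMPLE_LOG = [
    "Dec 21 21:42:00 gw kernel: [ 123.456] ssh-ext: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40321 DPT=22 SYN",
    "Dec 21 21:42:01 gw kernel: [ 124.001] ssh-ext: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP SPT=40322 DPT=22 SYN",
    "Dec 21 21:42:02 gw kernel: [ 124.900] smb-ext: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137",
    "Dec 21 21:42:03 gw kernel: [ 125.300] IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 PROTO=ICMP TYPE=8",
]
```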

More information about the fedora-list mailing list