Re: [suse-security] difference between portfw and mfw
Togan Muftuoglu wrote:
Hi
What are the main differences between portfw and mfw in ipmasqadm? For example, Marc prefers mfw in the SuSEfirewall script, but on the other hand I have seen scripts where only portfw is used. The only thing I saw was that in portfw you need to specify the protocol as well, tcp / udp.
Sorry until my book arrives there will be more questions coming. Ah yes when it arrives expect more to come :-)
Have a nice Sunday
-- Togan Muftuoglu
I find the packet marking stuff very useful for simplifying things.

e.g. if we want 3 clients to see different webservers, then all we have to do is use the one address for any client and add the following rules;

ipchains -I $INPUTCHAIN -p tcp -y -s $CLIENTA --dport 80 -m 1
ipchains -I $INPUTCHAIN -p tcp -y -s $CLIENTB --dport 80 -m 2
ipchains -I $INPUTCHAIN -p tcp -y -s $CLIENTC --dport 80 -m 3
ipmasqadm mfw -I -m 1 -r $WEBSERVER1 80
ipmasqadm mfw -I -m 2 -r $WEBSERVER2 80
ipmasqadm mfw -I -m 3 -r $WEBSERVER2 8080

This doesn't provide much security in itself though... ...you still really need password protection etc. It just makes it easier for the clients to find what they're looking for quickly.

William
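The same setup as a data-driven firewall script, added here as an example and not part of William's post or the SuSEfirewall script. It builds the ipchains mark rule and the matching ipmasqadm mfw redirect for each entry of a small client table, and emits the portfw form alongside to show the difference Togan asked about: portfw keys only on protocol plus external address and port, so it cannot choose a backend per client, while mfw keys on a mark that ipchains can set from any match criterion. The addresses, the INPUTCHAIN name and the RUN dry-run convention are assumptions; with RUN unset to empty the commands are executed instead of printed.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates ipchains + ipmasqadm rules
# from a client table. RUN defaults to "echo" (dry run); run with RUN= to apply.
RUN=${RUN-echo}

INPUTCHAIN=input          # assumed chain name (the post uses $INPUTCHAIN)
EXTIP=198.51.100.1        # constructed external address (RFC 5737 range)
EXTPORT=80

# Constructed sample table: "client-ip backend-ip backend-port"
CLIENT_TABLE='
192.0.2.10 10.0.0.11 80
192.0.2.20 10.0.0.12 80
192.0.2.30 10.0.0.12 8080
'

# One rule pair per client: ipchains marks only the SYN (-y) from that source
# so the masquerade entry is created once; mfw then sends anything carrying
# that mark to the chosen backend. Marks are assigned 1, 2, 3, ... in table order.
mfw_rules() {
    mark=0
    printf '%s\n' "$CLIENT_TABLE" | while read -r client backend bport; do
        [ -n "$client" ] || continue
        mark=$((mark + 1))
        echo "ipchains -I $INPUTCHAIN -p tcp -y -s $client --dport $EXTPORT -m $mark"
        echo "ipmasqadm mfw -I -m $mark -r $backend $bport"
    done
}

# portfw equivalent: the protocol (-P) is mandatory and the key is
# external address + port, so every client reaching $EXTIP:$EXTPORT gets
# the same backend. Only the first table row can be expressed this way.
portfw_rules() {
    printf '%s\n' "$CLIENT_TABLE" | while read -r client backend bport; do
        [ -n "$client" ] || continue
        echo "ipmasqadm portfw -a -P tcp -L $EXTIP $EXTPORT -R $backend $bport"
        break
    done
}

# Count how many distinct backends a rule set can reach: 3 for mfw, 1 for portfw.
backend_count() {
    "$1" | grep -o -- '-[rR] [0-9.]* [0-9]*' | sort -u | grep -c .
}

# Apply (or print) the mfw rule set, then list what the kernel holds so the
# result can be checked against the table.
apply_rules() {
    mfw_rules | while read -r line; do $RUN $line; done
    $RUN ipchains -L "$INPUTCHAIN" -n
    $RUN ipmasqadm mfw -L
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run it as `sh mfw-example.sh apply` to print the commands, or `RUN= sh mfw-example.sh apply` as root on an ipchains kernel to load them; the listing at the end is the check that the marks and redirects match the table.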
> e.g. if we want 3 clients to see different webservers, then all we have to do is use the one address for any client and add the following rules;
>
> ipchains -I $INPUTCHAIN -p tcp -y -s $CLIENTA --dport 80 -m 1
> ipchains -I $INPUTCHAIN -p tcp -y -s $CLIENTB --dport 80 -m 2
> ipchains -I $INPUTCHAIN -p tcp -y -s $CLIENTC --dport 80 -m 3
> ipmasqadm mfw -I -m 1 -r $WEBSERVER1 80
> ipmasqadm mfw -I -m 2 -r $WEBSERVER2 80
> ipmasqadm mfw -I -m 3 -r $WEBSERVER2 8080
Now that's rather creative! I had problems once with access to a web server from particular ISPs, due to the downstream links tending to become very congested. Now I think with this idea, it would be possible to use this to 'bind' clients to a web server address that has the best connectivity to their network. The main servers hosted at Telehouse (the main UK access point) could use this idea to redirect the initial connection onto an IP alias in the backend net, where the Apache virtual host directs the traffic onto a server connected directly within their AS. I'm not sure how manageable it would be in practice for a consumer rather than B2B subscription based site; there are rather a lot of routes these days, so I'd hoped to solve the problem using a module in Apache to time 'benchmark' downloads to allow some dynamic tuning, remembering which servers gave best response in past.

Rob
Robert Davies wrote:
> Now that's rather creative! I had problems once with access to a web server from particular ISPs, due to the downstream links tending to become very congested. Now I think with this idea, it would be possible to use this to 'bind' clients to a web server address that has the best connectivity to
But wouldn't that also need proper routing so the returning traffic goes with the best upstream link?

-- Togan Muftuoglu
participants (3):
- Robert Davies
- Togan Muftuoglu
- William Preston