Re: [tlug] Is having no "iptables" bad?

["Stephen J. Turnbull" <stephen@example.com>]

>>>>> "Dave" == Dave M G <Dave> writes:

    Dave> "It's a waste of your time" certainly seemed contrary.

:-)  I thought he was referring to the implicit "starting from where I
am now."  I don't take a position on that, because I don't know where
you are now.  He later clarifies that he thinks you mean to start from
scratch.  That would be a waste of time, you'd lose all the work
you've done so far.

    Dave> What I've found in xconfig is:
    Dave> Networking | Network packet filtering (replaces ipchains) | Core 
    Dave> Netfilter Configuration | Netfilter Xtables support (required for ip_tables)

    Dave> Under that branch, is a whole list of options, such as:

Erm.  Apparently I've not configured a 2.6.17 kernel yet, because I
haven't a clue about the details here, specifically what all the
options under Xtables are.  But I'll take a hack anyway :-)

    Dave> ... and so on. All told there are 23 options. Do I need them
    Dave> all?

You don't need anything to do with IPv6, DCCP, or SCTP.  These are
experimental protocols that are not much, if at all, used on the
Internet yet, and I doubt they will be in the life of this kernel.

Everything else, I would enable.  Ditto, the sibling of Xtables called
"Layer 3 connection tracking" and everything under it that's not
experimental.  You definitely need "IP: Netfilter configuration".
Under it, you need iptables and all its suboptions.  You probably want
connection tracking; enable the two nonexperimental options at the top
and the FTP protocol at least, maybe IRC if you use that.  The other
protocols you can omit.  You don't need ARP tables.

Why enable so much?  Because you're not going to know whether you need
it.  Instead, firestarter is going to manage that stuff for you.  As
firestarter gets smarter, you may as well have the modules in place so
you can take advantage of it.  (And there's a possibility that
firestarter will only offer the options that you have modules for.)

    Dave> I tried selecting them all, and to compile them as modules,
    Dave> I ran "sudo make modules modules_install". But it returned
    Dave> an error:

    Dave> make: *** No rule to make target `modules'.  Stop.

This is a different problem.  Make sure you're in the right source
directory.  Make sure there's a file called Makefile.

That should get you pretty close.  You might also want to wait on
further advice on exactly which netfilter modules you need.

-- 
School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.