Linux Online - Linux IPCHAINS-HOWTO: Appendix: Differences between ipchains and ipfwadm.
8. Appendix: Differences between ipchains and ipfwadm.
Some of these changes are a result of kernel changes, and some a result
of ipchains being different from ipfwadm.

* Many arguments have been remapped: capitals now indicate a command,
  and lower case now indicates an option.
* Arbitrary chains are supported, so even built-in chains have full
  names instead of flags (e.g. `input' instead of `-I').
* The `-k' option has vanished: use `! -y'.
* The `-b' option actually inserts/appends/deletes two rules, rather
  than a single `bidirectional' rule.
* The `-b' option can be passed to `-C' to do two checks (one in each
  direction).
* The `-x' option to `-l' has been replaced by `-v'.
* Multiple source and destination ports are no longer supported.
  Hopefully being able to negate the port range will somewhat make up
  for that.
* Interfaces can only be specified by name (not address). The old
  semantics got silently changed in the 2.1 kernel series anyway.
* Fragments are examined, not automatically allowed through.
* Explicit accounting chains have been done away with.
* Arbitrary protocols over IP can be tested for.
* The old behavior of SYN and ACK matching (which was previously
  ignored for non-TCP packets) has changed; the SYN option is not valid
  for non-TCP-specific rules.
* Counters are now 64-bit on 32-bit machines, not 32-bit.
* Inverse options are now supported.
* ICMP codes are now supported.
* Wildcard interfaces are now supported.
* TOS manipulations are now sanity-checked: the old kernel code would
  silently stop you from (illegally) manipulating the `Must Be Zero' TOS
  bit; ipchains now returns an error if you try, as well as for other
  illegal cases.
8.1 Quick-Reference table.
[ Mainly, command arguments are UPPER CASE, and option arguments are
lower case ]

Note that masquerading is specified by `-j MASQ'; it is completely
different from `-j ACCEPT', and is not treated as merely a side-effect,
as it is in ipfwadm.
================================================================
| ipfwadm      | ipchains              | Notes
----------------------------------------------------------------
| -A [both]    | -N acct               | Create an `acct' chain
|              |& -I 1 input -j acct   | and have output and input
|              |& -I 1 output -j acct  | packets traverse it.
|              |& acct                 |
----------------------------------------------------------------
| -A in        | input                 | A rule with no target
----------------------------------------------------------------
| -A out       | output                | A rule with no target
----------------------------------------------------------------
| -F           | forward               | Use this as [chain].
----------------------------------------------------------------
| -I           | input                 | Use this as [chain].
----------------------------------------------------------------
| -O           | output                | Use this as [chain].
----------------------------------------------------------------
| -M -l        | -M -L                 |
----------------------------------------------------------------
| -M -s        | -M -S                 |
----------------------------------------------------------------
| -a policy    | -A [chain] -j POLICY  | (but see -r and -m).
----------------------------------------------------------------
| -d policy    | -D [chain] -j POLICY  | (but see -r and -m).
----------------------------------------------------------------
| -i policy    | -I 1 [chain] -j POLICY| (but see -r and -m).
----------------------------------------------------------------
| -l           | -L                    |
----------------------------------------------------------------
| -z           | -Z                    |
----------------------------------------------------------------
| -f           | -F                    |
----------------------------------------------------------------
| -p           | -P                    |
----------------------------------------------------------------
| -c           | -C                    |
----------------------------------------------------------------
| -P           | -p                    |
----------------------------------------------------------------
| -S           | -s                    | Only takes one port or
|              |                       | range, not multiples.
----------------------------------------------------------------
| -D           | -d                    | Only takes one port or
|              |                       | range, not multiples.
----------------------------------------------------------------
| -V           | <none>                | Use -i [name].
----------------------------------------------------------------
| -W           | -i                    |
----------------------------------------------------------------
| -b           | -b                    | Now actually makes 2 rules.
----------------------------------------------------------------
| -e           | -v                    |
----------------------------------------------------------------
| -k           | ! -y                  | Doesn't work unless
|              |                       | -p tcp also specified.
----------------------------------------------------------------
| -m           | -j MASQ               |
----------------------------------------------------------------
| -n           | -n                    |
----------------------------------------------------------------
| -o           | -l                    |
----------------------------------------------------------------
| -r [redirpt] | -j REDIRECT [redirpt] |
----------------------------------------------------------------
| -t           | -t                    |
----------------------------------------------------------------
| -v           | -v                    |
----------------------------------------------------------------
| -x           | -x                    |
----------------------------------------------------------------
| -y           | -y                    | Doesn't work unless
|              |                       | -p tcp also specified.
----------------------------------------------------------------
8.2 Examples of translated ipfwadm commands
Old command: ipfwadm -F -p deny
New command: ipchains -P forward DENY

Old command: ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
New command: ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0

Old command: ipfwadm -I -a accept -V 10.1.2.1 -S 10.0.0.0/8 -D 0.0.0.0/0
New command: ipchains -A input -j ACCEPT -i eth0 -s 10.0.0.0/8 -d 0.0.0.0/0

(Note that there is no equivalent for specifying interfaces by address:
use the interface name. On this machine, 10.1.2.1 corresponds to eth0).
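
The translations above can be mechanised for a subset of the quick-reference table. The Python sketch below is an added example, not part of the HOWTO; the function name `translate` and the `iface_by_addr` mapping are assumptions made here. It raises an error for the cases this appendix says have no direct equivalent (`-V' without a known interface name, multiple ports, `-k'/`-y' without `-p tcp') instead of emitting a rule that might match differently.

```python
import shlex

# Mappings taken from the quick-reference table in section 8.1.
CHAINS = {"-F": "forward", "-I": "input", "-O": "output"}
COMMANDS = {"-a": "-A {c} -j {t}", "-i": "-I 1 {c} -j {t}",
            "-d": "-D {c} -j {t}", "-p": "-P {c} {t}"}
TARGETS = {"accept": "ACCEPT", "deny": "DENY", "m": "MASQ"}
ADDR = {"-S": "-s", "-D": "-d"}
FLAGS = {"-b": "-b", "-e": "-v", "-n": "-n", "-o": "-l", "-y": "-y", "-k": "! -y"}


def translate(old, iface_by_addr=None):
    """Return the ipchains form of one ipfwadm command, or raise ValueError."""
    toks = shlex.split(old)
    if len(toks) < 4 or toks[0] != "ipfwadm" or toks[1] not in CHAINS \
            or toks[2] not in COMMANDS or toks[3] not in TARGETS:
        raise ValueError("not handled by this sketch: " + old)
    chain, target = CHAINS[toks[1]], TARGETS[toks[3]]
    opts, proto, tcp_only, i = [], None, False, 4
    while i < len(toks):
        t, i = toks[i], i + 1
        vals = []                       # operands up to the next option
        while i < len(toks) and not toks[i].startswith("-"):
            vals.append(toks[i])
            i += 1
        if t in ADDR and 1 <= len(vals) <= 2:
            opts += [ADDR[t]] + vals    # address plus at most one port or range
        elif t in ADDR:
            raise ValueError(t + ": needs an address and one port or range at most")
        elif t == "-P" and len(vals) == 1:
            proto = vals[0]
            opts += ["-p", proto]
        elif t == "-W" and len(vals) == 1:
            opts += ["-i", vals[0]]
        elif t == "-V" and len(vals) == 1:
            # No by-address form in ipchains: the caller must name the interface.
            if vals[0] not in (iface_by_addr or {}):
                raise ValueError("-V %s: supply the interface name" % vals[0])
            opts += ["-i", iface_by_addr[vals[0]]]
        elif t == "-m" and not vals:
            target = "MASQ"             # masquerading is a target, not a side effect
        elif t in FLAGS and not vals:
            tcp_only |= t in ("-k", "-y")
            opts.append(FLAGS[t])
        else:
            raise ValueError("unsupported option: " + t)
    if tcp_only and proto != "tcp":
        raise ValueError("-k/-y only work when -p tcp is also specified")
    return " ".join(["ipchains", COMMANDS[toks[2]].format(c=chain, t=target)] + opts)
```

Rules that use `-b' pass through unchanged, but the result should still be reviewed by hand, since ipchains inserts two rules where ipfwadm kept one.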
Maintained by: Webmaster, Linux Online Inc. Last modified: 05-Jul-2000 12:52PM.
Material copyright Linux Documentation Project. Design and compilation
copyright ©1994-2000 Linux Online Inc. All rights reserved.