Dhcpcd and iptables problems (BLFS 6.1)

Darcy Roberts darcy_ro at msn.com
Wed Feb 7 16:43:03 PST 2007



> -----Original Message-----
> From: lfs-support-bounces at linuxfromscratch.org 
> [mailto:lfs-support-bounces at linuxfromscratch.org] On Behalf 
> Of Ken Moffat
> Sent: Wednesday, February 07, 2007 7:17 PM
> To: LFS Support List
> Subject: Re: Dhcpcd and iptables problems (BLFS 6.1)
> 
> 
> On Wed, Feb 07, 2007 at 06:35:52PM -0500, Darcy Roberts wrote:
> > I've solved the running twice issues, thanks.
> > 
> > I'm kinda dense about the kernel support. I think I've turned on the
> > correct options, but there are quite a few sub-options. Iptables still
> > complains loudly. I'm reluctant to turn everything on.
> > 
> > Which items/subitems in
> > 
> > Networking ⇒ Networking Options ⇒ Network Packet Filtering ⇒ Core 
> > Netfilter Configuration (and) IP: Netfilter Configuration
> > 
> > Are actually required to be ON ?
> > 
> 
>  None of them.  I don't use iptables on any of my desktops ;) 
>  You see, that is the wrong question : any function in *your* iptables
> *rules* needs to have the applicable code selected.
> 
>  For my own (limited) rules on my firewall I have iptables 
> all as modules, and I modprobe filter, nat, nat_ftp, 
> MASQUERADE, conntrack, state, LOG, conntrack_ftp, REJECT.  
> That box is still running a 2.4 kernel, possibly the module 
> names have changed in 2.6.  Certainly, I don't take advantage 
> of recent additions to netfilter, and I'm not advertising 
> public services.  I can get out for http and ftp, from any of 
> my machines behind the firewall.  I don't do VOIP or torrent, 
> maybe those need other options.
> 
>  I think you need to work out what you expect the rules to do 
> (let you out, obviously, but are any other machines using 
> this box as a gateway, and what sort of restrictions do you 
> want to apply to incoming).  In my case incoming unrelated 
> are mostly logged and dropped, it's probably only when you 
> need to throttle incoming connections that you need more.  
> Read the help for each of the options, decide what you are 
> going to use, write the rules, then test it to see if it works.
> 
> 
> > Regards,
> > Darcy Roberts
> > 
>  And [ pause for theme-music ] Please don't top post.  Thank you.
> 
> ĸen
> -- 
> the one time as tragedy, the other time as farce
> 

Sorry about the top posting. I can't find the option in Outlook that forces me to use bottom posting.

I've turned on the appropriate modules in the kernel and all appears correct now. One issue is that the style of the options - everyone shows "CONFIG_IP_NF_IPTABLES=y" but this isn't the same text as when using menuconfig. I ended up manually editing .config (bad idea, since ugly dependencies for options now show up).

Anyway, it looks as if I'm going forward. I'm trying to build a small box that only runs a graphical browser and a small web server. Monkey looks like my choice for the server, and maybe links (or probably dillo) for the browser.

The LFS and BLFS process allows me to understand what all the stuff on the box is for...

BTW, how do I limit the size of the kern and sys logs? 

Regards,
Darcy Roberts
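
The point made in the quoted reply, that every table, match and target used in your rules needs its kernel option selected, can be checked against a .config without hand-editing it. The script below is an added example, not part of the original thread: apart from CONFIG_IP_NF_IPTABLES, the symbol names are assumptions modelled on early 2.6 kernels, and the function names and sample files are constructed for illustration.

```shell
# Added example. Symbol names are ASSUMPTIONS modelled on early 2.6 kernels;
# later kernels renamed several of them, so check your own tree's Kconfig.
feature_to_symbol() {   # "table:nat", "match:state", "target:LOG" -> symbol
    case "$1" in
        table:filter)      echo CONFIG_IP_NF_FILTER ;;
        table:nat)         echo CONFIG_IP_NF_NAT ;;
        match:state)       echo CONFIG_IP_NF_MATCH_STATE ;;
        target:LOG)        echo CONFIG_IP_NF_TARGET_LOG ;;
        target:REJECT)     echo CONFIG_IP_NF_TARGET_REJECT ;;
        target:MASQUERADE) echo CONFIG_IP_NF_TARGET_MASQUERADE ;;
        target:ACCEPT|target:DROP|target:RETURN) ;;  # built-in verdicts
        *)                 echo "UNKNOWN($1)" ;;     # extend the table above
    esac
}
rule_features() {       # iptables-save text on stdin -> one feature per line
    awk '/^\*/ { print "table:" substr($1, 2); next }
         /^-A/ { for (i = 1; i < NF; i++) {
                     if ($i == "-m") print "match:" $(i + 1)
                     if ($i == "-j") print "target:" $(i + 1) } }' | sort -u
}
missing_options() {     # usage: missing_options RULES_FILE KERNEL_CONFIG
    { echo CONFIG_IP_NF_IPTABLES   # the option named in the thread
      rule_features < "$1" | while read -r f; do feature_to_symbol "$f"; done
    } | sort -u | while read -r sym; do
        # needed symbol counts as present when built in (=y) or modular (=m)
        grep -Fxq -e "$sym=y" -e "$sym=m" "$2" || echo "$sym"
    done
}
demo() {                # constructed sample ruleset and .config fragment
    d=$(mktemp -d)
    cat > "$d/rules" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "dropped: "
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
    cat > "$d/config" <<'EOF'
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_MATCH_STATE=m
# CONFIG_IP_NF_TARGET_LOG is not set
EOF
    missing_options "$d/rules" "$d/config"
    rm -rf "$d"
}
demo   # prints the two options the sample config lacks
```

Any feature reported as `UNKNOWN(...)` (a user-defined chain, or a match not in the table) needs a manual look at the option help in menuconfig.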
