Firewall

Jeff Raber jeff.raber at gmail.com
Mon Dec 13 19:13:18 UTC 2010


On 12/09/2010 09:00 PM, Curtis Doty wrote:
> Why must stateful connection tracking be imposed on every Fedora user?
>
> Don't get me wrong. I use netfilter all the time and love it. And it's 
> good to install the userland iptables tools and a simple firewall by 
> default. But when I'd like to choose Fedora without it (asymmetric 
> routing anyone?), I now have to rebuild the kernel. [harumph!]
>
> Was there ever a good reason for making the filter table and conntrack 
> modules monolithic? They certainly didn't used to be built in...
>
> ../C
Seems like there should be an easy way to 'opt-out' of connection 
tracking.  Have you tried anything like 'iptables -t raw -I PREROUTING 
-j NOTRACK' ?

The iptables man-page says this about the 'raw' table:
"This table is used mainly for configuring exemptions from connection 
tracking in combination with the NOTRACK target. It registers at the 
netfilter hooks with higher priority and is thus called before 
ip_conntrack, or any other IP tables. It provides the following 
built-in chains: PREROUTING (for packets arriving via any network 
interface) OUTPUT (for packets generated by local processes)"

Cheers.
-Jeff
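The raw-table exemption Jeff suggests, written out as an added example that is not part of the original thread (the interface name eth1, the chain layout and the sample iptables-save dumps are all assumptions). It also covers the caveat the thread leaves implicit: packets skipped by NOTRACK never reach state ESTABLISHED or RELATED, so a filter policy that relies on `--ctstate RELATED,ESTABLISHED` will drop their replies unless state UNTRACKED is accepted explicitly. The `audit_dump` function checks an iptables-save dump for exactly that mismatch.

```shell
#!/bin/sh
# Added example: opt one interface out of connection tracking via the raw
# table, and keep the filter table consistent with that choice.
# IFACE (default eth1) and the sample dumps below are constructed assumptions.

# Rules that exempt traffic on interface $1 from conntrack.
# Both hooks are needed: PREROUTING for packets arriving on the interface,
# OUTPUT for locally generated packets leaving through it.
# (Newer iptables spells the same thing as '-j CT --notrack'.)
notrack_rules() {
    iface="$1"
    printf '%s\n' \
        "iptables -t raw -I PREROUTING -i $iface -j NOTRACK" \
        "iptables -t raw -I OUTPUT -o $iface -j NOTRACK"
}

# Untracked packets never match RELATED,ESTABLISHED, so a default-DROP
# stateful policy would discard them. Accept state UNTRACKED explicitly.
accept_untracked_rules() {
    iface="$1"
    printf '%s\n' \
        "iptables -I INPUT -i $iface -m conntrack --ctstate UNTRACKED -j ACCEPT" \
        "iptables -I FORWARD -i $iface -m conntrack --ctstate UNTRACKED -j ACCEPT"
}

# Audit an iptables-save dump read from stdin. Returns 1 (and warns) when
# raw-table NOTRACK rules exist but nothing in the filter table accepts
# UNTRACKED packets; returns 0 when the configuration is consistent.
audit_dump() {
    dump=$(cat)
    notrack=$(printf '%s\n' "$dump" | grep -c -- '-j NOTRACK' || true)
    untracked=$(printf '%s\n' "$dump" | grep -c -- '--ctstate UNTRACKED' || true)
    if [ "$notrack" -gt 0 ] && [ "$untracked" -eq 0 ]; then
        echo "WARN: $notrack NOTRACK rule(s) but no UNTRACKED accept rule" >&2
        return 1
    fi
    return 0
}

# Constructed sample: NOTRACK in place, but the filter policy is still
# purely stateful, so exempted flows are dropped on reply.
SAMPLE_BROKEN='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -j NOTRACK
-A OUTPUT -o eth1 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample: same, plus an explicit UNTRACKED accept rule.
SAMPLE_FIXED="$SAMPLE_BROKEN
-A INPUT -i eth1 -m conntrack --ctstate UNTRACKED -j ACCEPT"

IFACE="${IFACE:-eth1}"
# Print the rule set for review; set APPLY=1 to actually load it (root only).
notrack_rules "$IFACE"
accept_untracked_rules "$IFACE"
if [ "${APPLY:-0}" = 1 ]; then
    { notrack_rules "$IFACE"; accept_untracked_rules "$IFACE"; } | sh
fi
```

To check a live box rather than the constructed samples, feed `iptables-save | audit_dump` into the function; a non-zero return means the raw-table exemption exists but the filter table has not been told about it.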
