Re: CONFIG_NETFILTER_ADVANCED

On Nov 18 2007 03:19, Patrick McHardy wrote:
>> 
>> SUSE:
>> 
>> DNAT LOG MARK MASQUERADE REDIRECT REJECT TCPMSS esp
>> icmp icmpv6 limit pkttype policy
>> state tcp udp
>
> Thanks. Any RH/Fedora users?
>
>> But - surprise, surprise - it allows to load a file of custom rules,
>> so that basically means {ipt,ip6t,xt}_*, aka allmodconfig, like I said!
>> :)
>
> Well, the point of the advanced option is to handle *advanced*
> cases, so we don't need to cover manual adjustments (including
> things like shorewall which are usually installed manually).

Well even in "manual installations", I prefer to compile one kernel for all
hosts of the same arch I am ever going to work with, because it takes its time,
and time is precious when the number of hosts grows towards +Infinity.

> The
> default cases for people not having touched their *firewall*
> configuration is enough. I wasn't able to find the SuSE-script,

Unpack
http://download.opensuse.org/distribution/SL-OSS-factory/inst-source/suse/src/SuSEfirewall2-3.6_SVNr183-15.src.rpm
look into sbin/SuSEfirewall2.

> but from a screenshot I could see that they do optionally handle
> IPsec. So what I'm saying is that we should include f.i. the policy
> match,

...which I listed above...

> and all other modules needed without manually attending
> to the firewall, but nothing more.
>
> IOW, it's for people like Linus, presumably not touching their
> default configuration, but unwilling to go through the 50+
> options to decide themselves.
>
> For people who want to compile-test them all (like me), we
> still can have a CONFIG_NETFILTER_ALL option hidden under
> CONFIG_NETFILTER_ADVANCED for simplicity, but that is a
> different topic.
>
For compile-testing, allmodconfig is sufficient IMO.