On Tue 08/04/2003 at 12:43, Robert P. J. Day wrote:
> > Yes. If you select "IP tables support" but no further options within
> > that set, you can still perform filtering. For example, you could still
> > ACCEPT or DROP based on source or destination IP.
>
> i don't think so, tim. if you look down that list of options,
> past all the "match" options, you'll see "Packet filtering",
> whose help screen claims that it defines the "filter" table.

You're right. This option defines whether you want the filter table (or not).

> without that filter table, i would have assumed that you can't
> do *any* filtering of any kind, since the filter table wouldn't
> even exist.

You should not be able to do this. In practice, you can still ACCEPT or DROP in the nat and mangle tables, but they're not intended for that, and this should not be done.

> i get the feeling that, if you select only "IP tables support"
> and nothing else, you might be able to set up ACCEPT or DROP
> policies on the three chains, and that's about it.

IP tables support is the support of tables (nat, mangle and filter at the time) for the IPv4 protocol. Under this option, you can see all the matches that are available for all the tables, then the 3 tables and their specific targets, and at the end of the section, targets that are usable within all tables (well, it should be the case, but it's not, as the TTL target is only valid for the mangle table, as an example).

Without table support, you can't do anything, as nothing will be attached to Netfilter's hooks, unless conntrack is selected.

This is how I understand things, I may be wrong...

--
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE