help with firewall rules .. ipfilter<-->iptables

[playahater]

I have Efficient Networks 5861 DSL Router with, as far as i know, IP Filter. I say "as far as i know" cuz i have read the iptables and ipfilter howto`s and the syntax doesn`t match to neither of them. I`m trying to configure only the firewall on that router and protect 3 computers in lan connected to it .. i have gentoo on all machines in lan and my plan is not to setup any fw on them since the router has ipfilter.
I want as little as possible trafick in and out. Beside standard/basic ports, I need P2P, chat, ssh, nfs, samba, but nfs and samba only in lan.
I found a little fw script which ipfilter uses as default one and i have changed it to suite my needs.
Now .. i`m not sure if I did it right, so PLEASE, if anyone knows how to setup this or has any idea help .. cuz this editing is pure logic ..
if there is any "faster"/"better" way for this script to function .. please share ..

[playahater]

no idea .. thought .. advice ??
_________________
http://droopia.net

[srm]

DISREGARD:

[playahater]

well .. the problem is that i`m still a heavy newbie concerning iptable/ipfilter configuration ..

[xante]

For anyone using iptables, Id suggest shoreline firewall or shorewall for short, it takes some time to get used to, but the options it provides are very useful.

[playahater]

[srm]

to get a general understanding of how iptables work, and so you might derive commands used by your router-language
check

http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html

Translations available.

[playahater]

[srm]

sry bout the session

http://kb.efficient.com


what about this one?

remote ipfilter append input accept -p tcp internet
remote ipfilter append output accept -p tcp internet

that will make your following tcp rules obsolete i think
???
_________________
I'm no longer angry,for having to truncate my sig because it got to long with the following reminder:
Please check unanswered posts
co chaoid sounds

[playahater]

[pteppic]

I've noticed that iptables ( I assume that is what these scripts link to eventually) can have problems with drop as the default policy, set it to accept all and put a drop all rule after all the accept rules.

[srm]

I would never advice to set ACCEPT as default rule!!!!

After checking the man, i would suggest the following:

FLUSH
create Accept rules
DROP ALL (all protos)

I believe, thats also better than

FLUSH
DROP ALL
ALLOW SPECIFIC
DROP ALL
(how comes that there are still packets to be processed by allow when there is a DROP ALL in the beginning? as you could see, that makes no sense and will block your connection completely)

[playahater]

Well .. first of all .. 10x to all of you ..
I have been trying to setup this thing and in the end i got to two solutions:

1.
FLUSH
create Accept rules
DROP ALL (all protos)

srm has suggested this .. but .. i tried this solution and it is great .. but some things doesn`t work and that`s not so big problem .. i`ll fill the holles in the run .. and that`s the best solution ..

in the mean time i`ll use the second solution

2.
FLUSH
create Accept rules
Accept all outgoing
DROP ALL (all protos)

that way .. my ports are not opened for someone behind the router, but i can use whatever I want ( example why irc worked ) ..

as i said .. i will finish the first solution and make it default cuz that`s just the best solution ..

here`s current script