Firewall Wizards mailing list archives

IPChains SPF (was Re: Compare Firewalls)


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Mon, 6 Sep 1999 21:38:25 -0700

At least a couple of people have mailed me to correct my claim about
IP Chains being a Stateful Packet Filter (as opposed to a non-stateful
packet filter.)

IP Chains by itself, out of the box, is not stateful.  It makes all decisions
based on the current packet.  It even needs the kernel to defrag for it, though
it can make some simple decisions about fragments.

If you include IP Masquerade as a companion to IP Chains, that DOES add
stateful capabilities, but only for the NAT portion.

For folks who are interested in real stateful capabilities in IP Chains, check
out this section of the HOWTO:

http://www.rustcorp.com/linux/ipchains/HOWTO-5.html#ss5.8

Here's an excerpt:

"There is a userspace library I have written which is included with the source
distribution called `libfw'. It uses the ability of IP Chains 1.3 and above to
copy a packet to userspace (using the IP_FIREWALL_NETLINK config option).

The mark value can be used to specify the Quality of Service parameters for
packets, or to specify how packets should be port-forwarded. I've never used
either, but if you want to write about it, please contact me.

Things such as stateful inspection (I prefer the term dynamic firewalling) can
be implemented in userspace using this library. Other nifty ideas include
controlling packets on a per-user basis by doing a lookup in a userspace daemon.
This should be pretty easy."

It then gives a link to a site with such a userspace project.

                         Ryan
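To illustrate the distinction the post draws, here is an added simulation (not ipchains or libfw code, and not part of the original message): a per-packet filter that keeps no memory, next to the kind of userspace connection tracker the quoted HOWTO calls "dynamic firewalling". The Packet record, the 10.0.0.x inside network and the sample traffic are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed packet record: the fields a per-packet filter gets to see.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # TCP SYN flag set
    ack: bool  # TCP ACK flag set

def stateless_decide(pkt, inside_net="10.0.0."):
    """Filter with no memory, deciding on the current packet only (the behaviour
    the post attributes to plain ipchains). Inbound segments that are not a bare
    SYN are assumed to be replies, since nothing records whether a connection
    actually exists (ipchains expressed this approximation with its -y match)."""
    if pkt.src.startswith(inside_net):
        return "ACCEPT"
    if pkt.syn and not pkt.ack:  # new inbound connection attempt
        return "DENY"
    return "ACCEPT"  # cannot tell a real reply from an unsolicited ACK

class DynamicFirewall:
    """Userspace tracker in the spirit of the HOWTO excerpt: remember connections
    an inside host opened and admit inbound segments only if they belong to one."""
    def __init__(self, inside_net="10.0.0."):
        self.inside_net = inside_net
        self.conns = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt):
        if pkt.src.startswith(self.inside_net):
            if pkt.syn and not pkt.ack:  # outbound SYN opens a tracked connection
                self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if key in self.conns else "DENY"

def demo():
    """Run constructed traffic through both filters; returns name -> (stateless, dynamic)."""
    fw = DynamicFirewall()
    outbound = Packet("10.0.0.5", "192.0.2.10", 40000, 80, syn=True, ack=False)
    reply = Packet("192.0.2.10", "10.0.0.5", 80, 40000, syn=True, ack=True)
    stray = Packet("198.51.100.7", "10.0.0.5", 1234, 22, syn=False, ack=True)
    results = {}
    for name, pkt in [("outbound", outbound), ("reply", reply), ("stray", stray)]:
        results[name] = (stateless_decide(pkt), fw.decide(pkt))
    return results
```

Both filters pass the outbound request and its SYN-ACK reply, but only the tracker denies the unsolicited inbound ACK, because it knows no inside host opened that connection.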




