Firewall Wizards mailing list archives
IPChains SPF (was Re: COmpare Firewalls)
From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Mon, 6 Sep 1999 21:38:25 -0700
At least a couple of people have mailed me to correct my claim about IP Chains being a Stateful Packet Filter (as opposed to a non-stateful packet filter). IP Chains by itself, out of the box, is not stateful. It makes all decisions based on the current packet. It even needs the kernel to defrag for it, though it can make some simple decisions about fragments. If you include IP Masquerade as a companion to IP Chains, that DOES add stateful capabilities, but only for the NAT portion.

For folks who are interested in real stateful capabilities in IP Chains, check out this section of the HOWTO: http://www.rustcorp.com/linux/ipchains/HOWTO-5.html#ss5.8

Here's an excerpt:

"There is a userspace library I have written which is included with the source distribution called `libfw'. It uses the ability of IP Chains 1.3 and above to copy a packet to userspace (using the IP_FIREWALL_NETLINK config option). The mark value can be used to specify the Quality of Service parameters for packets, or to specify how packets should be port-forwarded. I've never used either, but if you want to write about it, please contact me. Things such as stateful inspection (I prefer the term dynamic firewalling) can be implemented in userspace using this library. Other nifty ideas include controlling packets on a per-user basis by doing a lookup in a userspace daemon. This should be pretty easy."

It then gives a link to a site with such a userspace project.

Ryan
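The practical consequence of "all decisions based on the current packet" is easiest to see side by side with a filter that keeps state. The following is an added illustration, not code from the post, from IP Chains or from libfw: it models a common stateless ipchains idiom for admitting return traffic (an input rule of the form `-p tcp ! -y -j ACCEPT`, accepting any TCP packet whose SYN flag is not set alone) next to a toy connection table of the kind a userspace dynamic firewall could keep. The rule set, the 10.0.0.0/8 "inside" network and the packet stream are all assumptions constructed for the example. The point it shows is that the stateless rule admits an unsolicited ACK probe to port 22, while the connection table rejects it.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet model: addresses, ports and the two flags that
    matter for the ipchains `-y` test (SYN set, ACK clear)."""
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool

    @property
    def syn_only(self) -> bool:
        # ipchains `-y` matches SYN set with ACK and FIN clear; FIN is
        # left out of this simplified model.
        return self.syn and not self.ack


def is_inside(addr: str) -> bool:
    # Assumption for the example: the protected network is 10.0.0.0/8.
    return addr.startswith("10.")


def stateless_decision(pkt: Packet) -> str:
    """Decide from the current packet alone, as ipchains does.

    Assumed rule set (constructed for this example, not from the post):
      output chain: accept everything originating inside
      input chain:  -p tcp -y --dport 80 -j ACCEPT   (public web server)
                    -p tcp ! -y         -j ACCEPT   (meant as 'return traffic')
                    default             DENY
    """
    if is_inside(pkt.src):
        return "ACCEPT"
    if pkt.syn_only and pkt.dport == 80:
        return "ACCEPT"
    if not pkt.syn_only:
        return "ACCEPT"   # any non-SYN packet, solicited or not
    return "DENY"


class StatefulFilter:
    """Toy connection table: inbound packets are accepted only if they
    belong to a flow seen going out, or open the one published service."""

    def __init__(self) -> None:
        self.conns = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def decision(self, pkt: Packet) -> str:
        if is_inside(pkt.src):
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn_only and pkt.dport == 80:
            self.conns.add(key)
            return "ACCEPT"
        if key in self.conns:
            return "ACCEPT"
        return "DENY"


# Constructed packet stream for the example (not captured traffic).
STREAM = [
    Packet("10.1.1.5", "203.0.113.9", 40000, 443, syn=True, ack=False),   # outbound SYN
    Packet("203.0.113.9", "10.1.1.5", 443, 40000, syn=True, ack=True),    # legitimate SYN/ACK reply
    Packet("203.0.113.66", "10.1.1.5", 5555, 22, syn=False, ack=True),    # unsolicited ACK probe
    Packet("203.0.113.66", "10.1.1.5", 5556, 22, syn=True, ack=False),    # SYN to ssh
    Packet("203.0.113.77", "10.1.1.5", 6000, 80, syn=True, ack=False),    # SYN to web server
]


def run(stream: List[Packet]) -> List[Tuple[str, str]]:
    """Return (stateless verdict, stateful verdict) for each packet."""
    sf = StatefulFilter()
    return [(stateless_decision(p), sf.decision(p)) for p in stream]


if __name__ == "__main__":
    for pkt, (s1, s2) in zip(STREAM, run(STREAM)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"syn={pkt.syn} ack={pkt.ack}  stateless={s1} stateful={s2}")
```

Running it, both filters agree on the outbound SYN, its SYN/ACK reply, the SYN to port 22 and the SYN to port 80; they differ only on the third packet, the bare ACK to port 22, which the `! -y` rule accepts and the connection table denies. That gap is what the post means by IP Chains not being stateful, and it is the gap a netlink-fed userspace daemon such as libfw is meant to close.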
Current thread:
- IPChains SPF (was Re: COmpare Firewalls) Ryan Russell (Sep 07)