Stateful filtering is about much more than just maintaining a state table
for the TCP/IP level (which is what NAT and masquerading do). The masq
modules that allow higher-level protocols to operate in masqueraded mode
(like FTP and RealAudio, etc.) are only concerned with *allowing* those
protocols. They are not at all in the business of denying or
intelligently filtering those protocols. Here is at least one test of
whether you have a stateful filtering system or not:

Can you say "allow ftp" but not have to open up all ports 1024-65535 to
allow ftp to work? Stateful filtering will allow you to do this by only
opening up a high port for a given FTP session by looking at the FTP
protocol requests. Linux masquerading and NAT won't help you here.

Additionally, ipfilter only appears to work on Linux 2.0.3x kernels and
has not been ported to newer kernels. You'd be better off using a BSD
*NIX where ipfilter is natively supported (and networking performance is
better--flamesuit is on: read the MindCraft benchmark results).

-Jason
On Mon, 10 Jan 2000, Aaron C. Springer wrote:
> Date: Mon, 10 Jan 2000 09:31:58 -0800 (PST)
> From: "Aaron C. Springer" <[EMAIL PROTECTED]>
> To: Helmut Springer <[EMAIL PROTECTED]>
> Cc: firewalls <[EMAIL PROTECTED]>
> Subject: Re: linux Masq == stateful filtering ? ( NEWBIE )
>
> Just use ipfilter
>
> acs
>
> On 10-Jan-00 Helmut Springer wrote:
> >> But the NAT makes the IPChains in Linux stateful, since it knows how
> >> to handle fragmentation, window and syn/ack tracking.
> >
> > yup, it does feel like a kludge though to add a state machine by adding
> > a masquerading (many2one NAT) stage 8-/
> >
> > --
> > MfG/best regards, helmut springer
> > [EMAIL PROTECTED]
> >
> > "Freedom's just another word for nothing left to lose"
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>
>
> _______________________
> Aaron C. Springer
> [EMAIL PROTECTED]
> pgp key published
> _______________________
>
AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
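As an added illustration of the distinction Jason draws above (example code written for this page, not code from the thread, and not how ipchains or ipfilter are implemented), the Python below models the two approaches side by side: a static rule set that has to open ports 1024-65535 inbound so that active-mode FTP data connections can come back in, and a connection tracker that reads the PORT command on the FTP control channel and admits only the single data connection the client announced. All addresses, ports and the FTP exchange are constructed sample data.

```python
"""Toy packet filter: "allow ftp" with a static rule set vs. with state.

Added illustration only (not code from the thread). Hosts, ports and the
FTP exchange are constructed sample data.
"""
import re
from dataclasses import dataclass

# Active-mode FTP: the client tells the server where to connect back.
# "PORT h1,h2,h3,h4,p1,p2" encodes address h1.h2.h3.h4 and port p1*256+p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
FTP_CTRL, FTP_DATA = 21, 20


def decode_port_command(line):
    """Return (host, port) announced by a PORT command, or None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # first packet of a new TCP connection
    payload: str = ""   # application data carried, if any


class StaticFilter:
    """The approach the post warns against: to let active FTP work, every
    inbound connection to ports 1024-65535 on an inside host is allowed."""

    def __init__(self, inside):
        self.inside = set(inside)

    def allow(self, pkt):
        if pkt.src in self.inside:
            return True                     # anything outbound is allowed
        return pkt.dst in self.inside and 1024 <= pkt.dport <= 65535


class StatefulFilter:
    """Tracks connections and reads the FTP control channel so that only the
    one data connection announced by the client is allowed back in."""

    def __init__(self, inside):
        self.inside = set(inside)
        self.connections = set()   # established 4-tuples (src, sport, dst, dport)
        self.expected = set()      # data connections announced via PORT

    def allow(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections or reverse in self.connections:
            self._inspect_ftp(pkt)          # packet belongs to a known connection
            return True
        if not pkt.syn:
            return False                    # mid-stream packet with no state: drop
        if pkt.src in self.inside:
            self.connections.add(key)       # new outbound connection
            return True
        if key in self.expected:            # inbound, but announced on the control channel
            self.expected.discard(key)      # one-shot: the expectation is consumed
            self.connections.add(key)
            return True
        return False                        # every other inbound connection


    def _inspect_ftp(self, pkt):
        # Only client -> server traffic on the control port is parsed.
        if pkt.dport != FTP_CTRL or pkt.src not in self.inside or not pkt.payload:
            return
        announced = decode_port_command(pkt.payload)
        if announced is None:
            return
        host, port = announced
        # Only create state for the client's own address and a high port, so the
        # control channel cannot be used to open ports on some other host.
        if host == pkt.src and port >= 1024:
            self.expected.add((pkt.dst, FTP_DATA, host, port))


def run_scenario(filt):
    """One active-mode FTP session plus two unrelated inbound attempts."""
    client, server, other = "10.0.0.5", "198.51.100.7", "203.0.113.9"  # constructed
    d = {}
    d["control_syn"] = filt.allow(Packet(client, 40000, server, FTP_CTRL, syn=True))
    # PORT 10,0,0,5,156,65 announces 10.0.0.5:40001 (156*256 + 65)
    d["port_cmd"] = filt.allow(Packet(client, 40000, server, FTP_CTRL,
                                      payload="PORT 10,0,0,5,156,65\r\n"))
    d["ftp_data"] = filt.allow(Packet(server, FTP_DATA, client, 40001, syn=True))
    d["other_host_high_port"] = filt.allow(Packet(other, 5555, client, 6000, syn=True))
    d["server_wrong_port"] = filt.allow(Packet(server, FTP_DATA, client, 40002, syn=True))
    return d


if __name__ == "__main__":
    print("static  ", run_scenario(StaticFilter(["10.0.0.5"])))
    print("stateful", run_scenario(StatefulFilter(["10.0.0.5"])))
```

The static filter returns True for all five packets, including the two that have nothing to do with the FTP session; the stateful filter admits the control channel, the PORT command and the one announced data connection, and refuses the inbound attempt to an unrelated high port as well as the same server connecting to a port the client never announced. The check that the announced address equals the client's own address is what keeps the control channel from being used to create state for a third host.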