>> Yes, yes it is. The reason is simple: a Linux firewall
>> (ipfwadm/ipchains) does exactly that. It firewalls. Nothing more.
>> Which follows the whole Linux/Unix philosophy -- do one thing, and do
>> it well.
>
> There is the issue of masquerading/NAT. For example, I'll use OpenBSD in
> this case, since I know it a bit better. When using NAT (masquerading
> under a different name), one has the option of redirecting to
> a program, such as Squid (caching); I know Linux has similar options.
> Squid, in turn, checks for any web pages (non-dated) cached, finding it,
> sends it to the one that requested it, otherwise it does the request from
> the internet itself. This can be, and generally is preferred to be,
> completely transparent to the subnet behind Squid/NAT. But it also allows
> a slew of other options, particularly with respect to protocol checking
> and filtering.
>
> (The trick is to figure out the precedence, particularly with respect to
> NAT/filter rules; which happens first? But that's a whole different topic
> altogether.)
>
> Alas, I'm sure that's not what you need to hear about, but it is useful to
> know (in my humble opinion).
>
>> > For Linux platforms, are there only packet filter firewalls? Or are there
>> > proxy and stateful ones?
>>
>> Think about this... you said that Checkpoint has released Firewall-1
>> for Linux. Is it a packet filtering firewall? Or a proxy firewall?
>> Or is it both? (which I believe it is)
>
> CP FW-1 is both. :-) I don't know if it has been released under Linux,
> but it works under Solaris, and as such it'll most likely port to Linux
> quite well.
>
> Ipchains is a packet filter, and has no higher protocol recognition than
> TCP/IP, UDP, and ICMP, as far as I know. Which is where things like Squid
> come in, acting as a caching proxy.

<reference to your first point> Yes, I agree. But I will still state
that ipfwadm/ipchains/ipfw/ipfilter/whatever is firewalling. And it
doesn't do anything else, really. It bends the focus a bit by
redirecting to a program, but all it does is redirect packets. It
doesn't actually do any of the caching itself.
>> As for the stateful packet filtering, I've always not understood that.
>> So long as you can specify IP flags within your filtering rules, it is
>> technically a stateful firewall. You just need to specify the SYN and
>> FIN flags.
>
> Not quite true about the SYN/FIN flags, although they are an (the)
> indication of packet state, the 'keep state' also keeps track of the order
> of the packets, and packets that are (reasonably) out of order are bounced
> (note, however, that some duplicated packets tend to make it through on
> buggy connections, with some NATs).

Thanks. I thought there'd be more to it than flags.
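The flag-versus-state distinction argued above, as an added illustration that is not code from this thread or from any of the firewalls it names: a toy flag-only rule ("allow inbound unless it is a bare SYN") is run side by side with a minimal "keep state" filter that only admits inbound packets matching a connection the inside host opened, and that checks each segment's sequence number against the expected window. The subnet, addresses, ports and packet trace are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int
    payload_len: int = 0


def is_inside(ip: str) -> bool:
    """Hypothetical protected subnet 10.0.0.0/24 (constructed for this example)."""
    return ip.startswith("10.0.0.")


def flag_only_filter(pkt: Packet) -> str:
    """Stateless rule set: anything outbound is allowed; inbound is allowed
    unless it is a bare SYN. This is the 'state from flags' position."""
    if is_inside(pkt.src):
        return "ACCEPT"
    if pkt.flags == frozenset({"SYN"}):
        return "DROP"
    return "ACCEPT"


class StatefulFilter:
    """Minimal 'keep state' filter: only inside hosts may open connections, and
    an inbound packet must match a tracked connection and fall inside the
    expected sequence window, so stray or badly out-of-order segments are dropped."""

    def __init__(self, window: int = 65535):
        self.conns = {}        # (in_ip, in_port, out_ip, out_port) -> state dict
        self.window = window

    @staticmethod
    def _key(pkt: Packet, outbound: bool):
        # Normalise both directions onto the same (inside, outside) 4-tuple.
        return ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
                else (pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def filter(self, pkt: Packet) -> str:
        outbound = is_inside(pkt.src)
        side = "out" if outbound else "in"
        key = self._key(pkt, outbound)
        conn = self.conns.get(key)

        if conn is None:
            # Only a bare SYN from the inside creates state; anything else is unsolicited.
            if outbound and pkt.flags == frozenset({"SYN"}):
                self.conns[key] = {"state": "SYN_SENT", "next": {"out": pkt.seq + 1}}
                return "ACCEPT"
            return "DROP"

        if "RST" in pkt.flags:
            del self.conns[key]
            return "ACCEPT"

        if conn["state"] == "SYN_SENT":
            # The only acceptable next step is the peer's SYN/ACK.
            if not outbound and pkt.flags == frozenset({"SYN", "ACK"}):
                conn["state"] = "ESTABLISHED"
                conn["next"]["in"] = pkt.seq + 1
                return "ACCEPT"
            return "DROP"

        # ESTABLISHED: the segment must start where this side's data left off,
        # within the window; this is what "keeping track of the order" adds over flags.
        expected = conn["next"].get(side)
        if expected is not None and not (expected <= pkt.seq < expected + self.window):
            return "DROP"
        conn["next"][side] = pkt.seq + pkt.payload_len + (1 if "FIN" in pkt.flags else 0)
        if "FIN" in pkt.flags:
            conn.setdefault("fins", set()).add(side)
            if conn["fins"] == {"out", "in"}:
                del self.conns[key]
        return "ACCEPT"


def run_scenario():
    """Constructed packet trace: a normal outbound web fetch, plus two packets
    that the flag-only rule lets through but the state-tracking filter rejects."""
    client, server, stray = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    F = frozenset
    trace = [
        Packet(client, 40000, server, 80, F({"SYN"}), 1000),
        Packet(server, 80, client, 40000, F({"SYN", "ACK"}), 5000),
        Packet(client, 40000, server, 80, F({"ACK"}), 1001),
        Packet(server, 80, client, 40000, F({"ACK"}), 5001, 100),
        Packet(stray, 1234, client, 22, F({"ACK"}), 9),              # no handshake behind it
        Packet(server, 80, client, 40000, F({"ACK"}), 105101, 100),  # far outside the window
        Packet(server, 80, client, 40000, F({"FIN", "ACK"}), 5101),
    ]
    stateful = StatefulFilter()
    return [(flag_only_filter(p), stateful.filter(p)) for p in trace]


if __name__ == "__main__":
    for i, (flag_verdict, state_verdict) in enumerate(run_scenario(), 1):
        print(f"packet {i}: flag-only={flag_verdict:6} stateful={state_verdict}")
```

Packets 5 and 6 are the interesting ones: a lone ACK aimed at an inside port with no connection behind it, and an in-connection segment whose sequence number is nowhere near what was last seen, both pass the flag check and both are bounced by the connection table. A real tracker is more forgiving about retransmissions and window scaling than this toy, which is exactly the "duplicated packets on buggy connections" corner mentioned in the thread.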
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]