agreed
BSD is indeed much faster...
http://www.anzen.com/research/research_perform.html
acs
On 10-Jan-00 Jason Axley wrote:
> Stateful filtering is about much more than just maintaining a state table
> for the TCP/IP level (which is what NAT and masquerading do). The masq
> modules that allow higher-level protocols to operate in masqueraded mode
> (like FTP and RealAudio, etc.) are only concerned with *allowing* those
> protocols. They are not at all in the business of denying or
> intelligently filtering those protocols. Here is at least one test of
> whether you have a stateful filtering system or not:
>
> Can you say "allow ftp" but not have to open up all ports 1024-65535 to
> allow ftp to work? Stateful filtering will allow you to do this by only
> opening up a high port for a given FTP session by looking at the FTP
> protocol requests. Linux masquerading and NAT won't help you here.
>
> Additionally, ipfilter only appears to work on linux 2.0.3x kernels and
> has not been ported to newer kernels. You'd be better off using a BSD
> *NIX where ipfilter is natively supported (and networking performance is
> better--flamesuit is on: read the MindCraft benchmark results).
>
> -Jason
>
> On Mon, 10 Jan 2000, Aaron C. Springer wrote:
>
>> Date: Mon, 10 Jan 2000 09:31:58 -0800 (PST)
>> From: "Aaron C. Springer" <[EMAIL PROTECTED]>
>> To: Helmut Springer <[EMAIL PROTECTED]>
>> Cc: firewalls <[EMAIL PROTECTED]>
>> Subject: Re: linux Masq == stateful filtering ? ( NEWBIE )
>>
>> Just use ipfilter
>>
>> acs
>>
>> On 10-Jan-00 Helmut Springer wrote:
>> >> But the NAT makes the IPChains in Linux stateful, since it knows how
>> >> to handle fragmentation, window and syn/ack tracking.
>> >
>> > yup, it does feel like a kludge though to add a state machine by adding
>> > a masquerading (many2one NAT) stage 8-/
>> >
>> > --
>> > MfG/best regards, helmut springer
>> > [EMAIL PROTECTED]
>> >
>> > "Freedom's just another word for nothing left to lose"
>> > -
>> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
>> > "unsubscribe firewalls" in the body of the message.]
>>
>>
>> _______________________
>> Aaron C. Springer
>> [EMAIL PROTECTED]
>> pgp key published
>> _______________________
>>
>
>
> AT&T Wireless Services
> IT Security
> UNIX Security Operations Specialist
_______________________
Aaron C. Springer
[EMAIL PROTECTED]
pgp key published
_______________________
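The "allow ftp" test from Jason Axley's message, as an added example that is not part of the original thread and is not ipfilter's code: a filter that reads the FTP control channel and opens one pinhole per negotiated data connection, so ports 1024-65535 never need a static allow rule. The class and function names and the documentation-range addresses are assumptions made for illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 field used by PORT and by the 227 passive-mode reply (RFC 959)
_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

def parse_hostport(text):
    """Return (ip, port) from an FTP host-port field, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class FtpTracker:
    """State for one FTP control connection and the data pinholes it negotiates."""

    def __init__(self, client_ip, server_ip):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.expected = set()  # (src_ip, dst_ip, dst_port), each usable once

    def control_line(self, from_client, line):
        """Inspect one control-channel line and record any negotiated data port."""
        if from_client and line.upper().startswith("PORT "):
            hp = parse_hostport(line[5:])
            # Active mode: accept only the client's own address, unprivileged port.
            if hp and hp[0] == self.client_ip and hp[1] >= 1024:
                self.expected.add((self.server_ip, hp[0], hp[1]))
        elif not from_client and line.startswith("227 "):
            hp = parse_hostport(line[4:])
            # Passive mode: accept only the server's own address.
            if hp and hp[0] == self.server_ip and hp[1] >= 1024:
                self.expected.add((self.client_ip, hp[0], hp[1]))

    def allow_data(self, src_ip, dst_ip, dst_port):
        """Allow a new data connection only if negotiated; consume the pinhole."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expected:
            self.expected.remove(key)
            return True
        return False

def demo():
    # Constructed session using documentation addresses, not captured traffic.
    t = FtpTracker(client_ip="198.51.100.7", server_ip="192.0.2.10")
    t.control_line(False, "227 Entering Passive Mode (192,0,2,10,19,137)")
    return [t.allow_data("198.51.100.7", "192.0.2.10", p) for p in (5001, 5001, 6000)]
```

`demo()` returns `[True, False, False]`: the negotiated port 5001 is allowed once, a second attempt on it is refused, and a high port that was never negotiated stays closed.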