At 02:34 10.11.2001, you wrote:
>Unfortunately, IPCHAINS does not have this capability. This is
>known as a "stateful" firewall because it knows about existing
>connections.
>
>The good news is that IPTABLES, which is delivered with Red Hat 7.1,
>7.2 and other Linux distributions, does have this capability. It
>is known as connection tracking.
>

Unless I'm totally mistaken, IP MASQ with ipchains does achieve
that in practice. You can't do it to the firewall host itself, but
other hosts behind it. IP MASQ is one form of NAT
that comes with ipchains.

At least my firewall has rules that make it possible to
initiate connections from hosts behind it, while the firewall
host does reject/deny connection attempts initiated outside.
Unless I want to open certain ports to the firewall host, of course.

One can also define to IPMASQ which ports/protocols are
forwarded from the internal network. All this does work with
my humble Debian Potato with kernel 2.2 while using ipchains.

Since I'm not an expert with firewalls and I've not really
looked at IPTABLES, what benefits does moving to IPTABLES
give to a person who has the above network configuration?


Antti




>On Fri, Nov 09, 2001 at 11:46:28AM -0500, Sam Mabjish wrote:
> >
> > Hi,
> > I am using Linux IPCHAINS version 1.3.8.
> > I am having trouble coming up with rules to DENY
> > sessions originating somewhere on the Internet
> > outside my network.
> > But at the same time, I do NOT want to DENY traffic
> > coming back to my network for sessions that originated
> > from machines on my network.
> > I do not know if this function is available in IPCHAINS.
> > Can it be done?
> > Can you please help!!
> > What syntax should I use?
> > Thank you in advance
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
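An added illustration, not part of the original thread: a simplified Python model of the distinction the quoted reply draws, comparing a flag-only test (the idea behind the ipchains `-y` SYN match) with connection tracking as in iptables. The packets, addresses and every name in the code are constructed for this example, and the tracker keeps only the address/port 4-tuple, not TCP state or timeouts.

```python
from collections import namedtuple

# Constructed packet record; "direction" is relative to the protected network.
Packet = namedtuple("Packet", "label direction src sport dst dport flags")

def stateless_accept(pkt):
    """Flag-only test: refuse inbound TCP only when it is a connection
    request (SYN set, ACK clear). No memory of earlier packets."""
    if pkt.direction == "out":
        return True
    return not ("SYN" in pkt.flags and "ACK" not in pkt.flags)

class ConnTracker:
    """Simplified connection tracking: an inbound packet passes only if it
    mirrors a flow that an inside host opened first."""
    def __init__(self):
        self.flows = set()

    def accept(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Reverse the tuple: a reply comes from the original destination.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

# Constructed sample traffic (RFC 1918 inside, RFC 5737 outside addresses).
SAMPLE = [
    Packet("inside host opens web session", "out",
           "192.168.1.10", 40000, "203.0.113.5", 80, {"SYN"}),
    Packet("server reply to that session", "in",
           "203.0.113.5", 80, "192.168.1.10", 40000, {"SYN", "ACK"}),
    Packet("new session from outside", "in",
           "198.51.100.7", 5555, "192.168.1.10", 22, {"SYN"}),
    Packet("ACK with no session behind it", "in",
           "198.51.100.7", 5555, "192.168.1.10", 22, {"ACK"}),
]

def compare(packets):
    """Return (label, stateless verdict, tracked verdict) per packet."""
    tracker = ConnTracker()
    return [(p.label, stateless_accept(p), tracker.accept(p)) for p in packets]

if __name__ == "__main__":
    for label, flag_only, tracked in compare(SAMPLE):
        print(f"{label:32} flag-only={flag_only!s:5} tracked={tracked}")
```

The two filters agree on the first three packets; only the tracker rejects the last one, because the flag test has no record of which sessions were opened from inside.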