A firewall rule is a line, like a line in a database which stands for a record, or a line in a lookup table. A rule in a firewall, which is always part of the kernel, determines the action on a packet as and when the packet hits the kernel's networking stack. So the low-level kernel routines check for the packet's acceptance. For instance, a packet could be silently dropped, rejected with a packet sent back to the source, or passed silently. Typically packets are filtered on both the ingress and egress paths. It could get rejected at any time.

Any communication on the network happens in both directions. A TCP setup involves three packets going in two directions. That is why we face networking problems and TCP will not work when we get routing wrong. You can decide in a firewall to drop early, i.e. not allow packets with a certain characteristic to come in. This is good. But sometimes you cannot know how healthy a packet is until it goes out; then you can block it there. If you block at any point, the TCP connection establishment phase fails and your rule is successful.

But poorly written firewall rules can be circumvented, since even for me getting a firewall rule right takes a lot of trial and error and mistakes, and I simply lack the experience, common sense and reasoning for that. The reason is simple. Firewall rules require a lot of logic, just like programming. And you all know how hard it is to get code working correctly. It is always an embarrassment, particularly for someone of my age, but I learn to live with it. Perhaps one day...

Anyway, now, firewall rules cascade. Which means that all the rules are evaluated and the last rule could drop or allow. Which means that writing firewall rules now becomes more complex. You can also make a short-circuit rule which passes the packet to the kernel without further if-conditions. And any good firewall maintains state even for non-TCP traffic, and that greatly improves rule evaluation and performance. Finally, a firewall is what I talked about.
Now in Linux people are confused, bringing in userland, SIP and FTP rewriting, mixing userland and kernel and so on. That is not a true firewall...

-Girish
--
Gayatri Hitech
http://gayatri-hitech.com

_______________________________________________
ILUGC Mailing List: http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
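The post above talks about rules being evaluated in sequence, short-circuit rules, a stateful connection table and the three packets of a TCP handshake. The following Python is an added example written for this page, not code from the post or from any Linux firewall; it models a toy netfilter-style chain (an assumption about semantics, not a description of any particular product) in which a terminating verdict stops evaluation, a LOG rule does not, the chain policy applies when nothing matched, and accepted flows are recorded so that the reply half of a handshake is admitted as ESTABLISHED. All addresses, ports and rule names are constructed for the demo. The last function shows why ordering matters: a broad ACCEPT placed before a narrower rule makes the narrower rule dead.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Verdicts: ACCEPT/DROP/REJECT terminate evaluation of the chain, LOG does not.
ACCEPT, DROP, REJECT, LOG = "ACCEPT", "DROP", "REJECT", "LOG"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags such as {"SYN"}, {"SYN", "ACK"}, {"ACK"}


@dataclass
class Rule:
    match: Callable[[Packet, "Conntrack"], bool]
    verdict: str
    comment: str = ""


FlowKey = Tuple[str, str, int, str, int]


class Conntrack:
    """Connection table keyed by the 5-tuple of the originating direction."""

    def __init__(self) -> None:
        self.table: Dict[FlowKey, str] = {}

    @staticmethod
    def key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reply_key(p: Packet) -> FlowKey:
        # Same flow seen from the other side (server -> client).
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def state(self, p: Packet) -> str:
        if self.key(p) in self.table or self.reply_key(p) in self.table:
            return "ESTABLISHED"
        return "NEW"

    def track(self, p: Packet) -> None:
        # Record an accepted flow once, in its originating direction only.
        if self.reply_key(p) not in self.table:
            self.table.setdefault(self.key(p), "SEEN")


def evaluate(chain: List[Rule], policy: str, p: Packet, ct: Conntrack, log: List[str]) -> str:
    """Walk the chain top-down; first terminating match wins, else the policy."""
    verdict = policy
    for rule in chain:
        if not rule.match(p, ct):
            continue
        if rule.verdict == LOG:            # non-terminating: note it and keep going
            log.append(f"{rule.comment}: {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            continue
        verdict = rule.verdict             # short-circuit: stop evaluating here
        break
    if verdict == ACCEPT:
        ct.track(p)                        # only accepted flows enter the state table
    return verdict


HOST = "192.0.2.1"  # constructed address of the host being protected


def established(p: Packet, ct: Conntrack) -> bool:
    return ct.state(p) == "ESTABLISHED"


def input_chain() -> List[Rule]:
    return [
        Rule(established, ACCEPT, "established"),
        Rule(lambda p, ct: p.proto == "tcp" and p.dport == 22 and p.src.startswith("10."),
             ACCEPT, "ssh-from-lan"),
        Rule(lambda p, ct: p.proto == "tcp" and p.dport == 22, LOG, "ssh-from-outside"),
    ]


def run(packets: List[Tuple[str, Packet]], inp: List[Rule]) -> Tuple[List[str], List[str]]:
    """Feed ("in"|"out", packet) pairs through INPUT (policy DROP) / OUTPUT (policy ACCEPT)."""
    ct, log, verdicts = Conntrack(), [], []
    out = [Rule(established, ACCEPT, "established")]
    for direction, p in packets:
        chain, policy = (inp, DROP) if direction == "in" else (out, ACCEPT)
        verdicts.append(evaluate(chain, policy, p, ct, log))
    return verdicts, log


def handshake_demo() -> List[str]:
    """SYN in, SYN-ACK out, ACK in: the replies ride on the tracked state."""
    client = "10.0.0.5"
    syn = Packet(client, HOST, "tcp", 40000, 22, frozenset({"SYN"}))
    synack = Packet(HOST, client, "tcp", 22, 40000, frozenset({"SYN", "ACK"}))
    ack = Packet(client, HOST, "tcp", 40000, 22, frozenset({"ACK"}))
    return run([("in", syn), ("out", synack), ("in", ack)], input_chain())[0]


def stray_packets_demo() -> Tuple[List[str], List[str]]:
    """A SYN from outside the LAN is logged then dropped; a bare ACK with no state is dropped."""
    outsider = "203.0.113.9"
    syn = Packet(outsider, HOST, "tcp", 51000, 22, frozenset({"SYN"}))
    bare_ack = Packet(outsider, HOST, "tcp", 51001, 443, frozenset({"ACK"}))
    return run([("in", syn), ("in", bare_ack)], input_chain())


def misordered_demo() -> str:
    """A broad ACCEPT ahead of the LAN-only rule lets the outsider's SYN straight through."""
    broad = Rule(lambda p, ct: p.proto == "tcp" and p.dport == 22, ACCEPT, "ssh-any")
    chain = [broad] + input_chain()
    syn = Packet("203.0.113.9", HOST, "tcp", 51000, 22, frozenset({"SYN"}))
    return run([("in", syn)], chain)[0][0]
```

Running `handshake_demo()` yields three ACCEPTs even though the INPUT policy is DROP, because the first packet was accepted by the LAN rule and the later two match the ESTABLISHED rule via the state table. `stray_packets_demo()` returns two DROPs plus one log line, and `misordered_demo()` returns ACCEPT, which is the kind of silent mistake the post describes: the rule intended to restrict SSH to the LAN is still present but never reached.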
