/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */

Good day, Samuel,

The following is based on my best understanding of the issue and the packages - corrections are welcome.

On Thu, 18 Nov 1999, Samuel Patton wrote:
> This is a general question about ipchains. Does ipchains provide static or
> dynamic packet filtering? Also are there future plans for ipchains to
> support stateful filtering?

I assume that your terms "static" and "dynamic" correspond to "stateless" and "stateful". If, on the other hand, "dynamic" means "the kernel can add new rules to itself with no userspace assistance", the answer is no - see Mason in my .sig for that.

ipfwadm and ipchains are generally stateless *1. The argument could be made that the ip_masq_ftp/irc/etc. modules add some stateful ability to an ipfwadm or ipchains firewall, but that ability would at best be limited to those protocols. Even in those cases, the ports may still need to be opened beforehand.

netfilter/iptables does include stateful inspection. The state module (try iptables -m state -h) provides the additional states of NEW, ESTABLISHED, RELATED and INVALID. For the first time in Linux packet filtering, we have the ability to have a single rule for the first packet and match all the rest by ACCEPTing ESTABLISHED packets.

Rusty has a general connection tracking architecture in place. I _believe_ that additional modules are planned to handle the particular needs of some of the more exotic protocols (perhaps Tridge can offer some insight on SMB!), but the current package seems to handle ftp and the standard single-port connection protocols just fine.

netfilter/iptables is still under development, but it's stable enough to start using it on non-production machines. You'll need a 2.3.x kernel (I'd suggest 2.3.24-2.3.26 or 2.3.27) and the netfilter-0.1.12 package from http://www.samba.org/netfilter/. This site also has information about the netfilter mailing list.

Cheers,
- Bill

*1 Stateless means that the decision about each packet is made based on the characteristics of that packet alone, and does _not_ use information from any previous or future packets. A stateful firewall, on the other hand, keeps track of connections; a given packet might be accepted one day because it's part of an established connection, and denied the next because it's not currently part of a connection.

---------------------------------------------------------------------------
"Architect: someone who knows the difference between what could be done and what should be done." -- Larry McVoy <[EMAIL PROTECTED]>
--------------------------------------------------------------------------
William Stearns ([EMAIL PROTECTED]). Mason, Buildkernel, named2hosts, and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
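The stateless/stateful distinction from the reply above and its footnote, as an added example that is not part of the original post and is not netfilter or ipchains code: a small Python simulation of the two filtering models run over the same constructed packet sequence. The stateless ruleset can only look at header fields, so it approximates "reply traffic" by the classic ipchains-era trick of accepting inbound packets with source port 80 and the ACK bit set; the stateful ruleset consults a toy connection table that yields NEW, ESTABLISHED or INVALID the way the iptables state module does (RELATED is not modelled, since that needs the per-protocol helper modules the post mentions). The LAN prefix, addresses and port numbers are constructed assumptions.

```python
"""Toy stateless vs stateful packet filter (constructed illustration)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = field(default_factory=frozenset)


def is_internal(ip: str) -> bool:
    # Assumption: the protected LAN is 10.0.0.0/8.
    return ip.startswith("10.")


# --- stateless: every packet is judged on its own header fields only ----
def stateless_verdict(p: Packet) -> str:
    if is_internal(p.src) and p.proto == "tcp" and p.dport == 80:
        return "ACCEPT"  # outbound web traffic
    if (not is_internal(p.src) and p.proto == "tcp"
            and p.sport == 80 and "ACK" in p.flags):
        # "Replies": source port 80 plus ACK bit. Without a connection
        # table this is the only way to let answers back in, and it
        # admits any packet that merely looks like an answer.
        return "ACCEPT"
    return "DROP"


# --- stateful: a connection table supplies NEW/ESTABLISHED/INVALID -----
class ConnTracker:
    def __init__(self):
        self.table = set()  # 5-tuples of connections seen in the NEW state

    def state(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in self.table or rev in self.table:
            return "ESTABLISHED"
        if p.proto == "tcp":
            # Only a bare SYN may open a TCP connection; a stray ACK
            # that belongs to no known connection is INVALID.
            return "NEW" if "SYN" in p.flags and "ACK" not in p.flags else "INVALID"
        return "NEW"  # UDP/ICMP: first packet of a flow is NEW

    def record(self, p: Packet) -> None:
        self.table.add((p.src, p.sport, p.dst, p.dport, p.proto))


def stateful_verdict(p: Packet, ct: ConnTracker) -> str:
    st = ct.state(p)
    if st == "ESTABLISHED":
        return "ACCEPT"  # one rule covers every later packet of the flow
    if st == "NEW" and is_internal(p.src) and p.proto == "tcp" and p.dport == 80:
        ct.record(p)  # accepted NEW packets create the connection entry
        return "ACCEPT"
    return "DROP"  # INVALID, and NEW in a direction we do not allow


def run_stateless(packets):
    return [stateless_verdict(p) for p in packets]


def run_stateful(packets):
    ct = ConnTracker()
    return [stateful_verdict(p, ct) for p in packets]


# Constructed scenario: a legitimate web fetch, then a spoofed "reply".
SCENARIO = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, flags=frozenset({"SYN"})),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, flags=frozenset({"SYN", "ACK"})),
    # Never requested: external source port 80, ACK set, aimed at ssh.
    Packet("198.51.100.7", 80, "10.0.0.5", 22, flags=frozenset({"ACK"})),
    # Plain inbound connection attempt: neither model lets it through.
    Packet("198.51.100.7", 31337, "10.0.0.5", 22, flags=frozenset({"SYN"})),
]

if __name__ == "__main__":
    for p, a, b in zip(SCENARIO, run_stateless(SCENARIO), run_stateful(SCENARIO)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}"
              f"  stateless={a}  stateful={b}")
```

The third packet is the point of the footnote: the stateless filter accepts it because, packet by packet, it is indistinguishable from a web server's answer, while the connection tracker has never seen a NEW packet for that 5-tuple and classifies it INVALID.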
