Marty was once rumoured to have said:
> You're right though. You definitely need to adjust the way you approach
> filtering when migrating from ipchains -> netfilter.
>
> BTW: for those that care, the most important point is the way the chains
> work. My understanding of the situation is thus:
Yes. The change is the way the tables/chains work.
[Diagram snipped]
> i.e. you now have some sanity in the rules. Packets only traverse a single
> default chain depending on where they are headed, so you can change the
> forwarding filter rules without affecting packets heading out of the
> system, and you can change the inbound rules without affecting the
> forwarding...
Uh, no. [Not sure about the diagram, but you've missed the important
change].
Netfilter supports stateful inspection - this is a whole new chain of
thought from static ipchains tables - now you can make your firewalls
react with stateful responses in order to seriously improve your
security.
For example, in a stateless firewall, for normal (active-mode) FTP you'd have:
* allow tcp without a SYN flag set.
* allow tcp SYN outbound to port 21
* allow tcp SYN inbound to ports above 1024 from port 20
This means a skript kiddie with root on a *nix box can attack ports
1024 and above on your machine[s].
Whereas with a stateful inspection firewall:
* allow tcp outbound to port 21
* allow tcp inbound to port 1024 or above from port 20
iff a connection from the destination machine to the source machine on
port 21 already exists
[I'm not sure on how these rules are actually written - I'm currently
presenting what I know about stateful inspection]
That skript kiddie can no longer attack your machine, unless you're
FTPing to his host.
Also, it'd be impossible to detect the 'hole' that permits normal FTP
from any other host.
Stateful inspection firewalls are good. mmkay?
--
--==============================================--
Crossfire | This email was brought to you
[EMAIL PROTECTED] | on 100% Recycled Electrons
--==============================================--
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
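The two rulesets sketched in the post above, written out as iptables commands. This is an added example, not code from the original post or from the SLUG thread. It assumes a 2.4-era netfilter kernel, where the FTP connection-tracking helper is the ip_conntrack_ftp module (later kernels call it nf_conntrack_ftp and spell the match `-m conntrack --ctstate`), and it models active-mode FTP as the post does. The function names are mine; IPT and MODPROBE default to echo so the script only prints what it would do unless you override them.

```shell
#!/bin/sh
# Added example (not from the original post): stateless ipchains-style FTP
# rules beside their stateful netfilter equivalent, as iptables commands.
# IPT and MODPROBE default to "echo ..." so this is a dry run; set
# IPT=iptables MODPROBE=modprobe and run as root to actually load the rules.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

# Stateless ruleset: a direct transcription of the three rules in the post,
# on top of a DROP policy. Note that rule 3 matches on ports alone.
ftp_rules_stateless() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    # 1. any tcp packet without SYN is assumed to belong to a connection we opened
    $IPT -A INPUT -p tcp ! --syn -j ACCEPT
    $IPT -A OUTPUT -p tcp ! --syn -j ACCEPT
    # 2. we may open the control connection to port 21
    $IPT -A OUTPUT -p tcp --syn --dport 21 -j ACCEPT
    # 3. the server may open the active-mode data connection from port 20 to
    #    any unprivileged port on us. This is the hole: anyone with root can
    #    bind source port 20 and SYN-scan everything above 1024.
    $IPT -A INPUT -p tcp --syn --sport 20 --dport 1024:65535 -j ACCEPT
}

# Stateful ruleset. The ftp helper watches the PORT command on our control
# connection and marks the server's port-20 data connection RELATED to it;
# a bare SYN from port 20 on a host we have no session with is merely NEW,
# matches nothing, and falls through to the DROP policy.
ftp_rules_stateful() {
    $MODPROBE ip_conntrack_ftp   # 2.4-era name; nf_conntrack_ftp on later kernels
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    # we may open the control connection to port 21
    $IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # inbound data connection from port 20, only if tied to an existing
    # control connection (the post's "iff" rule)
    $IPT -A INPUT -p tcp --sport 20 --dport 1024:65535 -m state --state RELATED -j ACCEPT
    # everything else must belong to a flow conntrack already knows about
    $IPT -A INPUT -m state --state ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: sh ftp-rules.sh stateless|stateful  (prints the rules by default)
case "${1:-}" in
    stateless|stateful) "ftp_rules_$1" ;;
esac
```

Run `sh ftp-rules.sh stateful` to see the rules, then `IPT=iptables MODPROBE=modprobe sh ftp-rules.sh stateful` as root to load them. The stateless set accepts the attacker's port-20 SYN purely on port numbers; the stateful set only accepts it when the helper has already seen your side ask for that data connection.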