One clarification related to this: what's the difference between the advanced string matching capability and an L7-filter based firewall? The obvious difference I see is string matching is a kind of stateless, L7 filter if we are using URLs as the strings. If string matching is integrated with the ftp/http connection tracking module, do we really need the L7-filter module also?

Thanks in advance for sharing your inputs.

Peter Chacko.

On Wed, Aug 26, 2009 at 2:23 PM, Richard Horton <arimus.uk@xxxxxxxxxxxxxx> wrote:
> 2009/8/26 tom murphy <tommurphy105@xxxxxxxxx>:
>> Dear experts,
>>
>> How would one classify netfilter?
>>
>> It seems there are at least 3 categories of firewall:
>> 1) packet filter (stateless filtering)
>> 2) stateful filter
>> 3) application-level filter (aka. proxy filter)
>
> And as outlined by yourself and below by me... ipt is at least 2 of the 3.
>
> [snip]
>> Any opinions or comments on helping me pigeonhole Netfilter/iptables.
>> Perhaps stateful filter implies packet filter also.
>
> Just my personal opinion, but for a firewall to be a stateful firewall
> it must by definition carry out packet filtering.
>
> iptables in its base form is a packet filtering firewall. Add the
> conntrack support and it becomes a stateful firewall. Add the advanced
> matching ability and the L7 capability and it becomes an application
> firewall.
>
> I'd be inclined, though, to classify ipt as a stateful firewall
> for most uses, as the application firewall ability is provided by
> additional components and may, depending on definition, not fully
> qualify as an application firewall.
>
> --
> Richard Horton
> Users are like a virus: Each causing a thousand tiny crises until the
> host finally dies.
> http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
> http://www.pbase.com/arimus - My online photogallery
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Best regards,
Peter Chacko
NetDiox computing systems,
Network storage & OS training and research.
Bangalore, India.
www.netdiox.com
080 2664 0708
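To make the distinction Peter asks about concrete, here is an added illustration that is not part of the thread and not netfilter code: a per-packet string matcher placed next to a per-connection matcher, both run over constructed HTTP segments. The function names, the sample segments and the 10-packet / 2 kB buffer limits are my assumptions, not details taken from the list.

```python
import re

# Constructed sample traffic: three TCP segments of one HTTP connection,
# client to server. The request line is deliberately split across the
# first two segments, as happens when a request straddles a segment boundary.
SEGMENTS = [
    b"GET /intranet/pay",
    b"roll HTTP/1.1\r\nHost: example.test\r\n",
    b"User-Agent: curl/7.0\r\n\r\n",
]


def per_packet_string_match(segments, needle):
    """Stateless matching in the spirit of the iptables string match:
    every packet payload is inspected on its own and nothing is carried
    over from one packet to the next, even inside a tracked connection."""
    return [needle in payload for payload in segments]


def per_connection_match(segments, pattern, max_packets=10, max_bytes=2048):
    """Simplified model of an L7-style classifier: payload from the first
    few packets of a connection is accumulated (which is what connection
    tracking makes possible) and a regex is evaluated over that buffer.
    The 10-packet / 2 kB limits are assumed defaults, not from the thread."""
    buffer = b"".join(segments[:max_packets])[:max_bytes]
    return re.search(pattern, buffer) is not None


def compare(url=b"/intranet/payroll"):
    """Run both matchers over the sample and return their verdicts."""
    return {
        "per_packet": per_packet_string_match(SEGMENTS, url),
        "per_connection": per_connection_match(SEGMENTS, rb"^GET " + re.escape(url)),
    }


if __name__ == "__main__":
    # prints {'per_packet': [False, False, False], 'per_connection': True}
    print(compare())
```

In this model the per-packet matcher misses a URL that straddles a segment boundary, while the connection-level matcher sees the reassembled request. Tying the string match to conntrack tells you which connection a packet belongs to, but it does not by itself supply the accumulated payload that the connection-level matcher keys on.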