>> It seems there are at least 3 categories of firewall:
>> 1) packet filter (stateless filtering)
>> 2) stateful filter
>> 3) application-level filter (aka proxy filter)
>
> And as outlined by yourself and below by me... ipt is at least 2 of the 3.
>
> [snip]
>> Any opinions or comments on helping me pigeon-hole Netfilter/iptables.
>> Perhaps stateful filter implies packet filter also.
>
> Just my personal opinion, but for a firewall to be a stateful firewall
> it must by definition carry out packet filtering.
>
> iptables in its base form is a packet filtering firewall. Add the
> conntrack support and it becomes a stateful firewall. Add the advanced
> matching ability and the L7 capability and it becomes an application
> firewall.
>
> I'd be inclined, though, to classify ipt as a stateful firewall
> for most uses, as the application firewall ability is provided by
> additional components and may, depending on definition, not fully
> qualify as an application firewall.
>

I agree. It was all the additional nuts and bolts that integrate with Netfilter that were throwing me off.

I guess, while Netfilter can perform as a proxy (NAT translation) and provide deep packet inspection on other application-level services, it is not suited as a proxy in the general sense. For example, SQUID would be more suited as a web proxy (cache and access control) rather than trying to bend Netfilter to fall into this role (performance reasons, granularity etc.).

So I guess I am inclined to say Netfilter is by default a stateful packet filter (I think conntracking is activated by default in the kernel) and as a result it also subsumes the traditional stateless packet filtering capabilities.
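To make the "stateful implies packet filter" point concrete, here is a small added model (not from the thread, and not real iptables or conntrack code) that runs the same constructed packet sequence through a header-only filter and through the same header rules backed by a connection table; the host address 10.0.0.5 and the packets are made up for the illustration.

```python
from dataclasses import dataclass

PROTECTED_HOST = "10.0.0.5"   # constructed: the server behind the filter

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool

def is_new_ssh(p: Pkt) -> bool:
    """Policy shared by both filters: allow new SSH connections to our host."""
    return p.dst == PROTECTED_HOST and p.dport == 22 and p.syn and not p.ack

def stateless_allow(p: Pkt) -> bool:
    """Stateless packet filter: decides on this packet's header alone.
    Without a connection table it can only approximate 'established'
    by trusting the ACK flag, so any packet carrying ACK gets through."""
    return is_new_ssh(p) or p.ack

class StatefulFilter:
    """Same header policy plus a flow table (a stand-in for conntrack).
    It still filters packets; it just has more to match against."""
    def __init__(self) -> None:
        self.flows: set[tuple] = set()   # (src, sport, dst, dport) of NEW flows

    def allow(self, p: Pkt) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if key in self.flows or rev in self.flows:
            return True                   # ESTABLISHED: part of a tracked flow
        if is_new_ssh(p):
            self.flows.add(key)           # NEW and permitted: start tracking
            return True
        return False                      # untracked packet, policy says drop

def run_comparison() -> list[tuple[bool, bool]]:
    """Return (stateless, stateful) verdicts for a constructed packet sequence."""
    client, stray = "198.51.100.7", "203.0.113.9"
    seq = [
        Pkt(client, 40000, PROTECTED_HOST, 22, syn=True, ack=False),  # SSH SYN
        Pkt(PROTECTED_HOST, 22, client, 40000, syn=True, ack=True),   # SYN/ACK back
        Pkt(stray, 5555, PROTECTED_HOST, 8080, syn=False, ack=True),  # ACK, no flow
        Pkt(client, 40000, PROTECTED_HOST, 22, syn=False, ack=True),  # SSH data
    ]
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in seq]
```

The third packet is where the two diverge: the header-only filter passes it because ACK is set, while the flow-aware filter drops it because no tracked connection explains it.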