Re: What category of Firewall does Netfilter fall under?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>> Its seems there are at least 3 categories of firewall:
>> 1) packet filter (stateless filtering)
>> 2) stateful filter
>> 3) appliaction-level filter (aka. proxy filter)
>
> And as outlined by yourself and below by me... ipt is atleast 2 of the 3.
>
> [snip]
>> Any opinions or comments on helping me pigion hole Netfilter/iptables.
>> Perhaps stateful filter implies packet filter also.
>
> Just my personal opinion but for a firewall to be a stateful firewall
> it must by definition carry out packet filtering.
>
> iptables in its base form is a packet filtering firewall. Add the
> conntrack support and it becomes a stateful firewall. Add the advanced
> matching abilitiy and the L7 capability and it becomes an application
> firewall.
>
> I'd be inclined though to classify ipt as a stateful firewall though
> for most uses as the application firewall ability is provided by
> additional components and may, depending on definition, not fully
> qualify as an application firewall.
>
I agree. It was all the additional nuts and bolts that integrates with
Netfilter that was throwing me off.

I guess, Netfilter while it can perform as a proxy (NAT translation)
and provide deep packet inspection on other application-level
services, it is not suited as a proxy in the general sense. For
example, SQUID would be more suited as a web proxy (Cache and Access
Control) rather than trying to bend Netfilter to fall into this role
(performance reasons, granularity etc).

So I guess, I am inclined to say Netfilter is by default a Stateful
Packet Filter (I think conntracking is activated by default in the
kernal) and as a result it also subsumes the traditional stateless
packet filtering capabilities also.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux