On Thu, Oct 19, 2000, Shachar Shemesh wrote about "Re: firewall":
> Duplicating exactly the FW-1 functionality in an opensource project is not
> practical, due to a patent on stateful inspection. This gives the FW-1 product
> the ability to open specific ports that would normally be blocked, because, for
> example, an FTP protocol request required that port. If you wanted to support the
> same protocol with a static packet filtering firewall (such as IPChains), either
> this, or probably a lot more, ports would have to be permanently open. To the
>..
I don't know anything about the patent, but Linux already has "stateful
inspection" in its masquerading code. If you have a Linux firewall, and
a network of other computers behind it, Linux does IP masquerading very
nicely, and knows to allow incoming packets only on open sessions. You also
have "masq" modules that can allow incoming packets/connections "related"
to an open session - for example, FTP needs another port opened besides the
one you're opening.
Unfortunately, ipchains itself does *NOT* support sessions, so you can't
allow, for example, incoming packets (destined for the LINUX HOST ITSELF,
not masqueraded hosts behind it) to be allowed only if the local host opened
the port first. Iptables, the firewalling code in the 2.4 kernel, will
support this, and I'm really looking forward to it - I'm not sure if FW-1
will have anything better in the firewall area than Linux after that (and
I'm not talking about VPN or proxy support now).
But ipchains works very nicely even without supporting sessions. One very
important feature that you should be aware of is the "-y" option, which
allows incoming packets, but not incoming TCP packets with SYN on (i.e., even
if the attacker sends packets to some open port, and even if something is
listening on that port, the attacker will *not* be able to make the connection!).
For example, to safely allow HTTP connections to port 80 on other computers
(without having to hassle with proxies, etc.), and data returning to your
own port, use the ipchains rules:
-A output -p TCP --dport 80 --sport 1024: -j ACCEPT
-A input -p TCP ! -y --sport 80 --dport 1024: -j ACCEPT
--
Nadav Har'El | Thursday, Oct 19 2000, 20 Tishri 5761
[EMAIL PROTECTED] |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |A city is a large community where people
http://nadav.harel.org.il |are lonesome together.
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
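The "! -y" rule in the message above, and the session tracking the message expects from iptables, as an added example that is not part of the original post or of ipchains/iptables: a small Python model that applies the stateless ipchains-style policy and a toy per-session policy to constructed packets. The Packet class, the policy functions, the addresses and the ports are all assumptions made for this demo. The constructed traffic includes an unsolicited bare-ACK packet from source port 80, which the stateless rule lets through (the TCP stack then answers it with a RST, which is what ACK scanning relies on to map rules), while the session-tracking policy drops it because the local host never opened that connection.

```python
from dataclasses import dataclass

# Constructed demo addresses; made up for this example, not from the message.
FIREWALL = "10.0.0.1"        # the Linux host running ipchains
WEB_SERVER = "192.0.2.80"    # a remote HTTP server (TEST-NET-1 address)
ATTACKER = "198.51.100.7"    # a remote host probing the firewall


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out" from the Linux host's point of view
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


def syn_only(p: Packet) -> bool:
    """ipchains -y semantics: SYN set with ACK and FIN clear (a connection request)."""
    return p.syn and not p.ack and not p.fin


def stateless_policy(p: Packet) -> str:
    """The two ipchains rules from the message, rendered as a predicate:

        -A output -p TCP --dport 80 --sport 1024: -j ACCEPT
        -A input  -p TCP ! -y --sport 80 --dport 1024: -j ACCEPT

    Anything not matched falls through to an assumed default DENY policy.
    """
    if p.direction == "out" and p.dport == 80 and p.sport >= 1024:
        return "ACCEPT"
    if p.direction == "in" and not syn_only(p) and p.sport == 80 and p.dport >= 1024:
        return "ACCEPT"
    return "DENY"


class StatefulPolicy:
    """Session tracking of the kind the message expects from iptables: an
    inbound packet is accepted only if the local host opened that connection
    first. This is a toy model for illustration, not netfilter's conntrack."""

    def __init__(self):
        self.sessions = set()   # (local_ip, local_port, remote_ip, remote_port)

    def decide(self, p: Packet) -> str:
        if p.direction == "out" and p.dport == 80 and p.sport >= 1024:
            if syn_only(p):
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if p.direction == "in":
            key = (p.dst, p.dport, p.src, p.sport)
            if key in self.sessions:
                if p.rst:
                    self.sessions.discard(key)   # remote side tore the session down
                return "ACCEPT"
        return "DENY"


def run_demo() -> dict:
    """Return {packet_name: (stateless_verdict, stateful_verdict)} for constructed traffic."""
    stateful = StatefulPolicy()
    traffic = [
        # 1. Local browser opens a connection: allowed by both policies.
        ("client_syn", Packet("out", FIREWALL, 40000, WEB_SERVER, 80, syn=True)),
        # 2. Server's SYN/ACK reply: ACK is set, so "! -y" matches; the session is known.
        ("server_synack", Packet("in", WEB_SERVER, 80, FIREWALL, 40000, syn=True, ack=True)),
        # 3. Attacker tries to connect to a high port from source port 80:
        #    SYN-only, so "! -y" does not match and both policies deny it.
        ("attacker_syn", Packet("in", ATTACKER, 80, FIREWALL, 2049, syn=True)),
        # 4. Attacker sends a bare ACK from source port 80 to the same port. No
        #    session exists, yet the stateless rule lets it in (the stack will
        #    answer with a RST, which is what ACK scans look for); the
        #    session-tracking policy denies it.
        ("attacker_ack", Packet("in", ATTACKER, 80, FIREWALL, 2049, ack=True)),
    ]
    return {name: (stateless_policy(p), stateful.decide(p)) for name, p in traffic}


if __name__ == "__main__":
    for name, (stateless, tracked) in run_demo().items():
        print(f"{name:14s} stateless={stateless:6s} stateful={tracked}")
```

The design point is that "! -y" only recognises a connection *request*; it has no memory of which connections the host actually opened, so any TCP packet that is not a pure SYN and carries the right ports is accepted. That is the gap the session-tracking code in the 2.4 kernel closes.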