Why iptables (Linux 2.4 Firewalling) Rocks 209
Jay writes: "There's a story on Linux 2.4's new Stateful firewalling.
Rusty and friends have vastly improved Linux capabilities, allowing it
to filter against many stealth scans and DoS attacks. Their code rewrite brings powerful "stateful" firewalling that was originally impossible under Linux. The muchly improved packet mangling allows
not only better transparent proxies, but load-sharing clusters and stuff. Actually, the coolest thing about the new architecture is that it's designed so anybody can add filtering methods, for stuff like rate limiting and MAC address-based filtering."
MAC filters (Score:1)
On a side note, is there any downfall to this?
If this is so great... (Score:1)
Sounds like they're choosing to keep a firewall full of holes just because its stable(r). However if someone breaks in, what price stability ?
Transparent Proxies aren't such a Good Thing (Score:4)
Re:Way to catch up guys (Score:2)
"Building Linux and OpenBSD Firewalls" by Wes Sonnenreich, Tom Yates is a good resource that explains all this.
BdosError
Re:MAC filters (Score:4)
Of course, this eliminates a good portion of those who would try to hack in. Just don't rely on it to be fool-proof.
I was always tempted to use a laptop running Linux to spoof one of the main campus Unix systems at Dartmouth when it went down for backups, but never did. (I think they had some public systems on the same subnet as the machine room.)
iptables-save (Score:1)
--
Stateful firewalling. (Score:4)
As it stands now (or previously... in ipchains), rules were defined in a way that could be reduced to a regular expression, which as everyone knows are fast and don't require a stack to interpret.
However, as soon as you introduce "state" into a grammar, you require of yourself a stack, which means that additional memory is going to be needed to store these values to aid in parsing the grammar.
This doesn't sound too bad, even though it may slow the process of packet interpretation, but it seems like there still would be a signifigant performance hit on busy servers.
Also, since these rules have state, I wonder if there will be ways send packets that will cause something similar to a stack overflow (infinite recursion) by sending it a quasi-infite series of packets.
(Imaging sending a C++ compiler the following ..
[I can't send what I want, a string of open parens, so this will have to suffice. /. lameness filter]
String= (*
Eventually there will be a stack overflow from all the parens.
Re:If this is so great... (Score:1)
As always, a series of tradeoffs.
iptables/ipchains syntax (Score:2)
Now both (iptables, ipf) have states. Can someone infom me about the advantage of iptables over ipf?
---------------------------
"What is the most effective Windows NT remote management tool?
Win2K? (Score:2)
It'd be cool to filter out junk on my Apache/Win2K box. :)
-
-Be a man. Insult me without using an AC.
Re:DIE JON KATZ (Score:1)
---
Oh yeah? Where's the journaling filesystem or SMP? (Score:2)
Each has their strong points. Why not be a little more optimistic about what each can achieve?
Re:Way to catch up guys (Score:2)
Iptables under the 2.4 kernel has impressed me. I use it for a test lab at work, and the first thing I noticed was that it allows active FTP through its implementation of NAT. It's probably due to some funky extension they've added to FTP standards, i'm not sure, nor good enough of a programmer to figure it out from the code... Nonetheless, they've finally made a decent product that starts comparing to the cleanliness and quality of BSD's NAT.
The other BSDs also use the same BSD NAT, however, my last experience of using NAT on FreeBSD (back on 3.3) was that it was quite erratic in behavior compared to the same setup using OpenBSD. I might have been royally screwing something up, too
Re:Stateful firewalling. (Score:5)
(anonymous to avoid giving info about my network)
Re:Way to catch up guys (Score:1)
Grow up....
sure one can purchase a "pre-made" firewall, but to have a computer running Linux gives Administrators more options when working in companies that work with budgets...
Linux And Commercial Firewall Packages (Score:2)
---
IPFiter + Dummy NET (Score:1)
But seriously, any more questions on the maturity/performance of the BSD's networking code? this stuff has been posible for AGES...
A Question -- Can it allow Win2k VPN? (Score:1)
This works fine for web and ssh and outgoing mail and dns and all -- but not when I need to use Win2k's VPN client to establish a tunnel -- my understanding is that the VPN server tries to establish a connection back (expecting to hit Win2k, but hitting to the linux box) which is refused.
How can I configure IPTables so I can tunnel and stay firewalled?
Re:Win2K? (Score:1)
I don't know that you could filter the stuff, but you could at least log it using Snort Win-32 [snort.org].
Re:iptables/ipchains syntax (Score:4)
You can run iptables in Linux.
Linux has its uses, don't get me wrong, but I'll take an OpenBSD firewall over any Linux firewall, regardless of which distro, or firewalling software it runs. The TCP stack in the BSDs is much more robust than the Linux stack, and its just plain faster.
Don't belive me? That's fine, but don't go flaming me unless you have actually used both Linux and *BSD firewalls extensively.
9 little greeblys sitting on a plate...
Re:Ahem.. (Score:1)
Re:A Question -- Can it allow Win2k VPN? (Score:1)
in 2.2 you would use ipmasqadm to forward the ports back from public to private
Why it really rocks! (Score:3)
Re:Oh yeah? Where's the journaling filesystem or S (Score:1)
"That's a great way to make yourself look good. Go from crappy to average, and have the press all over you. Meanwhile, Linux has been doing it all along.."
Not everything done well is revolutionary, but just because it has been done before doesnt make it easier when someone else does it. Sure they *could* have used BSDs ipf. But they didnt. They did it their own way, and it was hard. Just acknowledge the effort. THAT isnt hard. Why not just be happy that there is one less crappy TCP firewalling mechanism in the world. Ever heard of a pat on the back and say "Well done".
---
How does this compare with FreeBSD? (Score:2)
Now: Does anybody here know offhand if the packet filtering support in FreeBSD supports these features? (stateful ftp support, DNS probe rejection, etc...?) i know it has rate-limiting to make DOS attacks not work as well...
Thanks
Re:Win2K? (Score:1)
-
-Be a man. Insult me without using an AC.
Re:A Question -- Can it allow Win2k VPN? (Score:1)
If you have it compiled as a module just insert it. I haven't tried it myself though so I couldn't
say if it works. Last I remember seeing it was
labelled experimental.
**********************************
Re:Linux And Commercial Firewall Packages (Score:1)
Personally i dont know absolutely anything about commercial firewalls except some cheap soho fw's that ive tested but i remember reading just few days ago from /. comments that Nokia's [nokia.com] Firewall-1 solutions are based on linux os and some hardware... This was mentioned in Nokia's mediaterminal thread.
Btw, i dont know if it's really known outside finland but Nokia started it's "Empire" in finland by manufacturing RUBBER BOOTS. I think they still do but businesses have been seperated to different companies ;)
--
Re:Win2K? (Score:1)
You bet your sweet patootie! (Score:1)
9 little greeblys sitting on a plate...
Re:Why it really rocks! (Score:1)
Re:Win2K? (Score:2)
Re:Stateful firewalling. (Score:1)
Anyway the same goes for other stateful firewalls so if a linux box doesn't cut it for a large company they still have their expensive proprietary solutions, but for a nice home firewall this rox.
I'm sure iptables is great and wonderful, but... (Score:1)
Re:MAC filters (Score:3)
Re:How does this compare with FreeBSD? (Score:1)
stateful inspection (ipf) and rate limiting (dummy net thru ipfw).
ratelimiting agains't many DoS type attacks is actually built into the default kernel.
Re:iptables/ipchains syntax (Score:1)
You can run iptables in Linux.
Actually, non-glibc Linux 2.0.x kernels can use ipfilter as a kernel module.
Linux has its uses, don't get me wrong, but I'll take an OpenBSD firewall over any Linux firewall, regardless of which distro, or firewalling software it runs.
I completely agree, ipfilter has done stateful firewalling for a long time now, where Linux has just added it. I'll take the more tested codebase any day, it's only logical.
Re:MAC filters (Score:1)
Why not go to the wiring closet and remove the jumper cable between the patch panel to your switch/hub on those ununsed ports?
Re:Oh yeah? Where's the journaling filesystem or S (Score:1)
OK. ipchains is a good effort. It still isn't as good as ipf.
Iptables, user-space queueing, and reiserfs (Score:4)
I needed to block a list of thousands of ip addresses at the firewall. Here's how I did it:
First, I read the sample code for how to implement user-space queueing. That's where you pass a packet to a user-space program so it can decide what to do with it. Then I made some trivial changes to that program so that it looks for a file in a certain directory with a name equal to the IP address in the packet header.
If the file exists (i.e. an open() call succeeds), then the packet is denied; otherwise it is allowed. Anytime I want to add a new IP address to the blocking list, I just create a file in that directory. Since I run reiserfs, the test for file existence is as efficient as a hashtable lookup, but much simpler to code.
Not as sophisticated as a commercial firewall program, but not as much overhead, either. (Simplistic) benchmarks show no significant increase in network latency. Works for me!
Re:I'm sure iptables is great and wonderful, but.. (Score:2)
Re:thanks (Score:1)
Re:Why it really rocks! (Score:2)
Bill - aka taniwha
--
For the really important question!!! (Score:1)
I have to have my priorities in order
Re:I'm sure iptables is great and wonderful, but.. (Score:1)
very friendly way of specifying firewall rules, regardless of what the underpinnings are (ipchains, iptables)
Cowards... (Score:1)
And .mp3s - real valuable since you are sharing them with Napster anyway, why not just open Windows file shares or Samba to the whole world? Shouldn't open source types who want information to be free lead by example?...
Re:Win2K? (Score:2)
Older (386, 486) hardware? (Score:2)
I remember when 2.2 series came out, many were saying to stay at 2.0.x for pre-pentium hardware because 2.2 would just not run adequately. Was this true in the first place, and does 2.4 'raise the bar' at all for hardware requirements?
I only ask because my linux firewall/masq box for my cable at home is running a 2.0.36 kernel on a 386 and there probably isn't any hope.
For a while I was using a P-150 running a 2.2.x kernel (RedHat 6.2 install, probably) and ipchains seemed to be much better than ipfwd.
At some point I decided I needed that box for another project, so I dusted off that crap old Compaq (a laptop, no less!) and pressed it into service as my masq box using a docking station (two ISA slots, WOOHOO!) and a couple of $7 SMC cards and slink. It works great as long as I don't try anything fancy.
But, the question is... what is a reasonable amount of hardware to expect to have to use for a 2.4-kernel firewall? I'd love to play with this. Think a 486-100 w 32Mb would be enough? It's not doing much, just sitting around for compiling kernels for the 386.
Re:A Question -- Can it allow Win2k VPN? (Score:3)
It can be done, but a 2.2 kernel needs to be patched to do it. I've not tried it, but the 2.4 kernel should allow you to "port-forward" the tcp connection and the GRE tunnel back to the Win2k system.
Just keep in mind that there's no connection tracking, so it has to be the same Windows system making the VPN each and every time, and one and only one VPN can be going at any one time.
I Can Hear It Now (Score:2)
I bet by the time I'm done typing and hitting submit there will be several posts saying something like this. Why can't everyone stand back and go "great job guys for implementing it on a new platform!" instead of "you lamers...we had this X years ago". If they had implemented this on MacOS(random OS picked off the top of my head) would the BSD guys say the same thing?
Re:MAC filters (Score:1)
Re:I'm sure iptables is great and wonderful, but.. (Score:4)
I, just like you, got really tired of editing scripts all day long, the end result is this GNOME program. First the program presents a wizard for quickly setting up a firewall, then you can monitor the firewall hits you get and close/open/stealth ports with just a few clicks. Easy of use was the goal with this program.
Re:Yep, big problem (Score:2)
in that's big-endian, like say from Solaris (the most popular Internet platform) the translation must occur before any filtering gets done. So a saavy hacker can mount an attack from any Solaris box and easilt Ddos any Linux box by doing a reverse htons() packet flood.
Nope. Just store the targets in network order and do a normal compare. All that matters is that the target list (hash or whatever) and the packet be in the same order.
Re:Oh yeah? Where's the journaling filesystem or S (Score:2)
Re:I Can Hear It Now (Score:3)
Yes, it's a good thing. Congratulations Linux folks, I'm sure you did a good job, having stateful firewalls are handy for everyone to have. I don't mean to say the typical "we've had this for X years"
My issue was, and still is, mainly with the slashdot title. Why it rocks. It doesn't generally rock, it just rocks compared to the implementation in Linux 2.2.
Now, if the article had been "Why it's a great improvement over 2.2" that would have been great, and I would have continued on my day. But the fact that the title makes it seem revolutionary, when it's actually quite evolutionary, made me step up to the plate.
What rocks? Stateful firewalling. Does the article discuss Linux's implementation in detail, explaining why it's better than other stateful filters? No. It discusses the old and proven technique of stateful firewalling, and therefore tries to further Linux based on that alone.
Re:Stateful firewalling. (Score:2)
You should also consider that your firewall should be just that, and nothing else. No X, no Apache, no extraneous servers that don't need to be running on that particular machine.
YMMV - but a firewall, even one that keeps state, is not an especially computationally intense undertaking.
Re:networking Linux vx networking *BSD (Score:2)
If you've got numbers, and the testing details that produced them, I'd like to see them.
Re:iptables/ipchains syntax (Score:2)
I don't think Linux 2.4.x has been out there long enough for anyone to be making absolute statements about which TCP stack is more robust or fast... but remember, the Linux 2.4 TCP/IP was specifically rewritten to be very fast and highly deserialized (i.e. SMP-capable) so even if [Open,Free]BSD TCP/IP was faster and better, it might not be now.
Especially on SMP hardware, which current BSD's don't support. And even though I'm not flaming you, I should mention that I have used both Linux and BSD for firewalls. Currently my firewall is OpenBSD, and I'm not in any rush to change it - not much need for speed on a DSL connection.
Torrey Hoffman (Azog)
FTP is really a bad example for statefull firewall (Score:2)
Also, "limit the number of SYN packets from a single source" doesn't really help in defending the DoS attack. The attacking machine doesn't use its real ip as the source ip nor does it use a single source ip.
I agree with other posters: iptable is playing catch up with ipfilter.
Why iptables (Linux 2.4 Firewalling) Sucks (Score:4)
I was eagerly waiting for Linux 2.4 from the day I heard somewhere it would support ipfilter. I run mostly BSD boxes, due to personal preference, while still keeping a few Linux systems up and running. All systems run perfectly well and cause me little grief, if any at all.
However, once again the Linux camp is "doing things their own way" and contributing even more to the separation between different Unix flavors (as well as making those sigs that go something like "Linux - the Unix defragmentation tool" even funnier). Don't get me wrong, iptables seems to have a few cool features that are not present in ipfilter, but just why was ipfilter not used instead ? It is present in a few platforms already (runs on all BSD's, as well as Solaris / SunOS and IRIX), it is tried and tested, and it does most of the stuff iptables does. And it can probably be extended to do everything iptables does as well, with some extra work. But the Linux folks, however talented and bright they undoubtedly are, and however good a kernel they have produced, have just taken a completely silly route this time. Not only have they duplicated effort towards the same (or at least, a very similar) end, they have also created another headache for busy sysadmins who maintain a few different systems. I had high hopes on ipfilter being "officially" supported under Linux (the ipfilter code mentions sketchy support for Linux, which I have admittedly not tested, but from the looks of it it has not been maintained for a long time --- the most recent kernel mentioned in the HISTORY file is 2.0.34, the last reference to Linux appears in 1998), but now I will be forced to get rid of the only Linux box I still maintain as a server (for various reasons, none of which related to the quality of the OS --- that little box has run great for ages, and causes me no grief at all) if I ever need firewalling for it. Yes, I could learn to work with iptables (and I probably will anyway, out of curiosity), but the Linux folks could probably learn to cooperate better with the rest of the world in certain aspects. It really is a shame, because I honestly think Linux is great --- the mindset of some of it's users (and by the looks of it, some developers as well) is however a different matter...
Re:How does this compare with FreeBSD? (Score:2)
i know it has rate-limiting to make DOS attacks not work as well...
I'm sorry, but once that barrage of packets is queued up at the remote end you have NO hope in averting it. rate-limiting only works if you are doing the rate-limiting on the remote end of the network.
On a slightly different note: I've considered going to BSD firewalls off and on over the years since learning about Linux and Unix in general but I haven't been able to find a really strong reason to. Ok it's more mature. Sure it's got a better stack. But honestly, unless you're running on super fast networks the Linux stack seems good enough and Linux seems mature enough. A reasonably-skilled admin can lock it down and anything short of a kernel exploit keeps it secure. For me, it just doesn't seem worth it to pick up an entirely new OS.
Yeah it smells like firelighters but I'm being honest. Anyone who's been on /. as long as I have should know that I'm no troll. Are there any really convincing reasons to move to BSD?
he meant shitty SMP support, not no SMP support (Score:2)
Bits per Byte (Score:2)
While it's true that it is usually 10 bits per byte on asynchronous links (1 start bit, 8 data bits, 1 stop bit, no parity), that's not true for things like leased lines. They use synchronous serial communication, so it is 8 bits per byte. IIRC, ISDN is also synchronous, but I don't know about some of the newer signaling schemes.
Just tryin' to keep the math straight.
2.4 Linux Kernal too big for LRP! (Score:3)
(LRP is the Linux Router Project at http://lrp.c0wz.com/ [c0wz.com] a kick ass firewall/router/NAT distro that needs a single floppy, 486 or better, 2 nics, and NO harddrive!)
Joshua Jackson, of the impressive www.coyotelinux.com [coyotelinux.com] LRP distro, [coyotelinux.com]
said "I wish I could move to the 2.4 kernels for Coyote, but not in the floppy version I am afraid. By the time you get all of the necessary options built into the kernel, it is roughly 350kB larger than the 2.2 kernel... in addition, the full iptables and iptroute2 package are quite a bit larger than their 2.2 equivs. The Embedded project is already running on the 2.4.0 final kernel, but it does not run from a floppy."
-Nathaniel
Bummer for the rest of us.
Re:Older (386, 486) hardware? (Score:2)
Thanks, I might just do that. It is a 4Mb machine with a 6Mb add-on card (25 Mhz, 500 Mb drive, of which over 1/2 is trashed - I installed a 50Mb root part on the internal drive then have a 200Mb IDE drive sitting in the docking station with the rest of the OS and swap on it - picked the thing up for $5 at a garage sale, not working).
Someone asked why I didn't run *BSD... cause I wasn't smart enough to figure out how to install it! Now, I'm not saying I'm too stupid to install BSD - I've actually got a OpenBSD 2.6 install on a PPro-200 that I play with. Problem was installing on this low-mem machine.
It died at the end creating the
I _really_ wanted to give BSD a try - I've obviously heard a lot about it. In the end I installed Debian and got it to work and put it in service and have since forgotten about it.
Now I've got this 486, I'll have to decide... oh - maybe I'll find something more productive to do with my free time like play WarcraftII again
Remasqing Packets (Score:3)
I am trying to find out if iptables does remasqing: Masquerading a packet with a destination back inside the masq'd LAN.
I know ipchains doesnt do this, and its been a considerable headache. Some of the things I cannot do are:
I know there is a kernel patch for 2.2 that will introduce this ability, but it breaks the ipchains code's security.
Looking at the way iptables works, I think this should be possible (Port forwarding would be done before routing, and masqing done post-routing), but it is not addressed specifically anywhere that ive seen.
Anybody know?
Disclaimer: Ive asked this question before on K5, but nobody seemed to have a ready answer. Maybe the broader audience
Then where are the SPECweb benchmarks for BSD? (Score:2)
Re:Oh yeah? Where's the journaling filesystem or S (Score:2)
Actually dual Celeron and P2/P3 Linux boxes are pretty common. While certainly not everyone has one, I do, and I probably know at least 6 or 7 other people who do as well.
Deciding what a 'typical' user is, now that is the problem.
FTP monitoring is BAD! (Score:5)
All that being said, I have a major problem with this article. It seems to suggest to users that FTP monitoring to handle active FTP clients is a good idea. In fact, this is a *terrible* idea. I got to watch Dug Song et al at BlackHat walk right through a CheckPoint FW1 system like it wasn't even there by exploiting some assumptions that FW1 made when monitoring FTP for the PORT commands. It sounds to me like the netfilter/iptables support for FTP functions in a very similar manner as FW1. If you must support FTP through your firewall, make your users use passive FTP. Every modern FTP client and every modern FTP server that I've seen all support passive FTP. Of course, a better approach is to encourage secure communications, like scp or SSL.
Bottom line, the best firewall design is the simplest one possible that gets the job done. Adding neato features like payload monitoring to poke extra holes in the firewall is diametrically opposite this philosophy.
Also, please remember that a firewall only serves as a method of blocking traffic between network segments. It does not magically secure network traffic from viewing, spoofing, manipulating, or hijacking (you need to use protocols that support strong authentication and strong cryptography to achieve this). It does not secure the applications or systems which you allow traffic to touch (you need to use secure OSes under secure configurations to accomplish this). It does not magically protect your systems against insider threats (you need to have good people working for you, restrictions on outside connectivity, and thorough physical security to accomplish this). Remember, crunchy on the outside and soft and gooey on the inside is great for candy, bad for networks.
Re:Why iptables (Linux 2.4 Firewalling) Sucks (Score:2)
Re:Why iptables (Linux 2.4 Firewalling) Sucks (Score:4)
Being compatable at the cost of better functionality isn't allways a good idea. Would iptable's "cool new features" have fit into the ipfilter framework? Is there some fundomental reason that iptable might be faster, or even just simpler to implment?
I don't even run Linux (three diffrent BSDs, no Linux), but I wouldn't want them to give up useful features just to stay compatable with me any more then I would want FreeBSD to adopt some else's FireWire framework if that framework could never do foo, or was boud to allways suck in some way.
In fact OpenBSD has a framework for Crypto cards. It works great for IPSEC, but poorly for other things (like cryptoFS, or userland crypto apps). If FreeBSD adopted it as is they would get half a dozen working crypto cards, bitchn' fast IPSEC. I think it would also be a giant mistake. I would rather end up with an incompatable framework that is better, then a compatable one that isn't so hot. It would be nice if the new one was very similar and could be "backported" to OpenBSD if they were so inclined...
Sometime the first implmentation isn't such a good idea, so the second should be diffrent. Or the third, or the sixtyith. That is why we run Unix-like OSes rather then TOPS-8086.
Re:MAC filters (Score:2)
Some cards even explicitly give you the option to change it (although they shouldn't).
The MAC address is part of the lowest and therefore hardware level of the ethernet.
Normally, a ethernet-adapter filters any packages which are not targeted for its MAC address(although even this behaviour can be altered).
Furthermore, any package send contains the MAC address of the sender. This all happens in hardware and is the ethernet-protocol.
The change of the MAC address in the OS should only affect the ARP request, which translate an IP-address into a MAC-address.
Re:system call overhead (o/t) (Score:2)
cool hack, too.
"If ignorance is bliss, may I never be happy.
Re:system call overhead (o/t) (Score:2)
'stat' may have more overhead than the 'open' call, depending on the implementation of your filesystem. So it's probably just fine to keep that 'open' call the way it is.
Re:Why iptables (Linux 2.4 Firewalling) Sucks (Score:3)
It might not neassesarely be a bad idea.
I will write a few analogies, but basicaly my response is
Competition is good
If you buy into that, you dont have to read on, if not, please do.
Why even have Linux in the first place, we have BSD. But wait, there is 3 BSD's, (there was 4), BSDi/FreeBSD, OpenBSD and netBSD??
But BSD is just a further devellopment of earlier *nix systems (i'm not too knowledgeable of the unix history). But Unix was built on Multics, so lets keep that, or better yet, some system before that.
Why do we have xx different OS's ??
One should be enough!
Why do we have xx different webservers ??
One should be enough!
Why do we have xx different GUI's ??
One should be enough!
Why do we have xx (2) different chipmakers ??
One should be enough!
Why do we have xx harddrive makers ??
Why do we have xx monitor makers ??
[high pitched voice getting estatic]
kabinets? keyboards? cola? beer? car?
clothes? tvchannels?
[voice cramming over]
political views ??
[breating normal]
Because, competition is good
It's good having choice, not everyone likes the same, or chooses the same over something else.
Naturaly we can work together, and we should, but that doesnt mean one implementation, one manefacturer,
So, be thankfull for being able to choose, and not having the goverment, or some company choose for you. While the first is becomming less and less apparent in the world, the second is becoming more and more widespread.
And the worst part is that people doesnt seem to care
ion++
Re:networking Linux vx networking *BSD (Score:2)
Re:Remasqing Packets (Score:2)
Not Invented Here (Score:2)
Darren Reed's IP Filter ("ipf") is very cross-platform and not exclusive to BSD. It works with several other *nixes as well.
What's really interesting is that linux used to have stateful firewall support, via ipf! That's right, IPF used to work with Linux. But somewhere along the way with all of the changes to the Linux kernel IPF stopped working and nobody bothered to do the maintainence.
Instead of doing the required work on the mature stateful firewall package that is ipf, the linux folks put up with stateless ipchains for the longest time before finally adding state to ipchains. Shame!
This isn't exclusive to Linux though. FreeBSD's IPFW was made stateful even though IPF has always worked under FreeBSD. Reason? IPFW supports ethernet bridging, while IPF doesn't. No doubt there are similar reasons for ipchains over ipf: filtering based on MAC addresses was mentioned (although the desired results have always been do-able with static ARP).
Instead of re-inventing the square wheel, why didn't these people enhance IPF with the desired functionality? Isn't that what open source is all about? Must NIH prevail???
Re:You sissy!!!! (Score:3)
Wood and metal scraps. Paper. What luxury! We had to scratch the O.S. into stone tablets with just our fingernails, using only zeros and ones. And we never had enough ones. Whenever we ran out of ones, we had to make do with just zeros.
And we'd have given anything to have a gerbil. We had to get a group of half-starved cockroaches running in the same direction on an old 45 RPM turntable, and that's not easy, let me tell you. And for blinking lights, we had to rent fireflies, we couldn't afford to actually buy them outright, you know.
You kids today, you don't know how lucky you have it.
John
Re:Way to catch up guys (Score:2)
Re:Good Point. (Score:2)
The MAC address is hardwired in, but it's the software layers that put the address in the packet or program the Ethernet MAC's registers with most cards. As I understand it, in many cases under Linux, you can change the effective MAC address for a card with ifconfig.
I believe this is the flag that does the magic:
hw class addressDoes that answer your question?
At any rate, I know it's possible to do this by hacking the driver in the kernel (at least for NE2K clones), as I've done this personally in a previous life...
--Joe--
Re:Older (386, 486) hardware? (Score:2)
One of the things I liked when I discovered Linux, was that instead of a 'shiny new things' focus, it was an effort of convergence. Things would just keep getting better, instead of the 'rip out the old one and plug in the new one' ethos of Microsoft's OS products.
So somebody please, do explain why kernel 2.4.0 shouldn't work better and faster in my 386DX-20 than 1.2.28 does....
Tell me it isn't like Microsoft.
Re:Why iptables (Linux 2.4 Firewalling) Sucks (Score:2)
What competition? Iptables has a monopoly on stateful filtering under Linux.
It's not about competition. It's about NIH. That's the only reason I can see why Linux went so long without a stateful firewall instead of doing the maintainence on IPF. Would you suggest that not having stateful firewall should "win the competition" over having a stateful firewall? Apparently it did for over two years, only because the terms of that competition made it counter-productive at best.
I wonder... How many firewalls were left configured to allow all UDP access as long as the sender claimed source port 53, because most mortals didn't know how to permit DNS responses in a stateless config without opening such a wide hole? (FreeBSD's default /etc/rc.firewall used to have just such a hole when ipfw was stateless, but at least ipf was available as an alternative (that's competition)).
Re:Older (386, 486) hardware? (Score:2)
...and the geek shall inherit the earth...
Re:I Can Hear It Now (Score:2)
You don't even realise that people are behind the monitors do you? We're all people you troll. No one is out to get you you paranoid megalomaniac troll.
Try to be an ambassador for whatever your choices may end up being.
Re:FTP monitoring is BAD! (Score:3)
Even worse, payload monitoring and encryption (SSL, IPSec) prevent each other from working. If you're using payload monitoring, encrypted packets will be un-monitorable and things like the "port" command will never be seen, thus preventing the connection from being allowed through the firewall. So in cases where payload monitoring is in place it discourages the deployment of crypto. Likewise, when crypto is deployed it discourages stateful filtering, but that seems to be a relatively good thing because proper encryption should be considered more important than filtering hacks IMHO.
Not all major players allow passive FTP (Score:2)
--
Re:Older (386, 486) hardware? (Score:2)
Yes, indeed. That was my question, not an assertion on my part. I think if you build a kernel with support for everything, needed or not, then you run the risk of maxing out a slower processor. Course, compile in just exactly what you need, should be the same right?
See Windows do that!
Re:FTP monitoring is BAD! (Score:2)
Re:Not Invented Here (Score:2)
The new implementation is not only more flexible and powerfull but much cleaner. I think before the firewall code was spread out in something like 11 different files?
I also like the new abstractions where you just break things down into simple catagories:
You can filter a packet (1)as it comes to the computer or (2)as it leaves. (3)You can filter a packet if it comes from outside and is destined to this computer. (4)You can filter a packet if it comes from outside the computer but is just passing through to another computer. (5)Or you can filter a packet if it was created on this computer.
Simple! Any packet can be fit into at least two of those five catagories.
In Linux 2.2 masquarading was a seperate hacked on peice of code. But in linux 2.4 you don't need it any more because you can just say, "If I'm masquarading a packet then it would come from outside and it would pass through my computer with out stopping so I can just filter those types of packets."
So in the end rewriting it from scratch not only adds cool features but makes it easier to write kernel code because you don't have to edit as many files and the code is cleaner. It provides a simple abstraction so life is easier for users. And kernel hackers can be lazier because because they don't need to code ip masquarading as a seperate feature. I think laziness is something we all can appreciate.
Re:Win2K? (Score:2)
The Windows kernel supports things like antialiased fonts and drop-shadows on mouse-pointers... iptables is nothing compared to such advanced technology.
You Unix people read too much, that's old-fashioned. Try clicking on something once in a while and you'll see that clicking on things is the future of computing.
That and sound effects.
"Oh twap!"
Re:Typical ignorant American (Score:2)
No it's not typical... but there are a lot of ignorant rednecks here in the U.S. Just like any other country. It's not like human nature makes sudden dramatic shifts when crossing artificial borders.
More than likely it's just some kid trying to get a rise out of you. The question is, why did it strike such a nerve with you? Why the hostility directed at U.S. citizens rather than ignorant and hateful human beings in general?
The U.S. governments do not place any blame on minorities, a public official who said any such thing would likely be canned within the week. Racists who do blame minorities for their problems are unfortunately common, but not generally in the majority (depending on where you live).
The U.S. is just like anywhere else, mostly normal people trying to get by, raise some kids and be happy... I think you're as guilty of prejudice and ignorance as the poster to whom you were responding.
"Oh twap!"
Re:Transparent Proxies aren't such a Good Thing (Score:2)
Though not so clever if they decide to do the same thing with HTTPS. Also there can be problems with stale data being cached.
Re:Transparent Proxies aren't such a Good Thing (Score:2)
Two different protocols, with different side effects. The obvious side effects with SMTP would be additional headers appearing in emails and a loss of the redundancy RFC 974 provides.
Re:Good Point. (Score:2)
What you are missing is that the ROM is actually separate from the ethernet chip. This is rather more obvious on an older card. The only connection between what is in the ROM and the ethernet hardware is the driver. Even if the ethernet chip generates the souce MAC address all it has to go on is what is in it's own registers.
Re:MAC filters (Score:2)
Well the obvious jumpers to pull would be those where you have no light on the hub/switch to indicate there is anything at the other end
Re:Remasqing Packets (Score:2)
Starcraft on the other hand uses a peer/servant networking paradigm. The reason for this is so: A hosts a game. B and C join the game. A dies. The game must continue so that B and C can continue to fight each other even if A's machine is powered off. In a pure client/server model- the game is over when A quits. In starcraft, ever computer is an equal, so B and C are both clients and servers= the game goes on.
Re:Not Invented Here (Score:2)
If you meant that ipf can be used as a transparent firewall on a bridging box, then yes, it can do that.
Re:Then where are the SPECweb benchmarks for BSD? (Score:2)
Re:Then where are the SPECweb benchmarks for BSD? (Score:2)
So we can't easily take [filesystem_here] out of the kernel and expect reasonable results. But, we can and do implement a webserver in userland.
Tell me- would you like apache to run as root, keep root, and have full access to your hardware? That's what you're doing with TUX.