Re: Netfilter

From: Ian Jones (roux@attbi.com)
Date: 06/22/02


From: Ian Jones <roux@attbi.com>
Date: Sat, 22 Jun 2002 03:21:57 GMT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Krish Ahya" <Krish@houston.rr.com> writes:

> I'm wondering about Netfilter (aka. iptables) the standard stateful firewall
> that comes w/ Linux. Say if I have a dmz and allow people to come into a
> server on port 80, will netfilter inspect the packet on all 7 layers of the
> OSI model and make sure that it is actually a http packet and following the
> rules and protocol specifications of http? Sorta like Checkpoint's INSPECT
> module. If not, is there any way I can "tweak" it to do that?

Welcome to the group and congrats on putting together such a
STUPID-ASSED question. I am not familiar with *any* single collection
of code which will involve itself with all seven layers of the
_theoretical_ OS-freakin-I model.

Come on, Krish - this is now a FAQ (and I guess it needs to be a part
of our FAQ now). Kernel packet filtering doesn't give a whit about the
application. You do not want your kernel bogged down doing application
level filtering.

-----BEGIN PGP SIGNATURE-----
Comment: Keeping the world safe for geeks.

iD8DBQE9E+newBVKl/Nci0oRAkf6AJwKUGXabn3phEggN+lAkcIhijqVewCgzc8i
LYvVM9DIr42nfowFfBZubXo=
=IrEF
-----END PGP SIGNATURE-----
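To make the distinction in the reply concrete, here is an added illustration (not code from the original thread, and not netfilter source): a toy model of a stateful layer 3/4 filter in the spirit of an iptables ruleset that opens port 80 to a DMZ host, beside the kind of request-line check that only a user-space component such as a reverse proxy would perform. The kernel-side model decides purely on addresses, ports and connection state and never reads the payload, so an SSH banner sent to port 80 passes the packet filter and is only caught by the application-layer check. Host addresses and port numbers are assumed values from the documentation ranges.

```python
import re
from dataclasses import dataclass

# Constructed model of the point made in the reply above: a kernel packet
# filter decides on layer 3/4 headers plus connection state; checking that
# the bytes are really HTTP is a separate, user-space job. Illustrative
# Python only, not netfilter code. Addresses below are assumed.

DMZ_WEB_SERVER = "192.0.2.10"   # assumed DMZ host (documentation range)


@dataclass(frozen=True)
class Packet:
    """The fields a layer 3/4 filter actually looks at, plus the payload
    it does not look at."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    payload: bytes = b""


class StatefulFilter:
    """Toy equivalent of an iptables ruleset such as:

        iptables -P FORWARD DROP
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -d 192.0.2.10 -p tcp --dport 80 \
                 -m state --state NEW -j ACCEPT

    The conntrack table is a set of 5-tuples. Nothing here reads payload."""

    def __init__(self, dmz_host, allowed_tcp_ports):
        self.dmz_host = dmz_host
        self.allowed_tcp_ports = set(allowed_tcp_ports)
        self.conntrack = set()

    def _tuple(self, pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def state_of(self, pkt):
        fwd = self._tuple(pkt)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conntrack or rev in self.conntrack:
            return "ESTABLISHED"
        # A TCP packet with no tracked connection is NEW only if it is a SYN.
        return "NEW" if (pkt.proto == "tcp" and pkt.syn) else "INVALID"

    def verdict(self, pkt):
        state = self.state_of(pkt)
        if state == "ESTABLISHED":
            return "ACCEPT"
        if (state == "NEW" and pkt.dst == self.dmz_host
                and pkt.dport in self.allowed_tcp_ports):
            self.conntrack.add(self._tuple(pkt))   # start tracking the flow
            return "ACCEPT"
        return "DROP"   # chain policy DROP


# What a user-space reverse proxy (not the kernel) would check: does the
# start of the stream look like an HTTP/1.x request line?
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def looks_like_http_request(payload):
    return REQUEST_LINE.match(payload) is not None


def run_scenario():
    """Two clients (constructed) connect to the DMZ web server on port 80:
    one speaks HTTP, the other sends an SSH banner. Returns the packet-filter
    verdicts and the application-layer check result for each flow."""
    fw = StatefulFilter(DMZ_WEB_SERVER, allowed_tcp_ports=[80])
    flows = [
        ("http-client", 40001, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
        ("ssh-on-80", 40002, b"SSH-2.0-OpenSSH_3.4\r\n"),
    ]
    results = {}
    for name, sport, data in flows:
        syn = Packet("tcp", "198.51.100.7", sport, DMZ_WEB_SERVER, 80, syn=True)
        body = Packet("tcp", "198.51.100.7", sport, DMZ_WEB_SERVER, 80, payload=data)
        results[name] = {
            "syn": fw.verdict(syn),
            "data": fw.verdict(body),
            "is_http": looks_like_http_request(body.payload),
        }
    # A SYN to a port the ruleset never opened is dropped before any payload exists.
    ssh_syn = Packet("tcp", "198.51.100.7", 40003, DMZ_WEB_SERVER, 22, syn=True)
    results["port-22"] = {"syn": fw.verdict(ssh_syn)}
    return results


if __name__ == "__main__":
    for flow, r in run_scenario().items():
        print(flow, r)
```

Running it shows both port-80 flows accepted by the filter while only the first passes the request-line check; that second check is exactly the work the reply says belongs outside the kernel, in a proxy or the application itself.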