Re: Netfilter

From: michael
Date: Sat, 22 Jun 2002 23:29:11 +1000

You asked this on the netfilter users list and got good replies... It
looks a little like trolling...

Anyway, here is another one:

No, netfilter is *just* a packet filter, although a little more clever
as far as state is concerned. It does not inspect the packets at any
layer further up than IP/socket.

Yes, there is a way you can tweak it, by doing your own module to
inspect packets for valid HTTP etc...

Look at the Linux Doc Project for HOWTOs like "Netfilter Hacking Howto".


Krish Ahya wrote:
> I'm wondering about Netfilter (aka. iptables) the standard stateful firewall
> that comes w/ Linux. Say if I have a dmz and allow people to come into a
> server on port 80, will netfilter inspect the packet on all 7 layers of the
> OSI model and make sure that it is actually a http packet and following the
> rules and protocol specifications of http? Sorta like checkpoints INSPECT
> module. If not, is there anyway I can "tweak" it to do that?
> Thanks.
> - Krish, CCNP
> --
> ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
> "I have not failed 10,000 times, I have successfully found 10,000 ways that
> won't work." -- Thomas A. Edison
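
Added example, not part of michael's reply or of the netfilter project
itself: the kind of layer-7 check a home-grown module would have to do,
since the stock filter only sees the IP and TCP headers and "port 80"
says nothing about whether the bytes are HTTP. It is plain userspace C
over a raw packet buffer; the nf_register_hook() glue that would feed
skb data into inspect_ipv4_tcp() is left out, and all function names,
the verdict enum and the sample packets are assumptions for this example.

```c
/* Added example, not from michael's reply or the netfilter project: the
 * HTTP sanity check a custom netfilter module would have to do itself,
 * because the stock filter stops at the IP/TCP headers.  Plain userspace C
 * over a raw packet buffer; the kernel hook registration that would hand
 * skb data to inspect_ipv4_tcp() is left out.  All names are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_HTTP_OK, V_NOT_HTTP, V_NEED_MORE, V_NOT_OURS };

static const char *const methods[] =
    { "GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", NULL };

/* Validate an HTTP/1.x request line: Method SP Request-URI SP HTTP/1.d CRLF.
 * A payload that is consistent with HTTP but cut short yields V_NEED_MORE
 * so the caller can wait for the next segment instead of dropping it. */
enum verdict check_http_request_line(const unsigned char *p, size_t len)
{
    size_t i = 0, start, n, k;
    int m, known = 0;

    while (i < len && p[i] >= 'A' && p[i] <= 'Z') i++;      /* method token */
    if (i == len) return V_NEED_MORE;
    if (i == 0 || p[i] != ' ') return V_NOT_HTTP;
    for (m = 0; methods[m]; m++)
        if (strlen(methods[m]) == i && memcmp(p, methods[m], i) == 0) known = 1;
    if (!known) return V_NOT_HTTP;
    start = ++i;                                             /* request-URI */
    while (i < len && p[i] > ' ' && p[i] < 0x7f) i++;
    if (i == len) return V_NEED_MORE;
    if (i == start || p[i] != ' ') return V_NOT_HTTP;
    i++;
    n = len - i;                                             /* HTTP/1.d CRLF */
    k = n < 7 ? n : 7;
    if (memcmp(p + i, "HTTP/1.", k) != 0) return V_NOT_HTTP;
    if (n >= 8 && p[i + 7] != '0' && p[i + 7] != '1') return V_NOT_HTTP;
    if (n >= 9 && p[i + 8] != '\r') return V_NOT_HTTP;
    if (n >= 10 && p[i + 9] != '\n') return V_NOT_HTTP;
    return n >= 10 ? V_HTTP_OK : V_NEED_MORE;
}

/* Walk an IPv4 packet to its TCP payload and hand that to the HTTP check.
 * Anything that is not TCP to `port` is V_NOT_OURS: the ordinary port and
 * state rules keep deciding those; this only adds a layer-7 opinion. */
enum verdict inspect_ipv4_tcp(const unsigned char *pkt, size_t len, uint16_t port)
{
    size_t ihl, doff, tot;

    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return V_NOT_OURS;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot < ihl + 20 || tot > len) return V_NOT_OURS;
    if ((uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]) != port) return V_NOT_OURS;
    doff = (size_t)(pkt[ihl + 12] >> 4) * 4;
    if (doff < 20 || ihl + doff > tot) return V_NOT_HTTP;   /* bogus TCP header */
    return check_http_request_line(pkt + ihl + doff, tot - ihl - doff);
}

/* Wrap `payload` in a minimal IPv4+TCP frame to `dport` and inspect it as a
 * hook watching port 80 would.  Constructed input: checksums stay zero, the
 * addresses are placeholders, and payload must be NUL-free text. */
enum verdict classify(const char *payload, uint16_t dport)
{
    static const unsigned char addrs[8] = { 192, 168, 1, 10, 10, 0, 0, 80 };
    unsigned char pkt[512];
    size_t plen = strlen(payload), tot = 40 + plen;

    if (tot > sizeof pkt) return V_NOT_OURS;
    memset(pkt, 0, tot);
    pkt[0] = 0x45;                                  /* IPv4, IHL = 5 words */
    pkt[2] = (unsigned char)(tot >> 8);
    pkt[3] = (unsigned char)tot;
    pkt[8] = 64;                                    /* TTL */
    pkt[9] = 6;                                     /* IPPROTO_TCP */
    memcpy(pkt + 12, addrs, 8);                     /* src 192.168.1.10, dst 10.0.0.80 */
    pkt[20] = 0xc3; pkt[21] = 0x50;                 /* source port 50000 */
    pkt[22] = (unsigned char)(dport >> 8);
    pkt[23] = (unsigned char)dport;
    pkt[32] = 0x50;                                 /* data offset = 5 words */
    pkt[33] = 0x18;                                 /* PSH|ACK */
    memcpy(pkt + 40, payload, plen);
    return inspect_ipv4_tcp(pkt, tot, 80);
}

int main(void)
{
    static const char *const names[] = { "HTTP ok", "not HTTP", "need more data", "not ours" };
    printf("valid GET        -> %s\n", names[classify("GET / HTTP/1.1\r\nHost: dmz\r\n\r\n", 80)]);
    printf("SSH banner on 80 -> %s\n", names[classify("SSH-2.0-OpenSSH_3.4\r\n", 80)]);
    printf("partial request  -> %s\n", names[classify("GET /ind", 80)]);
    printf("same bytes to 22 -> %s\n", names[classify("GET / HTTP/1.1\r\n", 22)]);
    return 0;
}
```

The point of the V_NEED_MORE verdict is the part people get wrong when
they bolt this onto a packet filter: the request line can straddle TCP
segments, and an empty SYN or pure ACK carries no payload at all, so a
check that returns "not HTTP" for anything short would drop legitimate
connections. A real module would have to buffer per connection (or lean
on conntrack) before it can say anything definite.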