Re: Netfilter

From: michael <mutk@spamcop.net>
Date: Sat, 22 Jun 2002 23:29:11 +1000

You asked this on the netfilter users list and got good replies... It
looks a little like trolling...

Anyway, here is another one:

No, netfilter is *just* a packet filter, although a little more clever
as far as state is concerned. It does not inspect the packets at any
layer further up than IP/socket.

Yes there is a way you can tweak it, by doing your own module to
inspect packets for valid http etc...

Look at the Linux Doc Project for Howto's like "Netfilter Hacking Howto".

Cheers,
Michael

Krish Ahya wrote:
> I'm wondering about Netfilter (aka. iptables) the standard stateful firewall
> that comes w/ Linux. Say if I have a dmz and allow people to come into a
> server on port 80, will netfilter inspect the packet on all 7 layers of the
> OSI model and make sure that it is actually a http packet and following the
> rules and protocol specifications of http? Sorta like Checkpoint's INSPECT
> module. If not, is there any way I can "tweak" it to do that?
>
> Thanks.
>
> - Krish, CCNP
>
> --
> ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
> "I have not failed 10,000 times, I have successfully found 10,000 ways that
> won't work." -- Thomas A. Edison
>
>
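As an added illustration of Michael's point (example code written for this page, not from the thread, from netfilter, or from iptables): a toy Python model of what a stateful layer-3/4 filter actually decides on. It is fed a constructed TCP handshake, a constructed HTTP request and an equally constructed non-HTTP payload, all to port 80 on a DMZ web server. The filter accepts both payloads identically, because it only sees addresses, protocol, ports, TCP flags and its own connection table; it never reads the payload. Telling the two apart needs the application-layer check at the end, which is the kind of logic a custom match module or an HTTP proxy would have to supply. All addresses (TEST-NET ranges), ports and payloads are constructed for the demo, and checksums are left at zero.

```python
import re
import socket
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
IPPROTO_TCP = 6


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Build a constructed IPv4+TCP packet (checksums zero; demo input, not a capture)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_headers(packet):
    """Decode the fields a layer-3/4 filter looks at: addresses, protocol, ports, TCP flags."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto}
    if proto == IPPROTO_TCP:
        sport, dport, _, _, off_res, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
        doff = (off_res >> 4) * 4
        fields.update(sport=sport, dport=dport, flags=flags, payload=packet[ihl + doff:])
    return fields


class StatefulPacketFilter:
    """Toy model of a stateful packet filter: an allow-list of TCP ports plus a
    conntrack-style flow table. Note that decide() never touches the payload."""

    def __init__(self, allowed_tcp_ports):
        self.allowed = set(allowed_tcp_ports)
        self.conntrack = set()  # flows that were opened by an accepted SYN

    def decide(self, packet):
        h = parse_headers(packet)
        if h["proto"] != IPPROTO_TCP:
            return "DROP"
        flow = (h["src"], h["sport"], h["dst"], h["dport"])
        if flow in self.conntrack:
            return "ACCEPT/ESTABLISHED"          # state match, payload irrelevant
        if h["dport"] in self.allowed and h["flags"] == TCP_SYN:
            self.conntrack.add(flow)
            return "ACCEPT/NEW"                  # new connection to an allowed port
        return "DROP"                            # closed port, or mid-stream packet with no state


# Minimal application-layer check: a request line shaped like "METHOD target HTTP/1.x\r\n".
# This is the kind of test a custom module or an HTTP proxy adds; the packet filter has none.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE) [^ \r\n]+ HTTP/1\.[01]\r\n")


def looks_like_http_request(payload):
    return REQUEST_LINE.match(payload) is not None


def demo():
    """Run the constructed traffic through both layers and return the verdicts."""
    fw = StatefulPacketFilter(allowed_tcp_ports={80})
    client, server = "198.51.100.10", "192.0.2.80"   # constructed TEST-NET addresses
    syn = build_ipv4_tcp(client, server, 40001, 80, TCP_SYN)
    good = build_ipv4_tcp(client, server, 40001, 80, TCP_ACK,
                          b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    bogus = build_ipv4_tcp(client, server, 40001, 80, TCP_ACK,
                           b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26")   # not HTTP at all
    stray = build_ipv4_tcp(client, server, 40003, 80, TCP_ACK,
                           b"GET / HTTP/1.1\r\n\r\n")                 # no SYN seen for this flow
    ssh = build_ipv4_tcp(client, server, 40002, 22, TCP_SYN)
    return {
        "syn": fw.decide(syn),
        "good": fw.decide(good),
        "bogus": fw.decide(bogus),
        "stray": fw.decide(stray),
        "ssh": fw.decide(ssh),
        "good_is_http": looks_like_http_request(parse_headers(good)["payload"]),
        "bogus_is_http": looks_like_http_request(parse_headers(bogus)["payload"]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The "stray" case shows what the state tracking does buy you: a mid-stream packet for a flow the filter never saw open is dropped even though its payload is perfectly good HTTP. The "bogus" case shows what it does not: once a flow is in the table, anything on it is passed through unread.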
