Firewall / active filter question

Jeremy Fowler jfowler at westrope.com
Fri Dec 13 18:53:32 CST 2002


...and for the nth time: yes, iptables is stateful when using the state module.
There are several options that you can use: NEW, ESTABLISHED, RELATED and
INVALID. The first three are self-explanatory; INVALID is interesting. It's used
when:

"A packet which could not be identified for some reason: this includes running
out of memory and ICMP errors which don't correspond to any known connection.
Generally these packets should be dropped."

example:

# Drop all INVALID packets
iptables -A INPUT -m state --state INVALID -j DROP
# Accept all ESTABLISHED and RELATED packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Remember you have to write the state rules or it won't work. Also make sure you
write state rules for your INPUT, OUTPUT, and FORWARD chains. It's a good idea
to block all NEW state packets except for those ports that you use.

> -----Original Message-----
> From: owner-kclug at marauder.illiana.net
> [mailto:owner-kclug at marauder.illiana.net]On Behalf Of Jared Smith
> Sent: Friday, December 13, 2002 11:04 AM
> To: kclug at kclug.org
> Subject: Firewall / active filter question
>
>
> I don't know much about firewalls, so forgive me
> if I'm suggesting something that already exists or
> is not technically possible.
>
> As I understand firewalls, they block all ports
> except those specifically opened, and they forward
> IPs to internal addresses, therefore masking
> what's happening on the inside of the network.
>
> This is passive. What I lay awake last night
> thinking was, what about filtering in an active
> manner? With an active filter, the only packets
> acceptable are those which have been specifically
> requested. You'd have a buffer which kept track of
> all outgoing requests, and waited for a few minutes
> to receive them. Everything else would be rejected.
>
> Seems like this would make it impossible for people
> to hack in, unless they were actively monitoring
> outgoing packets. While this wouldn't work for a
> server (which needs to accept arbitrary hits), it
> would work for a surfer.
>
> Does this already exist?
>
> -Jared
>
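A complete ruleset in the shape Jeremy describes, added here as an example (it is not code from the original thread). It puts a DROP policy on all three chains, writes the INVALID and ESTABLISHED,RELATED rules on each of INPUT, OUTPUT and FORWARD, lets the host open any connection outbound, and accepts inbound NEW only on an explicit port list, which is exactly the "only packets that were requested" behaviour Jared asks about, done by the kernel's connection tracking rather than a user-space buffer. Assumptions not taken from the post: an iptables with the state match available, a host with nothing to forward, and a constructed port list (SSH only). It is a dry run by default and prints the commands; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Minimal stateful ruleset for a client-only ("surfer") host.
#
# Assumptions (not from the original post): iptables with the "state" match,
# a host that needs no FORWARD rules, and a constructed inbound port list.
# Dry run by default (prints the rules). Apply for real with:
#   IPT=iptables sh firewall.sh

# Inbound NEW TCP is allowed only on these ports (constructed example: SSH).
ALLOW_TCP_IN="${ALLOW_TCP_IN:-22}"

stateful_ruleset() {
    ipt="$1"   # "iptables" to apply, "echo" to preview

    # Start clean, then default-deny every chain so a missing rule fails closed.
    $ipt -F
    $ipt -X
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT DROP

    # Loopback is trusted.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT

    # State rules go on INPUT, OUTPUT and FORWARD. With DROP policies, a chain
    # without them passes nothing, not even replies to our own connections.
    for chain in INPUT OUTPUT FORWARD; do
        $ipt -A "$chain" -m state --state INVALID -j DROP
        $ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # This host may originate any connection it likes (the "surfer" case).
    $ipt -A OUTPUT -m state --state NEW -j ACCEPT

    # Inbound: NEW connections only on the listed TCP ports, and only SYNs.
    for port in $ALLOW_TCP_IN; do
        $ipt -A INPUT -p tcp --syn --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Anything else that is NEW inbound falls through to the DROP policy;
    # log a rate-limited sample first so unexpected probes are visible.
    $ipt -A INPUT -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "NEW-DROP: "
}

# How many chains carry the INVALID drop in a preview run (should be all three).
invalid_drop_chains() {
    stateful_ruleset echo | grep -c -- '-m state --state INVALID -j DROP'
}

stateful_ruleset "${IPT:-echo}"
```

Note that the OUTPUT chain also gets a DROP policy here; the NEW rule on OUTPUT is what lets the host start connections, and the ESTABLISHED,RELATED rule on INPUT is what lets the replies back in. Drop either one and browsing stops working, which is the point Jeremy makes about writing the state rules on every chain.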