Why iptables (Linux 2.4 Firewalling) Rocks

Jay writes: "There's a story on Linux 2.4's new Stateful firewalling. Rusty and friends have vastly improved Linux capabilities, allowing it to filter against many stealth scans and DoS attacks. Their code rewrite brings powerful "stateful" firewalling that was originally impossible under Linux. The muchly improved packet mangling allows not only better transparent proxies, but load-sharing clusters and stuff. Actually, the coolest thing about the new architecture is that it's designed so anybody can add filtering methods, for stuff like rate limiting and MAC address-based filtering."

MAC filters

[bluelip]

This is the greatest benefit to me. We have tons of open RJ45 jacks around that anyone can plug into and siphon off data from the inside of our filrewall. Now we can track down to the mac address, this should make it much simpler to place a stronger secondary wall around the more sensitive servers.

On a side note, is there any downfall to this?

Re:MAC filters

[crow]

This just requires that the person inside your building be a little smarter. MAC addresses can be changed, so all that is required is to wait until a trusted box goes offline, and then just borrow its MAC address.

Of course, this eliminates a good portion of those who would try to hack in. Just don't rely on it to be fool-proof.

I was always tempted to use a laptop running Linux to spoof one of the main campus Unix systems at Dartmouth when it went down for backups, but never did. (I think they had some public systems on the same subnet as the machine room.)

Re:MAC filters

[Cato]

The real solution to open ethernet ports is to use authenticated VLANs - require the workstation user to authenticate before being put into a suitable VLAN, and just ignore the MAC address.

Re:MAC filters

[blixel]

We have tons of open RJ45 jacks around that anyone can plug into...

Why not go to the wiring closet and remove the jumper cable between the patch panel to your switch/hub on those ununsed ports?

Re:MAC filters

[bluelip]

Prior "wire techs" labelled nothing. It would be a month long job to figure out. We do clean it up as we upgrade though.

Re:MAC filters

[Incongruity]

Here's a rare slashdot post...(and a rare post for myself) I actually admit my ignorance here...

How can MAC addresses be changed? I've heard of this before, but I've never heard how and I suppose I am one of these people that just needs to understand things... so if anyone could fill me/us in that'd be informative!

-inco

Re:MAC filters

[Kazymyr]

Actually, the hardware MAC address, as it exists on the card, never changes - what changes is the way the OS (Linux in this case) reports it to the outside. For details "man ifconfig", option "hw". Most drivers I know support it, and it's trivial to do.

Re:MAC filters

[bolind]

AFAIK it is possible to change a cards MAC address (this is used in redundancy servers, where, if a server goes down, a backup server takes over with the same MAC address.) but doesn't this also flip a "my-MAC-is-changed" bit somewhere?

Think I read about something like that...?

Bo

Re:MAC filters

[Yokaze]

The MAC address can be set by software. Any hardware solution is more expensive.
Some cards even explicitly give you the option to change it (although they shouldn't).

The MAC address is part of the lowest and therefore hardware level of the ethernet.

Normally, a ethernet-adapter filters any packages which are not targeted for its MAC address(although even this behaviour can be altered).
Furthermore, any package send contains the MAC address of the sender. This all happens in hardware and is the ethernet-protocol.

The change of the MAC address in the OS should only affect the ARP request, which translate an IP-address into a MAC-address.

Re:MAC filters

[Yokaze]

The downfall of this is that you think that you have a secure system.

This sounds like you not only have tons of open jacks, but even don't have a decently configured switch, which filters packets based on MAC and RJ45-port.

One can plug into your net,...
... switch the card into promiscous mode, and sniff all data (sniffing),
... arp two clients and pretend to be the other one (spoofing),
and perpetrate almost any other malicous deed out of the textbook of hacking?

Re:MAC filters

[DeanT]

Prior "wire techs" labelled nothing. It would be a month long job to figure out. We do clean it up as we upgrade though

In our building we just yank all the patch cables out of the patch panel which don't have a sync light. (I.e. no computer connected) Then go back and plug the complainers back in... ;)

Re:MAC filters

[macdaddy]

You should probably turn off each unused port. This could easily be done remotely if the device it managable (who would want to buy one that isn't nowadays?). Either use the command line, snmpset OperStatus on that port to off, or pick up a GUI tool that does it for you. Good luck!

PS==> You could always put signs above the ports that are not supposed to be used that says something like "DO NOT under ANY circumstances use this port!". Then you just hook up good ole 110v to the other end and wait for the fireworks! :-)

--

Re:MAC filters

[flynn_nrg]

You don't need to, just set local macaddress variable in the OBP and you are done, this is how most large jumpstart installs work, and also how Sun Screen HA Clustered firewalls are set.

Re:MAC filters

[mpe]

Prior "wire techs" labelled nothing. It would be a month long job to figure out. We do clean it up as we upgrade though.

Well the obvious jumpers to pull would be those where you have no light on the hub/switch to indicate there is anything at the other end :)

Re:MAC filters

[shogun]

And then field all the 'my network isn't working' call from people whose machines happened to be off at that the time you pulled the 'unused' connections.

If this is so great...

[maroberts]

..why do the authors not want to put this on their mainstream systems to keep all the nasty script kiddies out ?

Sounds like they're choosing to keep a firewall full of holes just because its stable(r). However if someone breaks in, what price stability ?

Re:If this is so great...

[yamla]

And what price security if your firewall doesn't stay up long enough to provide it?

As always, a series of tradeoffs.

Transparent Proxies aren't such a Good Thing

[mnot]

Inserting a proxy when the client doesn't have knowledge isn't something to be proud of; it breaks browsers, violates the end-to-end principle at the IP layer, and brings some serious privacy/data integrity problems to light.

Re:Transparent Proxies aren't such a Good Thing

[jmcneill]

Transparent proxying with HTTP can be quite useful as well. Think of this: you are an ISP, your only uplink is a satellite connection with high latency. Using a transparent proxy to cache web pages will help a LOT in a situation like this.

Re:Transparent Proxies aren't such a Good Thing

[blooher]

> violates the end-to-end principle at the IP layer,

I think you mean at the TCP layer. IP is not end-to-end.

Re:Transparent Proxies aren't such a Good Thing

[mpe]

Think of this: you are an ISP, your only uplink is a satellite connection with high latency. Using a transparent proxy to cache web pages will help a LOT in a situation like this.

Though not so clever if they decide to do the same thing with HTTPS. Also there can be problems with stale data being cached.

Re:Transparent Proxies aren't such a Good Thing

[mpe]

people use transparent proxies on other protocols (smtp, nntp) without any problems/side effects.

Two different protocols, with different side effects. The obvious side effects with SMTP would be additional headers appearing in emails and a loss of the redundancy RFC 974 provides.

Re:Transparent Proxies aren't such a Good Thing

[LarsG]

Also there can be problems with stale data being cached.

Then the proxy or the webserver is broken.

HTTP allows the webserver to say "don't cache this", and webproxies that don't honour that are seriously broken.

Re:Way to catch up guys

[BdosError]

At the least, one would hope that they would have acknowledged the other open source solution that provides this: BSD (Open BSD for sure, I'm not positive about others).
"Building Linux and OpenBSD Firewalls" by Wes Sonnenreich, Tom Yates is a good resource that explains all this.

BdosError

iptables-save

[ahknight]

...all of which is useless to me until iptables-save can do it IN ORDER. Geez...
--

Re:iptables-save

[Chang]

I agree this is currently a pain in the ass but it's not like you spent a ton on money on iptables and iptables-save will be working sooner or later.

Why not just say thanks?

(I'm currently using iptables for a low end firewall and am looking forward to replacing some checkpoint fw-1 as soon as the user space stuff is a little more mature)

Re:iptables-save

[Styx]

Have you considered either:
writing your own iptables-save (I did it for ipfw, how hard can it be?)
or just loading your iptables configuration from a simple shell-script, change the script and reload the rules when you want to change them.

Stateful firewalling.

[fantom_winter]

This sounds like a very interesting idea, but it also makes me wonder about the computational resources a system like this would require, as well as the complexity of the grammar that represents it.

As it stands now (or previously... in ipchains), rules were defined in a way that could be reduced to a regular expression, which as everyone knows are fast and don't require a stack to interpret.

However, as soon as you introduce "state" into a grammar, you require of yourself a stack, which means that additional memory is going to be needed to store these values to aid in parsing the grammar.

This doesn't sound too bad, even though it may slow the process of packet interpretation, but it seems like there still would be a signifigant performance hit on busy servers.

Also, since these rules have state, I wonder if there will be ways send packets that will cause something similar to a stack overflow (infinite recursion) by sending it a quasi-infite series of packets.

(Imaging sending a C++ compiler the following ..

[I can't send what I want, a string of open parens, so this will have to suffice. /. lameness filter]

String= (*

Eventually there will be a stack overflow from all the parens.

Re:Stateful firewalling.

How important the computational time is will depend upon how fast it has to be. If you're firewalling a 1Mbps Internet link, there are many nanoseconds between packets. With 1KB per packet, there are only 100 packets per second at most (1Mbps/1Kbps/10bits-per-byte). Not much computer time is needed for this type of processing.

(anonymous to avoid giving info about my network)

Re:Stateful firewalling.

[tortap-0]

I found the article very informative and they mentioned this. Sure enough a stateful firewall will eat up memory but you have a stateless firewall in front to get rid of most of the flak, thus making the stateful firewalls job easier but maintaining flexibility. And it should be better at preventing dos attacks.
Anyway the same goes for other stateful firewalls so if a linux box doesn't cut it for a large company they still have their expensive proprietary solutions, but for a nice home firewall this rox.

Re:Stateful firewalling.

[garett_spencley]

on gcc 2.95.2 exactly 9988 '(' are allowed in a statement.Any more will produce a stack overflow.

Okay I have way too much time on my hand.

--
Garett

Re:Stateful firewalling.

[Pinball+Wizard]

I've been using stateful firewalling(with an OpenBSD box) for quite some time now. A PII for this system is overkill for a firewall absorbing ~100000 hits daily with ~100 hosts behind it.

You should also consider that your firewall should be just that, and nothing else. No X, no Apache, no extraneous servers that don't need to be running on that particular machine.

YMMV - but a firewall, even one that keeps state, is not an especially computationally intense undertaking.

Re:Stateful firewalling.

It doesn't a huge amount of CPU (relative to what availble in most systems) to do stateful packet inspection. A lot of commericial firewalls do it with a 233mhz StrongARM cpu. That amount of CPU is enough to support lots of users behind it (in my experience) And thats not to mention that the same box is doing http content filtering also :)

iptables/ipchains syntax

[FiDooDa]

Someone will have to explain to me why they keep up with the cryptic syntax. That's one of the reasons why i switched to ipf (OpenBSD) some time ago.

Now both (iptables, ipf) have states. Can someone infom me about the advantage of iptables over ipf?

---------------------------
"What is the most effective Windows NT remote management tool?

Re:iptables/ipchains syntax

[greebly]

I think I can sum up the one and only advantage (if you can call it that) that iptables has over ipf (aka ipfilter) in one short sentence...

You can run iptables in Linux.

Linux has its uses, don't get me wrong, but I'll take an OpenBSD firewall over any Linux firewall, regardless of which distro, or firewalling software it runs. The TCP stack in the BSDs is much more robust than the Linux stack, and its just plain faster.

Don't belive me? That's fine, but don't go flaming me unless you have actually used both Linux and *BSD firewalls extensively.


9 little greeblys sitting on a plate...

Re:iptables/ipchains syntax

[drift+factor]

I think I can sum up the one and only advantage (if you can call it that) that iptables has over ipf (aka ipfilter) in one short sentence...

You can run iptables in Linux.

Actually, non-glibc Linux 2.0.x kernels can use ipfilter as a kernel module.

Linux has its uses, don't get me wrong, but I'll take an OpenBSD firewall over any Linux firewall, regardless of which distro, or firewalling software it runs.

I completely agree, ipfilter has done stateful firewalling for a long time now, where Linux has just added it. I'll take the more tested codebase any day, it's only logical.

Re:iptables/ipchains syntax

[Azog]

What you said may very well be true for OpenBSD vs. Linux 2.2.x.

I don't think Linux 2.4.x has been out there long enough for anyone to be making absolute statements about which TCP stack is more robust or fast... but remember, the Linux 2.4 TCP/IP was specifically rewritten to be very fast and highly deserialized (i.e. SMP-capable) so even if [Open,Free]BSD TCP/IP was faster and better, it might not be now.

Especially on SMP hardware, which current BSD's don't support. And even though I'm not flaming you, I should mention that I have used both Linux and BSD for firewalls. Currently my firewall is OpenBSD, and I'm not in any rush to change it - not much need for speed on a DSL connection.


Torrey Hoffman (Azog)

Re:iptables/ipchains syntax

[AtrN]

No SMP support. Huh?

# dmesg
...
FreeBSD/SMP: Multiprocessor motherboard
cpu0 (BSP): apic id: 1, version: 0x00040011, at 0xfee00000
cpu1 (AP): apic id: 0, version: 0x00040011, at 0xfee00000

Re:iptables/ipchains syntax

[deKernel]

"cumbersome BSD licensing ponzi scheme.." ????

Exactly what orifice is your head in? I am just curious? Last time I checked, the BSD license is much less restrictive.

Re:iptables/ipchains syntax

[MarNuke]

I think I can sum up the one and only advantage (if you can call it that) that iptables has over ipf (aka ipfilter) in one short sentence...

You can run iptables in Linux.

wow. I guess I should toss my BSD setup and go with iptables. Hmm. Of course with iptables I spend more time trying to figure out the damn flags then writing the rules. Here look at this:

Most people just have a single PPP connection to the Internet, and don't want anyone coming back into their network, or the firewall:

The ipfilter way:

block in quick on tun0 all head 1
block out quick on tun0 all head 11
pass on tun0 from any to any keep state group 1

And with iptables it's...

insmod ip_conntrack
insmod ip_conntrack_ftp
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP
iptables -A INPUT -j block
iptables -A FORWARD -j block

Which one is easiest to read?

Please correct me if I'm wrong...

Re:iptables/ipchains syntax

[slamb]

I'd say the iptables way is easier to understand, for a couple reasons:

• ipfilter has a "quick" flag to block and pass. If it is set, packets immediately do that action. If it is not, it sets a flag...the next rule down could reverse it. iptables is more simple; effectively the same as ipfilter with everything quick. In my opinion, simplicity is very important for a firewall, since you really don't want your firewall admin to be confused about what's really happening. (I do realize that an ipf admin could use the quick keyword on everything if (s)he wanted to. I still think it should always be this way, since it's easy to miss.)
• The ipfilter "keep state" bypasses all normal firewall rules; there's an implicit allow to everything with state associated with it. iptables requires you to specify the rule accepting things with state information. This is much more clear, at least to me. Again...you don't want confused firewall admins. I like seeing everything that happens. Hidden rules scare me.

You posted this setup:

block in quick on tun0 all head 1
block out quick on tun0 all head 11
pass on tun0 from any to any keep state group 1

From my memory (I have set up ipf on an OpenBSD machine, but it's been a while) and the ipf(5) manpage, that does this:

• packets with state information pass through
• new packets coming IN to the machine from ipf set up new state information, but the lead packet is rejected
• all new packets going OUT of the machine are rejected

I think what you meant to say was this...

pass out quick on tun0 all keep state
block in quick on tun0 all

Which looks very, very simple. But remember...it has a hidden rule. I don't like that.

The iptables setup is very clear, at least to me. You accept packets that are part of or related to established connections. (The ip_conntrack_ftp line and the RELATED keyword are options that do not exist in ipf, so they don't complicate it. To do a true comparison of the same firewall, you should take them out.) You also accept new packets that don't come from the ppp interface. I imagine this is more in line with what you wanted.

The one that is easiest to read is not necessarily the one with the fewest number of lines. ipfilter has a more complex grammar but AFAIK doesn't support any more capabilities.

Re:iptables/ipchains syntax

[Tuzanor]

how wrong YOU are. freeBSD has SMP, although it is primitive compared to linux.

Re:iptables/ipchains syntax

[MarNuke]

all the damn -P -l -s -d -p shit!

Of course, to a perl guy it easy to read, but for someone that can't stand to look at perl it's bitch

Win2K?

[Fervent]

I know that several hundred people hate me for asking this stuff, but I've got to ask anyway: can this be done in Win2K? Would it require a download, like IPv6 on Microsoft's web site, or is it just not possible.

It'd be cool to filter out junk on my Apache/Win2K box. :)

-
-Be a man. Insult me without using an AC.

Re:Win2K?

[silvershadow]

I don't know that you could filter the stuff, but you could at least log it using Snort Win-32.

Re:Win2K?

[Fervent]

Har-de-har-har. Someone mod this bitch up. He wins the prize.

-
-Be a man. Insult me without using an AC.

Re:Win2K?

[andyf]

Win2K itself doesn't have such fancy features. But you can pick up something like Checkpoint Firewall-1 that provides a very nice firewall for NT or 2000. The ISP I work for when I'm not at college uses it, and works surprisingly well. In fact, it uses a GUI (which helps for the CLI-impared.) And it works a lot better than some of the other stuff they run on 2000 (namely DNS and mail, which tend to choke on themselves daily at least -- Microsoft gave them free copies of 2000 to keep them from using Solaris, basically).

Re:Win2K?

[Cato]

A serious answer for once - just buy Checkpoint's Firewall-1 (they popularised stateful inspection). Quite expensive, licensed per host behind the firewall, and not peer reviewed like Linux or BSD firewalling, but pretty popular.

Re:Win2K?

Yes, you can do this with Win2K:

1. install Win2K in its most secure mode
2. hook it to the Internet
3. wait 3-4 hours
4. at this point, the system should have been hacked by at least five 13 year olds, and one of them has formatted your hard disk, and installed Linux for you
5. login (root, password is 1337)
6. man iptables

Re:Win2K?

[jamesbulman]

What kind of moron moderates this as funny? The poster asked a genuine question in search of a genuine answer, not some pointless linux fud masquerading as humour.

Re:Win2K?

[starman97]

Why not, NT is pretty secure since it doesnt support many services, no telnet, no DNS, no finger, no BIND, no SMTP, etc...

I've been running a NT box as a webserver for years, sure I see people trying to log into the (NT) Domain, but they dont get in. Never had anyone get into the machine. Now, uptime is another story altogether. But it's secure, even if it does have to be rebooted twice a week.

Re:Win2K?

[codingOgre]

Hey, just let me know the next time you want the machine rebooted and I'll save you the trouble of walking down to the data center. :^)

Re:Win2K?

[codingOgre]

> Microsoft gave them free copies of 2000 to keep them from using Solaris, basically

??? Solaris x86 is free!

Re:Win2K?

[Ed+Random]

You can try MS ISA Server for a while (trial version is downloadable). I've played with it, and it seems to contain a nice packet filter.

But for production, I'd rather use a proven (and free!) solution such as FreeBSD, Linux or OpenBSD.

Gxis!
Ed.

Re:Win2K?

[GypC]

The Windows kernel supports things like antialiased fonts and drop-shadows on mouse-pointers... iptables is nothing compared to such advanced technology.

You Unix people read too much, that's old-fashioned. Try clicking on something once in a while and you'll see that clicking on things is the future of computing.

That and sound effects.

"Oh twap!"

Re:Win2K?

[whydna]

Sun was handing out copies at ALS in october. It was like a 6-disc set. Pretty nice... I'd imagine that it's free (or perhaps s&h only...)

-andy

Re:DIE JON KATZ

[rk+simms]

I don't believe the book was intended to be eaten. Although, I had a cousin who would eat books.
---

Oh yeah? Where's the journaling filesystem or SMP?

[emil]

Each has their strong points. Why not be a little more optimistic about what each can achieve?

Re:Way to catch up guys

[Marasmus]

Yep, OpenBSD has a very thorough out-of-the-box NAT firewalling solution. It's extremely powerful (and in my experience far superior to linux 2.2 ipmasq)... I use it at home and work with OLD Sparcs (25-40mhz) and still achieve near 10mbps on all 10mbps interfaces.

Iptables under the 2.4 kernel has impressed me. I use it for a test lab at work, and the first thing I noticed was that it allows active FTP through its implementation of NAT. It's probably due to some funky extension they've added to FTP standards, i'm not sure, nor good enough of a programmer to figure it out from the code... Nonetheless, they've finally made a decent product that starts comparing to the cleanliness and quality of BSD's NAT.

The other BSDs also use the same BSD NAT, however, my last experience of using NAT on FreeBSD (back on 3.3) was that it was quite erratic in behavior compared to the same setup using OpenBSD. I might have been royally screwing something up, too :)

Re:Way to catch up guys

[Meech]

Spoken like someone who has their network certification at a night tech school based out of someone's garage.

Grow up....

sure one can purchase a "pre-made" firewall, but to have a computer running Linux gives Administrators more options when working in companies that work with budgets...

Linux And Commercial Firewall Packages

[CyberKnet]

I havent used linux firewalling since the days of ipfwadm, but from what I see here, iptables has some rather extreme leaps here, the likes of which have usually only been seen in commercial firewall packages. What I want to know though, is exactly how *does* this compare to commercial firewall packages, inparticular: Checkpoint Firewall1

---

Re:Linux And Commercial Firewall Packages

[rasjani]

Personally i dont know absolutely anything about commercial firewalls except some cheap soho fw's that ive tested but i remember reading just few days ago from /. comments that Nokia's Firewall-1 solutions are based on linux os and some hardware... This was mentioned in Nokia's mediaterminal thread.

Btw, i dont know if it's really known outside finland but Nokia started it's "Empire" in finland by manufacturing RUBBER BOOTS. I think they still do but businesses have been seperated to different companies ;)
--

Re:Linux And Commercial Firewall Packages

[tweek]

Actually the nokia boxen run freebsd. Just thought I'd interject that.

Re:Linux And Commercial Firewall Packages

[Chang]

My Nokia box is running BSDi

Re:Linux And Commercial Firewall Packages

[GoetheJF]

Nope, they DO NOT RUN freebsd. They are runnning something completely own. As far as I know it has its Origins in FreeBSD, but they rewrote it and only took some core- programms like "ls" and so on. The NOKIA advantage is that they perform considerably better than SUN and come as kinda "plug & play".

IPFiter + Dummy NET

[keepper]

Oh wait, this is linux, you guys are playing catch up... :-P...

But seriously, any more questions on the maturity/performance of the BSD's networking code? this stuff has been posible for AGES...

A Question -- Can it allow Win2k VPN?

[tony+clifton]

I use ipchains w/ masquerading on my 2.2 linux box to implement NAT and allow the internal network to see the outside world -- allowing only packets with the SYN bit set back in.

This works fine for web and ssh and outgoing mail and dns and all -- but not when I need to use Win2k's VPN client to establish a tunnel -- my understanding is that the VPN server tries to establish a connection back (expecting to hit Win2k, but hitting to the linux box) which is refused.

How can I configure IPTables so I can tunnel and stay firewalled?

Re:A Question -- Can it allow Win2k VPN?

[Mr.Phil]

you would need to forward ports, and as far as I know, autofw doesn't work with 2.4

in 2.2 you would use ipmasqadm to forward the ports back from public to private

Re:A Question -- Can it allow Win2k VPN?

[GeekBoy]

I believe you need to use ipsec for that.
If you have it compiled as a module just insert it. I haven't tried it myself though so I couldn't
say if it works. Last I remember seeing it was
labelled experimental.
*********************************** *********

Re:A Question -- Can it allow Win2k VPN?

[PhilBrut]

You're getting bit by the fact that there's more to MS PPTP than meets the eye - the tunnel itself is actually a GRE tunnel with some funky MS-proprietary encryption, with a control connection at 1723/tcp (or something like that).

It can be done, but a 2.2 kernel needs to be patched to do it. I've not tried it, but the 2.4 kernel should allow you to "port-forward" the tcp connection and the GRE tunnel back to the Win2k system.

Just keep in mind that there's no connection tracking, so it has to be the same Windows system making the VPN each and every time, and one and only one VPN can be going at any one time.

Re:A Question -- Can it allow Win2k VPN?

[tzanger]

It can be done, but a 2.2 kernel needs to be patched to do it. I've not tried it, but the 2.4 kernel should allow you to "port-forward" the tcp connection and the GRE tunnel back to the Win2k system.

Interesting. I avoided that whole mess by putting the pptpd server on my firewall and having the sales critters either dial into modems on the firewall itself (800 #) or through their favourite ISP.

It's been a while since I've tried it but I believe that I can establish a VPN connection with the office from my system at home, which goes through a 2.2 firewall. (80386DX33 named pokey :-)

Do you have any links to the patches and whatnot? pppd was the hardest to do in my setup, as it needed MPPE patches and stateless patches to the MPPE patch and so on and so on. It does work remarkably well and is more secure than having NT do the server end (it rejects MSCHAPV1 requests)

Re:A Question -- Can it allow Win2k VPN?

[Chang]

Using 2.2 and ipchains, this was possible just by loading the ip_masq_pptp module. I know this was included in the standard RH7 setup. The module is also an option in the 2.2.18 stock kernel.

Under iptables/kernel 2.4.0, I didn't load a specific pptp module, but it just works. IPsec tunnel mode also works (All praise the iptables crew)

Re:A Question -- Can it allow Win2k VPN?

[Nothinman]

I believe the patches at the Linux VPN Masq page are supposed to work with PPTP, I know I've used it to establish an IPSec VPN with the client behind a NAT box.

Don't know if it works with iptables or not.
--

Re:Ahem..

[keepper]

and of course, it will very useful for the script kiddie that used the root toolkit of the day to take over your machine....

Why it really rocks!

[Ex+Machina]

/usr/local/bin/iptables -A OUTPUT -d 209.242.124.241 -j REJECT It makes reading slashdot so much easier on the eyes. (Don't click!)

Re:Why it really rocks!

[cloudmaster]

Yeah, but only if you're reading slashdot from your firewall host (the OUTPUT chain only filters locally generated packets)...

Re:Why it really rocks!

[Bill+Currie]

Hehe. ever since that crap started up, I've checked urls in /. comments by waving my mouse over it (and then disabled javascript when that mouse-over hack started, but it didn't last long:). But yes, this sort of things is very good. eg, put doubleclick's network in there instead :)

Bill - aka taniwha
--

Re:Why it really rocks!

[Tuzanor]

Be carefull when blocking whole domains. While burning goatse.cx's IP through your firewall would probably cause you little in the way of pain, you may want to check out what other services run on certain IPs. I've accidently banned everything from Yahoo! to red hat's site because one of the smaller sites under their wings were cracked and i was recieving junk mail through the roof.

Re:Why it really rocks!

[shogun]

Well I never have, seems the trolls have moderator access today and dont want people to be able to block goatse.cx and have brought it back down to +3... ;[

Re:Oh yeah? Where's the journaling filesystem or S

[CyberKnet]

And so when you finally do get SMP, we will rain all over your parade, proclaiming:

"That's a great way to make yourself look good. Go from crappy to average, and have the press all over you. Meanwhile, Linux has been doing it all along.."

Not everything done well is revolutionary, but just because it has been done before doesnt make it easier when someone else does it. Sure they *could* have used BSDs ipf. But they didnt. They did it their own way, and it was hard. Just acknowledge the effort. THAT isnt hard. Why not just be happy that there is one less crappy TCP firewalling mechanism in the world. Ever heard of a pat on the back and say "Well done".


---

How does this compare with FreeBSD?

[drenehtsral]

These are neat features, just when i was thinking of replacing my linux masq box with a FreeBSD box to use it's spiffier NAT support and all that good stuff, this looks like it takes care of that. I may still do it for security though...

Now: Does anybody here know offhand if the packet filtering support in FreeBSD supports these features? (stateful ftp support, DNS probe rejection, etc...?) i know it has rate-limiting to make DOS attacks not work as well...

Thanks

Re:How does this compare with FreeBSD?

[keepper]

Yes, it has been supporting these for a lont time, so it is a mor emature solution.

stateful inspection (ipf) and rate limiting (dummy net thru ipfw).

ratelimiting agains't many DoS type attacks is actually built into the default kernel.

Re:How does this compare with FreeBSD?

[tzanger]

i know it has rate-limiting to make DOS attacks not work as well...

I'm sorry, but once that barrage of packets is queued up at the remote end you have NO hope in averting it. rate-limiting only works if you are doing the rate-limiting on the remote end of the network.

On a slightly different note: I've considered going to BSD firewalls off and on over the years since learning about Linux and Unix in general but I haven't been able to find a really strong reason to. Ok it's more mature. Sure it's got a better stack. But honestly, unless you're running on super fast networks the Linux stack seems good enough and Linux seems mature enough. A reasonably-skilled admin can lock it down and anything short of a kernel exploit keeps it secure. For me, it just doesn't seem worth it to pick up an entirely new OS.

Yeah it smells like firelighters but I'm being honest. Anyone who's been on /. as long as I have should know that I'm no troll. Are there any really convincing reasons to move to BSD?

Re:How does this compare with FreeBSD?

[thallgren]

You make it sound like it would be the end of the world to switch to BSD from Linux. I did that switch 4 years ago and never regretted it.

Regards, Tommy - FreeBSD enthusiast

Re:How does this compare with FreeBSD?

[artg]

'Are there any really convincing reasons to move to BSD?'

To give you experience in setting up another system ?

Re:How does this compare with FreeBSD?

[tzanger]

You make it sound like it would be the end of the world to switch to BSD from Linux. I did that switch 4 years ago and never regretted it.

No no no... I don't consider it a drastic move by any means, I am just trying to weigh the pros and cons. I'm comfortable on Linux and, while I know I can become comfortable elsewhere (it didn't happen with Linux overnight), I am wondering why to consider it.

Re:How does this compare with FreeBSD?

[tzanger]

To give you experience in setting up another system?

That's not a convincing reason. I don't tear down and rebuild engines just to get more experience doing so; I tear down and rebuild my own and engines like it. It may seem shortsighted but I don't have all the time in the world like I used to; taking up my time learning something that is likely not to change much isn't (IMO) a good idea.

Re:How does this compare with FreeBSD?

[Ded+Bob]

Advantages of FreeBSD over Linux (IMO):
1) More controlled (non-chaotic) development. Their is an elected board which decides on the direction of FreeBSD development.
2) Man pages. FreeBSD has a man page for almost everything that it comes with. This includes the drivers.
3) Ports system. I find the ports system to be much easier to administer a box than RPM.
4) IP Filter has a less cryptic syntax and is available for many UNIX OS's.
5) System updating. It is much easier to update a FreeBSD system as opposed to a Linux system. libc is more tied with the kernel on a FreeBSD box. glibc was never kind to me.

I speak all of this as a person who ran Linux once at a 0.77 level and later from 0.99.14? to 2.2.12. Switching to FreeBSD has made my life much easier. It gave me more time from development as opposed to administration of my boxes.

For information on IP Filter, go to this URL: http://coombs.anu.edu.au/~avalon/

Re:How does this compare with FreeBSD?

[TheLink]

ipfilter + stability ( + softupdates) was good enough for me :).

Anyway don't think of it as moving, think of it as one more option in your toolbox.

It's not too bad so far. On my first day installing FreeBSD I was already recompiling the kernel with no problems (in fact it's even easier than RedHat Linux - just make a backup, then make the kernel and reboot, with RH there's all these extra stuff in /boot to update plus running lilo). I had to recompile the kernel so that I could activate the IPfilter feature, and also bumped up the max processes and shared mem (the linux + freebsd defaults are rather low for modern x86 server systems).

You can configure most stuff in rc.local and rc.conf. But I haven't figured out the official way on how to do shutdown scripts. Not too bothered.

What I don't like is top seems to be lying about CPU usage by individual processes. I can't seem to see the absolute figures, only a weighted value. It's strange to see 80% user CPU usage in the topline, but find that every process is using 1%.

Cheerio,
Link.

You bet your sweet patootie!

[greebly]

Using ipfilter (ipf) in *BSD supports all of these features on top of one of the most robust and mature TCP stacks on the planet. I wouldn't use another OS for firewalling. Period.


9 little greeblys sitting on a plate...

I'm sure iptables is great and wonderful, but...

[ElVee]

What a chronically overworked sysadmin would really like to see is a graphical, gee-whiz, easy-to-use utility to organize and edit rulesets without having to delve so incredibly deeply into the guts of the syntax. I've looked over at Freshmeat, but nothing has really rung my chimes. It's not that I don't _care_ about system security and upgrading to the latest packet filtering gadgetry, it's just that I'm chronically short of "Round Tuits", and this huge pile of Luser Requests doesn't seem to be getting any smaller. Suggestions?

Re:Oh yeah? Where's the journaling filesystem or S

[qnonsense]

Except that FreeBSD's SMP is already damn good. When BDSi's code makes it in (5.0), it will blow Linux away.

OK. ipchains is a good effort. It still isn't as good as ipf.

Iptables, user-space queueing, and reiserfs

[bobv-pillars-net]

I needed to block a list of thousands of ip addresses at the firewall. Here's how I did it:

First, I read the sample code for how to implement user-space queueing. That's where you pass a packet to a user-space program so it can decide what to do with it. Then I made some trivial changes to that program so that it looks for a file in a certain directory with a name equal to the IP address in the packet header.

If the file exists (i.e. an open() call succeeds), then the packet is denied; otherwise it is allowed. Anytime I want to add a new IP address to the blocking list, I just create a file in that directory. Since I run reiserfs, the test for file existence is as efficient as a hashtable lookup, but much simpler to code.

Not as sophisticated as a commercial firewall program, but not as much overhead, either. (Simplistic) benchmarks show no significant increase in network latency. Works for me!

Re:Iptables, user-space queueing, and reiserfs

[bobv-pillars-net]

Actually, I use file contents for the reason why it's blocked. So when I review my /var/log/kern.log and see a bunch of denied messages for the same IP, I look at the contents of that file to see how serious the issue is.

Re:Iptables, user-space queueing, and reiserfs

[Yenya]

You should probably use stat(2) instead of open(2), as it is faster.

User-space queueing, or even long rule lists, are slow. When you have to do this on the high-performance routers (several 100Mbit interfaces), you will loose.

The right solution is use the ip rule command, because it does not have to queue every packet (it uses kernel routing cache). You can probably even move it to the user space using rt-netlink (in the same way as routing daemon works) - just set up a blackhole route when the stat(2) succeeds. This of course works as long as you need to filter IP addresses, not ports.

-Yenya
--

Re:Iptables, user-space queueing, and reiserfs

[bobv-pillars-net]

Well, I've got 1000kbit DSL, not "several 100Mbit interfaces". I suspect that many of the "enterprise-level" commercial firewalls would also fail your test.

Point is, I was able to cobble together something reasonably efficient for my purposes in less than an hour, including research and bugfixing. And I'm not a particularly talented coder.

Just out of curiousity, though, could you post a link to some documentation about the "ip rule" command and "rt-netlink" ? Never worked with either one.

Re:I'm sure iptables is great and wonderful, but..

[TMA]

Check out Firewall Builder... sourceforge.net/projects/fwbuilder very similar to Check Point's config GUI...

Re:thanks

[drenehtsral]

Cool =:-) I'm just starting to experiment with FreeBSD. Of the UNIX systems i've had a machine running, it is the nicest. I've had Linux machines (still do infact), and i've also had a System V.r3 machine (boy was _that_ one a pain...) Yeah. It was an old 3B2/310. In any case, thanks for helping my UNIX knowledge...

For the really important question!!!

[stomer]

If this replaces ip_chains? Will it allow me to host a game of Tiger Woods 2001 on one of my masqed doze boxes?

I have to have my priorities in order :)

Re:I'm sure iptables is great and wonderful, but..

not graphical, but check out ferm.

very friendly way of specifying firewall rules, regardless of what the underpinnings are (ipchains, iptables)

Cowards...

[Col.+Panic]

Oh, come ON! Still hiding behind firewalls, are we? Why don't you just connect that default install to the web 24/7 like a *real* man? What's a little break-in now and then? Sure, I bet all your data is valuable, especially those pic.s of Natalie P.

And .mp3s - real valuable since you are sharing them with Napster anyway, why not just open Windows file shares or Samba to the whole world? Shouldn't open source types who want information to be free lead by example?...

Re:Cowards...

[Tuzanor]

Connect on a default install you ask? sure,I'll just grab my good ol'trusty OpenBSD CD...

Older (386, 486) hardware?

[Fishstick]

This sounds really interesting to me. I do have a question about 2.4 in general though. How well does it run on pre-pentium hardware?

I remember when 2.2 series came out, many were saying to stay at 2.0.x for pre-pentium hardware because 2.2 would just not run adequately. Was this true in the first place, and does 2.4 'raise the bar' at all for hardware requirements?

I only ask because my linux firewall/masq box for my cable at home is running a 2.0.36 kernel on a 386 and there probably isn't any hope.

For a while I was using a P-150 running a 2.2.x kernel (RedHat 6.2 install, probably) and ipchains seemed to be much better than ipfwd.

At some point I decided I needed that box for another project, so I dusted off that crap old Compaq (a laptop, no less!) and pressed it into service as my masq box using a docking station (two ISA slots, WOOHOO!) and a couple of $7 SMC cards and slink. It works great as long as I don't try anything fancy.

But, the question is... what is a reasonable amount of hardware to expect to have to use for a 2.4-kernel firewall? I'd love to play with this. Think a 486-100 w 32Mb would be enough? It's not doing much, just sitting around for compiling kernels for the 386. ;-)

Re:Older (386, 486) hardware?

[greebly]

I can tell you from experience that if you're worried about memory and CPU overhead, you'll do better using *BSD instead. I have found that I can pare down the kernel and running services to a minimum, and have a surprising amount of grunt left over on a 486. A 486-100 with 32MB of RAM is more than enough to be a firewall/masq on *BSD or Linux, but the time involved in paring down the system so that no non-essential services/daemons are running is sometimes prohibitive. Kernel re-compiles can be a royal pain when you have to wait for hours!

9 little greeblys sitting on a plate...

Re:Older (386, 486) hardware?

[dr-suess-fan]

Hmm..

Can't you compile the kernel on a fast box for
the i386 architecture and then sneakernet or FTP
it across ? That is my understanding anyhow.

Re:Older (386, 486) hardware?

[richie123]

Yes, there is no reason why you can't simply compile it for a i386 on fast machine and install it on the slower one.

Re:Older (386, 486) hardware?

[PurpleBob]

I've found that everything in Linux 2.4 runs noticably slower on my P3-500... but maybe I compiled it wrong.
--
Obfuscated e-mail addresses won't stop sadistic 12-year-old ACs.

Re:Older (386, 486) hardware?

[Ribbit]

If you ask me, it should run fine.

I've got a 160Mhz 486 (overclocked AMD 5x86) with 32M, and I'm setting 2.4 up on it right now. So far, it's running great - it's doing a lot of compiling, and running no worse than with 2.2, and yes, I've noticed that it seems to be using less memory and the fs performance is a little better - but that might be my imagination. (BTW, try hdparm -T /dev/ with 2.2 & 2.4 - 2.4's buffer cache is twice as fast!) What I'm saying is, 2.4 should run great on your 486-100, and firewalling should not be a problem unless you're trying to firewall a saturated gigabit ethernet or something.

We've also got here a Cyrix 486DRx2. This is one of those 386-to-486 upgrade chips - it's pipelined, clock-doubled (to 50MHz in this case), and has a 1KB cache on it. This machine is our firewall (ADSL/Ethernet), and it's running 2.2, and not sweating it at all. (16M memory, BTW, and we haven't bothered to enable the cache either) I'm planning on moving it to 2.4 once I've had a play with it for a while. So I also say, give 2.4 a try on your 386 if it has the memory (you might get away with 8M) - you might be pleasantly surprised...

Re:Older (386, 486) hardware?

[Mr.Phil]

must have something else wrong, 2.4 runs noticably faster on my P3 500 and also on my P166 laptop.

Re:Older (386, 486) hardware?

[Spoke]

There was a thread when 2.4.0 came out on linux-kernel that some (or all?) 386s had problems booting. You should be able to find the thread from a list archive. (Try here). The bug was found when some guy was trying to boot 2.4.0 on a 386 with 4 or 5MB of ram.

It's fixed in the latest pre-patches, so you just might want to wait until 2.4.1 to try it out since it'll take forever for it to compile on a 386. By the time it is done compiling, you 2.4.1 might be out, anyway! ;-)

FWIW, I am using 2.4.0 on a P133/64MB and it runs great. This would be way overkill for just a firewall, we're using it as a development machine running Apache.

Your 486/100 32MB machine will be overkill for a firewall.

Re:Older (386, 486) hardware?

[Fishstick]

>So I also say, give 2.4 a try on your 386 if it has the memory (you might get away with 8M) - you might be pleasantly surprised...

Thanks, I might just do that. It is a 4Mb machine with a 6Mb add-on card (25 Mhz, 500 Mb drive, of which over 1/2 is trashed - I installed a 50Mb root part on the internal drive then have a 200Mb IDE drive sitting in the docking station with the rest of the OS and swap on it - picked the thing up for $5 at a garage sale, not working).

Someone asked why I didn't run *BSD... cause I wasn't smart enough to figure out how to install it! Now, I'm not saying I'm too stupid to install BSD - I've actually got a OpenBSD 2.6 install on a PPro-200 that I play with. Problem was installing on this low-mem machine.

It died at the end creating the /dev tree. The FAQ says to interrupt the install towards the end to mount the swap and then resume. I finally got past this only to have it lock up on boot trying to load services (rpc, I think). So, yeah, I booted from floppy and poked around trying to stop it from starting services to see if I could get it to boot. No luck, gave up.

I _really_ wanted to give BSD a try - I've obviously heard a lot about it. In the end I installed Debian and got it to work and put it in service and have since forgotten about it.

Now I've got this 486, I'll have to decide... oh - maybe I'll find something more productive to do with my free time like play WarcraftII again :-)

Re:Older (386, 486) hardware?

[Ribbit]

If you do try 2.4 on your 386, let me know how it goes and how well it runs (use the horribly unobfuscated email address above) - I'd be interested to know for myself...

Re:Older (386, 486) hardware?

[naasking]

2.4 probably uses more caching so it will look faster on machines with RAM to spare.

-----
"People who bite the hand that feeds them usually lick the boot that kicks them"

Re:Older (386, 486) hardware?

[Schnedt+Microne]

I used to think that as software got better, it should run on slower, older, hardware better than the older software.

One of the things I liked when I discovered Linux, was that instead of a 'shiny new things' focus, it was an effort of convergence. Things would just keep getting better, instead of the 'rip out the old one and plug in the new one' ethos of Microsoft's OS products.

So somebody please, do explain why kernel 2.4.0 shouldn't work better and faster in my 386DX-20 than 1.2.28 does....

Tell me it isn't like Microsoft.

Re:Older (386, 486) hardware?

[Hardwyred]

Throw another in the pit here. My first firewall was 2.2 on a 486sx 33, no issues. I then went to the 2.3 and 2.4 test stuff, still no problems. It seems to me that the sweet spot for the kernel has always been a 486, but remember, its all in the compile. My current firewall is sitting on a K6-2 450, but that machine does a lot more then what my old 486 used to do.

...and the geek shall inherit the earth...

Re:Older (386, 486) hardware?

[Fishstick]

>explain why kernel 2.4.0 shouldn't work better and faster in my 386DX-20 than 1.2.28 does

Yes, indeed. That was my question, not an assertion on my part. I think if you build a kernel with support for everything, needed or not, then you run the risk of maxing out a slower processor. Course, compile in just exactly what you need, should be the same right?

See Windows do that! ;-)

Re:Older (386, 486) hardware?

[apathetic]

i do that for my firewall... i'm not waiting for the kernel to compile on p-90 when i have a k6-3 400 sitting accross all of 5 feet away

I Can Hear It Now

[EXTomar]

"This has been in BSD forever..."

I bet by the time I'm done typing and hitting submit there will be several posts saying something like this. Why can't everyone stand back and go "great job guys for implementing it on a new platform!" instead of "you lamers...we had this X years ago". If they had implemented this on MacOS(random OS picked off the top of my head) would the BSD guys say the same thing?

Re:I Can Hear It Now

[bugg]

Ok, I am the AC that had the original post WRT this topic that's since been moderated up to 4: Informative (I post regurarly, it gets moderated down, I post AC, it goes up. Who woulda thunk it?) and perhaps I'm being misunderstood.

Yes, it's a good thing. Congratulations Linux folks, I'm sure you did a good job, having stateful firewalls are handy for everyone to have. I don't mean to say the typical "we've had this for X years"

My issue was, and still is, mainly with the slashdot title. Why it rocks. It doesn't generally rock, it just rocks compared to the implementation in Linux 2.2.

Now, if the article had been "Why it's a great improvement over 2.2" that would have been great, and I would have continued on my day. But the fact that the title makes it seem revolutionary, when it's actually quite evolutionary, made me step up to the plate.

What rocks? Stateful firewalling. Does the article discuss Linux's implementation in detail, explaining why it's better than other stateful filters? No. It discusses the old and proven technique of stateful firewalling, and therefore tries to further Linux based on that alone.

Re:I Can Hear It Now

[Chester+K]

If they had implemented this on MacOS(random OS picked off the top of my head) would the BSD guys say the same thing?

If it had just been implemented in Windows, everybody would be saying that, the Linux folks and the BSD folks.

Don't pick on Linux, but feel free to bash Microsoft.

Re:I Can Hear It Now

[AntiBasic]

Ok troll let's be objective. Linux firewalling (ipchains/iptables/whateveranewoneis) has always been humbled by other OS ability in this area. Compare it to Solaris and *BSD for example. Stateful filtering has been out available for a long ass time. It's still possible on Linux as if as you're not using glibc (yuck!). The title for the story is flamebait in itself "...Linux 2.4 firewalling Rocks!" Kudos to the guys who worked their keisters off on it. They deserve it. But there are more mature implementations out there as it is. A better topic would've been "Linux 2.4 firewalling improvements" or something.

...would the BSD guys say the same thing?

You don't even realise that people are behind the monitors do you? We're all people you troll. No one is out to get you you paranoid megalomaniac troll.

Try to be an ambassador for whatever your choices may end up being.

Re:I'm sure iptables is great and wonderful, but..

[Majix]

Try out Firestarter (Disclaimer: I wrote the program, so I'm biased). Supports both ipchains and netfilter, several nics, NAT/Masq, ToS/ICMP filtering etc.

I, just like you, got really tired of editing scripts all day long, the end result is this GNOME program. First the program presents a wizard for quickly setting up a firewall, then you can monitor the firewall hits you get and close/open/stealth ports with just a few clicks. Easy of use was the goal with this program.

So why does it take so long to load?

[Lawrence_Bird]

I played with iptables and one of the 2.4 pre
releases last fall. I found it to be incredibly
slow to load all the rules. Thinking I was
doing something very wrong, I also tried a
fairly vanilla table from one of the 'generator'
sites. Same problem. Can somebody shed some
light on this beyond 'your a dope'?

Re:Yep, big problem

[sjames]

in that's big-endian, like say from Solaris (the most popular Internet platform) the translation must occur before any filtering gets done. So a saavy hacker can mount an attack from any Solaris box and easilt Ddos any Linux box by doing a reverse htons() packet flood.

Nope. Just store the targets in network order and do a normal compare. All that matters is that the target list (hash or whatever) and the packet be in the same order.

Re:Way to catch up guys

[mr]

And it would be nice if you noted the 'OpenBSD' solution is IP Filter by Darren Reed.

But it would REALLY ROCK if.....

[rednax]

Its a great improvement over what was there before, but I wonder if they are ever going to look at active content filtering. At least in a corporate firewall environment it would be great if we could allow active content such as Javascript, Java, Activex only from specific hosts, or thru specific interfaces. To be able to do this in one place, rather than relying on another product would be awesome.

Sure its a huge leap from where it is now to move to active content filtering, but the gains would also be huge. I can see that it would probably add a lot to the processing requirements, but if its rule based then the admin can decide whether or not to implement it.

Humble Criticism: Interface vs. Implementation

[brthrjon]

This is the third time that the interface to this functionality has changed, essentially based on a different implementation. Frankly, I don' care if its chains or tables or what, I just need to Masquerade. However, it seems that every time we get a new kernel version we have to change the interface to the functionality because of improved implementation. Just my 12 centimes.

Re:Oh yeah? Where's the journaling filesystem or S

[Nathan+Brazil]

The point here is not "BSD is better than Linux." The point: "it's unfair that Linux gets good press for doing something everyone else has been doing for so long."

Re:Way to catch up guys

[Schnedt+Microne]

It's not 'elite' to use BSD. It's just practical.

Nobody in the BSD community is trying to be 'cooler than thou'. I think you're looking in the wrong free-software community for that.

Re:Oh yeah? Where's the journaling filesystem or S

[mr]

Sure they *could* have used BSDs ipf.

Lets see.

the License for the ipf (IP Filter code) is:
Copywrite (c) 1993-1997 by Darren Reed

The code is *NOT* 'BSD's' The code is Darren Reed's.

Re:networking Linux vx networking *BSD

[Zapman]

I keep hearing that *BSD's IPstack is faster, more robust, etc. But I never see hard numbers to back it up. I want a identical hardware benchmark that can push both stacks, and see which one is better. The nearest I've seen compare linux 1.2.* and FreeBSD 2.0. Ancient history in otherwords.

If you've got numbers, and the testing details that produced them, I'd like to see them.

Then it rocks today.

[jet_silver]

Snort can do this now.

Re:Then it rocks today.

[rednax]

Always thought of Snort as an IDS and alert/reporting monitor rather than a kernel absed firewall. Also is Snort not pushed as a LIGHTWEIGHT tool for relatively small networks?

FTP is really a bad example for statefull firewall

[gd]

Packet filter is not supposed to look into the payload of the packet. That is done by something called proxy. Regarding FTP, well, let's face it, it is a badly broken protocol, period.

Also, "limit the number of SYN packets from a single source" doesn't really help in defending the DoS attack. The attacking machine doesn't use its real ip as the source ip nor does it use a single source ip.

I agree with other posters: iptable is playing catch up with ipfilter.

Cool, but, regarding stateful firewalling...

[speedbump]

Yahoo for Linux! One thing that bugged me though was, if I were to use stateful firewalling on my Linux servers, how much memory (and processing) does such take up? Do I have to have a processor running at gigaherz speeds just to firewall my web server farm?

system call overhead (o/t)

[MenTaLguY]

If the file exists (i.e. an open() call succeeds)

If you don't actually plan on doing anything with the file after opening it, just use access(filename, F_OK). Save yourself a close() system call.

Keep in mind that on top of the file overhead you're also taking hits for transitions to and from userspace for every packet. Best to keep system calls to a minimum in such a case.

Re:system call overhead (o/t)

[bobv-pillars-net]

True, it was a quick hack. I used open() out of habit for portability, but that's a moot point here, eh?

Re:system call overhead (o/t)

[Teferi]

access() is in POSIX, so portability isn't a concern.
cool hack, too.

"If ignorance is bliss, may I never be happy.

Re:system call overhead (o/t)

[cananian]

No, actually you probably want a 'stat' call. To quote the man page: "access checks whether the process would be allowed to read, write or test for existence of the file (or other file system object) whose name is pathname." You actually want to do the existence test, you don't want to see if you can do it. Hence 'access' is inappropriate.

'stat' may have more overhead than the 'open' call, depending on the implementation of your filesystem. So it's probably just fine to keep that 'open' call the way it is.

Why iptables (Linux 2.4 Firewalling) Sucks

[Penico]

I was eagerly waiting for Linux 2.4 from the day I heard somewhere it would support ipfilter. I run mostly BSD boxes, due to personal preference, while still keeping a few Linux systems up and running. All systems run perfectly well and cause me little grief, if any at all.

However, once again the Linux camp is "doing things their own way" and contributing even more to the separation between different Unix flavors (as well as making those sigs that go something like "Linux - the Unix defragmentation tool" even funnier). Don't get me wrong, iptables seems to have a few cool features that are not present in ipfilter, but just why was ipfilter not used instead ? It is present in a few platforms already (runs on all BSD's, as well as Solaris / SunOS and IRIX), it is tried and tested, and it does most of the stuff iptables does. And it can probably be extended to do everything iptables does as well, with some extra work. But the Linux folks, however talented and bright they undoubtedly are, and however good a kernel they have produced, have just taken a completely silly route this time. Not only have they duplicated effort towards the same (or at least, a very similar) end, they have also created another headache for busy sysadmins who maintain a few different systems. I had high hopes on ipfilter being "officially" supported under Linux (the ipfilter code mentions sketchy support for Linux, which I have admittedly not tested, but from the looks of it it has not been maintained for a long time --- the most recent kernel mentioned in the HISTORY file is 2.0.34, the last reference to Linux appears in 1998), but now I will be forced to get rid of the only Linux box I still maintain as a server (for various reasons, none of which related to the quality of the OS --- that little box has run great for ages, and causes me no grief at all) if I ever need firewalling for it. Yes, I could learn to work with iptables (and I probably will anyway, out of curiosity), but the Linux folks could probably learn to cooperate better with the rest of the world in certain aspects. It really is a shame, because I honestly think Linux is great --- the mindset of some of it's users (and by the looks of it, some developers as well) is however a different matter...

Re:Why iptables (Linux 2.4 Firewalling) Sucks

[SoftwareJanitor]

BTW, Linus is from Finland, not Sweden, although ethnically he is swedish and speaks swedish as his 'native' language.

Re:Why iptables (Linux 2.4 Firewalling) Sucks

[stripes]

However, once again the Linux camp is "doing things their own way" and contributing even more to the separation between different Unix flavors (as well as making those sigs that go something like "Linux - the Unix defragmentation tool" even funnier). Don't get me wrong, iptables seems to have a few cool features that are not present in ipfilter, but just why was ipfilter not used instead ?

Being compatable at the cost of better functionality isn't allways a good idea. Would iptable's "cool new features" have fit into the ipfilter framework? Is there some fundomental reason that iptable might be faster, or even just simpler to implment?

I don't even run Linux (three diffrent BSDs, no Linux), but I wouldn't want them to give up useful features just to stay compatable with me any more then I would want FreeBSD to adopt some else's FireWire framework if that framework could never do foo, or was boud to allways suck in some way.

In fact OpenBSD has a framework for Crypto cards. It works great for IPSEC, but poorly for other things (like cryptoFS, or userland crypto apps). If FreeBSD adopted it as is they would get half a dozen working crypto cards, bitchn' fast IPSEC. I think it would also be a giant mistake. I would rather end up with an incompatable framework that is better, then a compatable one that isn't so hot. It would be nice if the new one was very similar and could be "backported" to OpenBSD if they were so inclined...

Sometime the first implmentation isn't such a good idea, so the second should be diffrent. Or the third, or the sixtyith. That is why we run Unix-like OSes rather then TOPS-8086.

Re:Why iptables (Linux 2.4 Firewalling) Sucks

[ion++]

You seem to describe linux NOT using ipfilter, but making their own, iptables, as a bad idea.
It might not neassesarely be a bad idea.
I will write a few analogies, but basicaly my response is
Competition is good
If you buy into that, you dont have to read on, if not, please do.

Why even have Linux in the first place, we have BSD. But wait, there is 3 BSD's, (there was 4), BSDi/FreeBSD, OpenBSD and netBSD??
But BSD is just a further devellopment of earlier *nix systems (i'm not too knowledgeable of the unix history). But Unix was built on Multics, so lets keep that, or better yet, some system before that.

Why do we have xx different OS's ??
One should be enough!
Why do we have xx different webservers ??
One should be enough!
Why do we have xx different GUI's ??
One should be enough!
Why do we have xx (2) different chipmakers ??
One should be enough!
Why do we have xx harddrive makers ??
Why do we have xx monitor makers ??
[high pitched voice getting estatic]
kabinets? keyboards? cola? beer? car?
clothes? tvchannels?
[voice cramming over]
political views ??
[breating normal]
Because, competition is good
It's good having choice, not everyone likes the same, or chooses the same over something else.
Naturaly we can work together, and we should, but that doesnt mean one implementation, one manefacturer, ... is a bad idea. Multiple choices enhances life and survival (imagien living from just one sort of food, and it becomming extingt).

So, be thankfull for being able to choose, and not having the goverment, or some company choose for you. While the first is becomming less and less apparent in the world, the second is becoming more and more widespread.
And the worst part is that people doesnt seem to care :(

ion++

Re:Why iptables (Linux 2.4 Firewalling) Sucks

[Admiral+Burrito]

You seem to describe linux NOT using ipfilter, but making their own, iptables, as a bad idea. It might not neassesarely be a bad idea. I will write a few analogies, but basicaly my response is Competition is good

What competition? Iptables has a monopoly on stateful filtering under Linux.

It's not about competition. It's about NIH. That's the only reason I can see why Linux went so long without a stateful firewall instead of doing the maintainence on IPF. Would you suggest that not having stateful firewall should "win the competition" over having a stateful firewall? Apparently it did for over two years, only because the terms of that competition made it counter-productive at best.

I wonder... How many firewalls were left configured to allow all UDP access as long as the sender claimed source port 53, because most mortals didn't know how to permit DNS responses in a stateless config without opening such a wide hole? (FreeBSD's default /etc/rc.firewall used to have just such a hole when ipfw was stateless, but at least ipf was available as an alternative (that's competition)).

Re:Why iptables (Linux 2.4 Firewalling) Sucks

[joedumb]

well, as someone remarked ealier, competition is good, but a better solution: why not have both? ipfilter and iptables one team works exclusively on iptables (ala russ etc.) and another team works on the kernel modules that interface with ipfilter for optimal linux proformance. there, you get the best of both worlds.

Re:Why iptables (Linux 2.4 Firewalling) Sucks

[Yenya]

I was eagerly waiting for Linux 2.4 from the day I heard somewhere it would support ipfilter.

Oh, this is the same confusion like in Swansea NET-2 versus BSD NET/2. Linux never attempted to support ipfilter. The core framework in kernel is called netfilter. IPtables are built on top of netfilter (as is Linux virtual server, etc).

I don't know much about ipfilter, but I think it is (at least partly) user-space solution. Because we already had a fast kernel-space solution, I see no point in moving back to the user-space.

With ipchains (2.2 kernel), I run router with four 100Mbps ethernets (on an old Celeron 266) and over 250 rules, and it works on full bandwidth. This is impossible with partial user-space solution.

-Yenya
--

Re:Why iptables (Linux 2.4 Firewalling) Sucks

[Ded+Bob]

Actually, there was a kernel module of IP Filter for Linux v2.0.

I don't know much about ipfilter, but I think it is (at least partly) user-space solution. Because we already had a fast kernel-space solution, I see no point in moving back to the user-space.

IP Filter is in the kernel-space.

interface compatibility

[MenTaLguY]

This is the third time that the interface to this functionality has changed, essentially based on a different implementation.

Actually 2.4 supports the 2.0 and 2.2 interfaces too, as optional (extremely small) kernel modules.

Re:Way to catch up guys

[Tralfamadorian]

Would you shut the hell up please?

This attitude is all over slashdot. It's funny, because I've seen more posts pointing out how Linux is simply catching up than posts about anything else.

It's just like when an MS story comes out, and 20 million people post that "I know I'll get modded down for this because /. is so linux centric".

It almost seems to me that people who post such things are trying to be ``31337'' by ``going against the /. crowd'' even though /. is fairly objective (as long as you read posts of a score that is >= 1)




He who knows not, and knows he knows not is a wise man

he meant shitty SMP support, not no SMP support

[cpeterso]

FreeBSD SMP support is akin to Linux 2.0 in 1996! FreeBSD uses a BFL (big fuckin' lock). Sure FreeBSD 5.0 might include experimental Linux 2.2 (1998) SMP support merged from BSDi code, but when will that be? 2002?

Dont encourage kiddies, punish them!

[kettch]

Configure a firewall that blocks access to all but a single "drive" to which you can get to with some rudimentary h4x0r1ng skillz. fill that directory with a bunch of files, programs, etc. except make every file infected with the most virulent stuff you can find for a variety of OS's. that way, some script kiddy thinks he's hacked your server, and then, BAM! If only you could find a virus that did weird things with the power pathways on the motherboard. Then you could eliminate the kiddie as well as his computer.
----------------------

Re:Dont encourage kiddies, punish them!

[ca1v1n]

Maybe you could write something that would flash the BIOS and either

a) Kill the BIOS, requiring either a replacement unless they have one of the ones that has a dipswitch reset.

or
b) Overclock everything on their machine as high as it will go. With any luck, the kiddies will have already overclocked some by hardware means, so the BIOS method could have them running so hot that they burn out within the week.

Hmmm... other things that come to mind involve changing monitor settings so that their monitor burns out within the month, or reformatting the hard drive and labelling bunches of sectors as bad, or maybe just screwing with the boot sector or making invalid partition tables. Oh well, I'm sure you could have loads of fun dreaming such things...

Bits per Byte

[ansible]

While it's true that it is usually 10 bits per byte on asynchronous links (1 start bit, 8 data bits, 1 stop bit, no parity), that's not true for things like leased lines. They use synchronous serial communication, so it is 8 bits per byte. IIRC, ISDN is also synchronous, but I don't know about some of the newer signaling schemes.

Just tryin' to keep the math straight.

Re:Bits per Byte

[h2odragon]

regardless of the signalling the underlying link is using, the box is likely (not always) hooked to your PC via "good" old fashioned 10bit rs232 serial ports.

That's not the point. The point is that unless you've got enough connection to firewall that you can afford fancier stuff anyway, most any PC has plenty of time to do quite a bit of work between packets. Compare the bandwidth and CPU involved in, say, turning 44kHz 16bit sound into pretty pictures like eXtace does, to the task of filtering a couple of T1's worth of internet connection.

2.4 Linux Kernal too big for LRP!

[npendleton]

stateful firewalls = excellent... But LRP will NOT readily support 2.4 kernal size!
(LRP is the Linux Router Project at http://lrp.c0wz.com/ a kick ass firewall/router/NAT distro that needs a single floppy, 486 or better, 2 nics, and NO harddrive!)

Joshua Jackson, of the impressive www.coyotelinux.com LRP distro,
said "I wish I could move to the 2.4 kernels for Coyote, but not in the floppy version I am afraid. By the time you get all of the necessary options built into the kernel, it is roughly 350kB larger than the 2.2 kernel... in addition, the full iptables and iptroute2 package are quite a bit larger than their 2.2 equivs. The Embedded project is already running on the 2.4.0 final kernel, but it does not run from a floppy."

-Nathaniel
Bummer for the rest of us.

Re:2.4 Linux Kernal too big for LRP!

[chompz]

You could easily run it out of a ramdisk, and if you booted it off of a cdrom you would never have to touch the hardware. As long as the computer worked it would be fine, maybe down for a few hours to replace a cdrom once every three years.

Re:2.4 Linux Kernal too big for LRP!

[hammock]

Have they ever considered using more than one floppy? To install Slackware, you use a boot disk, and a root disk.
No problemo.

Re:2.4 Linux Kernal too big for LRP!

[extra88]

If CoyoteLinux used more than one floppy I couldn't reboot the 486 under my desk with just my toe! (I don't blame distro for needing to reboot, I'm still running a very early release.)

Bootable CDs can be a pain in the butt because you have to re-burn them every time you want to make a change. Plus my router doesn't have a CD-ROM and most of the crap machines I can get my hands on seem to have failed CD-ROM drives.

I think LRP has 2 floppy options for those who really want to load up the RAM disk but CoyoteLinux has a pretty well focused purpose.

Re:2.4 Linux Kernal too big for LRP!

[sunset]

I guess that's the price of progress. Too bad you can't get 2.88M floppies any more. But it's only a few more bucks for a CDROM, or a Zip drive, or LS-120.

FireWall-1

[Xenophon+Fenderson,]

Heh, the AC has a good point. Linux stateful inspection? Ho-hum, FireWall-1 has been doing that for a while, too, and it has a programmable virtual machine that lets you program your own inspection code for protocols that aren't supported out of the box.

Rev. Dr. Xenophon Fenderson, the Carbon(d)ated, KSC, DEATH, SubGenius, mhm21x16

Re:FireWall-1

[forkboy]

Yeah, but Firewall-1 has it's own problems. The service proxies (i think they call them "security servers") are a joke, NAT and encryption slow the system dramatically. Avg 70 Mbs thruput on an a Nokia IP330 running FW-1 drops to about 2-3Mbs with 3DES encrypted VPN traffic. That doesn't include another ~20% overhead for NAT.

I won't even begin to talk about how shoddily thrown-together their Provider-1 management tool is...I'd almost swear microsoft coded it.

Anyway, point being I'm glad to see Linux's firewall technology get more current. Especially since it's open source....it'll be nice to actually get in and pour over the code.

Hey, it's great :=)

[Polo_Pony_Guy]

I used it a while back when I read about it on Slashdot in one of the users' comments. The only thing I don't like about it is that it has a tendency to make 40,000 files in /etc/firestarter/

All I do is delete the stuff in the script in the first few lines to do with the deny-host-all etc etc and use the rest of it - works very well. It's just the initial setup of the firewall that I think most users hate. I know that was the case with me. I don't mind adding rules manually afterwards...anyway, I highly recommend your program...Congrats!

Remasqing Packets

[Srin+Tuar]

I am trying to find out if iptables does remasqing: Masquerading a packet with a destination back inside the masq'd LAN.

I know ipchains doesnt do this, and its been a considerable headache. Some of the things I cannot do are:

• access my port forwarded apache box from its external internet address from within the LAN; I must use its internal LAN address.
• join a battlenet game of starcraft hosted by someone on the same LAN.

I know there is a kernel patch for 2.2 that will introduce this ability, but it breaks the ipchains code's security.

Looking at the way iptables works, I think this should be possible (Port forwarding would be done before routing, and masqing done post-routing), but it is not addressed specifically anywhere that ive seen.

Anybody know?

Disclaimer: Ive asked this question before on K5, but nobody seemed to have a ready answer. Maybe the broader audience

Re:Remasqing Packets

[Pegasus]

Afaik it does all this. It's described in netfilter howto (http://netfilter.kernelnotes.org/unreliable-guide s/).

Re:Remasqing Packets

[slamb]

Some of the things I cannot do are:

join a battlenet game of starcraft hosted by someone on the same LAN.

I have this problem, too, but I don't think there's anything Linux or other NAT-capable OSs can do about it. I found this on the blizzard homepage a long time ago:

Q: I can play games but only with one machine at one time.
A: This is because you only have one IP address.

So it sounds like battle.net needs a unique IP for each user. I think I'd be preaching to the choir if I said how incredibly stupid this is.

Re:Remasqing Packets

[Srin+Tuar]

I dunno, but diablo may be client/server.

Starcraft on the other hand uses a peer/servant networking paradigm. The reason for this is so: A hosts a game. B and C join the game. A dies. The game must continue so that B and C can continue to fight each other even if A's machine is powered off. In a pure client/server model- the game is over when A quits. In starcraft, ever computer is an equal, so B and C are both clients and servers= the game goes on.

Then where are the SPECweb benchmarks for BSD?

[cpeterso]

If BSD/OS is sooo much faster than Linux 2.4, then why does NO ONE use any BSD for SPECweb benchmarks ? I see Linux 2.4, Windows 2000, AIX, Tru64, and HPUX.

Re:Then where are the SPECweb benchmarks for BSD?

[Mihg]

Most likely because *BSD doesn't have major corporate sponsorship like Linux does.

(However, TUX still beats the crap out of *BSD (and damn near anything else) at web-serving any day... :-)
---
The Hotmail addres is my decoy account. I read it approximately once per year.

Re:Then where are the SPECweb benchmarks for BSD?

[Mihg]

How does being in-kernel make a web server (or any type of server, for that matter) make it insecure?

Lot's of things are already in the kernel. Their presence doesn't hurt security, so why should a web-server?

Oh, btw. TUX isn't exactly a webserver. It's more of a kernel-side object cache that can be extened by modules or user-space apps to speak various protocols.

---
The Hotmail addres is my decoy account. I read it approximately once per year.

Re:Then where are the SPECweb benchmarks for BSD?

[bugg]

Because a buffer overflow in TUX would lead to total system comprimise.

Re:Then where are the SPECweb benchmarks for BSD?

[Mihg]

Yeah, but a buffer overflow in knfsd, smbfs, ncpfs, nfs or any of the device drivers would also lead to a total system compromise. I fail to see your point.
---
The Hotmail addres is my decoy account. I read it approximately once per year.

Re:Then where are the SPECweb benchmarks for BSD?

[bugg]

Keep tasks that can be reasonably accomplished outside of the kernel outside of the kernel. It's that simple.

So we can't easily take [filesystem_here] out of the kernel and expect reasonable results. But, we can and do implement a webserver in userland.

Tell me- would you like apache to run as root, keep root, and have full access to your hardware? That's what you're doing with TUX.

Re:Then where are the SPECweb benchmarks for BSD?

[Mihg]

But there's one thing that you can't reasonably accomplish outside of the kernel: speed. Or, perhaps I should say, blindingly fast, beat-ther-crap-outta-NT speed. So, there are (obviously) tradeoffs. However, ther Linux kernel is usually well tested, and there are a lot of smart people working on the kernel. Someone would probably notice it, especially because it is a security sensitive area of the kernel.

BTW, TUX isn't equivalent to running Apache as a kernel thread. TUX has limited abilities. It only does the fast/easy stuff. Anything harder gets handed to a user-space process, whether it be a webserver or TUX client program. So the amount of functionality in TUX that is actually in-kernel is much smaller that Apache.

---
The Hotmail addres is my decoy account. I read it approximately once per year.

Re:Yep, big problem

[Ben+Hutchings]

The main problem that this doesn't address is the fact that the kernel still has to do translations from big-endian to little-endian.

Which takes so much time.

Linux is a little-endian architecture

No, it's an operating system. i386 is a little-endian architecture, though.

so when a packet comes in that's big-endian

Network byte order is big-endian. What are you talking about?

Re:Oh yeah? Where's the journaling filesystem or S

[SoftwareJanitor]

The typical Linux user does NOT have a multiprocessor machine.

Actually dual Celeron and P2/P3 Linux boxes are pretty common. While certainly not everyone has one, I do, and I probably know at least 6 or 7 other people who do as well.

Deciding what a 'typical' user is, now that is the problem.

FTP monitoring is BAD!

[bug]

For those of you not familiar with stateful firewalling, it is an incredibly good thing. I've gone from using ipfwadm to using ipchains to finally using ipfilter on BSD. Because of ipf's support of stateful filtering, my firewall rulesets were *much* simpler. Given that many (most?) problems associated with firewalls is the complexity of the configuration, this is a Very Good Thing(tm). After migrating from linux/ipchains to BSD/ipf, I was able to add serious protection for my network, including my high ports (which often run the most vulnerable services, namely RPC services). I haven't used netfilter/iptables, but it looks to be a *huge* step forward for Linux.

All that being said, I have a major problem with this article. It seems to suggest to users that FTP monitoring to handle active FTP clients is a good idea. In fact, this is a *terrible* idea. I got to watch Dug Song et al at BlackHat walk right through a CheckPoint FW1 system like it wasn't even there by exploiting some assumptions that FW1 made when monitoring FTP for the PORT commands. It sounds to me like the netfilter/iptables support for FTP functions in a very similar manner as FW1. If you must support FTP through your firewall, make your users use passive FTP. Every modern FTP client and every modern FTP server that I've seen all support passive FTP. Of course, a better approach is to encourage secure communications, like scp or SSL.

Bottom line, the best firewall design is the simplest one possible that gets the job done. Adding neato features like payload monitoring to poke extra holes in the firewall is diametrically opposite this philosophy.

Also, please remember that a firewall only serves as a method of blocking traffic between network segments. It does not magically secure network traffic from viewing, spoofing, manipulating, or hijacking (you need to use protocols that support strong authentication and strong cryptography to achieve this). It does not secure the applications or systems which you allow traffic to touch (you need to use secure OSes under secure configurations to accomplish this). It does not magically protect your systems against insider threats (you need to have good people working for you, restrictions on outside connectivity, and thorough physical security to accomplish this). Remember, crunchy on the outside and soft and gooey on the inside is great for candy, bad for networks.

Re:FTP monitoring is BAD!

[Admiral+Burrito]

If you must support FTP through your firewall, make your users use passive FTP. Every modern FTP client and every modern FTP server that I've seen all support passive FTP. Of course, a better approach is to encourage secure communications, like scp or SSL.
Bottom line, the best firewall design is the simplest one possible that gets the job done. Adding neato features like payload monitoring to poke extra holes in the firewall is diametrically opposite this philosophy.

Even worse, payload monitoring and encryption (SSL, IPSec) prevent each other from working. If you're using payload monitoring, encrypted packets will be un-monitorable and things like the "port" command will never be seen, thus preventing the connection from being allowed through the firewall. So in cases where payload monitoring is in place it discourages the deployment of crypto. Likewise, when crypto is deployed it discourages stateful filtering, but that seems to be a relatively good thing because proper encryption should be considered more important than filtering hacks IMHO.

Re:FTP monitoring is BAD!

[drsoran]

TIS (now NAI) had the right idea. Gauntlet provides a nice transparent application gateway firewall. Unfortunately since they EOL'd their BSDI version the only support on x86 hardware is NT. It'd really be nice if they came out with a Linux or even OpenBSD version. The only other options are Solaris or HPUX. Somehow I doubt that's going to happen. I just hope NAI keeps their head above water so they don't end up getting bought out by a company like Checkpoint. I think Firewall-1 points out that having the most popular product doesn't make it the most secure.

iptables vs ipfilter

[evildead]

I've used iptables a bit. It's even running a firewall or two here with it. However, I have heard very good things about BSD ipfilter, of which I think iptables is a derivative work. Plus, ipfilter has been out longer in production. I would be curious to see a ./ shoot-out between the two.

Re:networking Linux vx networking *BSD

[johnnyb]

Actually, identical hardware benchmarks are very poor, because it assumes that each system exploits that hardware to its fullest. The best benchmarks is to have two camps, give them each X number of dollars, and build the best server, and then compare those. For example, if the system has a TULIP ethernet card, and OS A supports it well, and OS B doesn't, then the OS A will win, even if OS B is fater on an EEPro. So, for stuff like this, its better just to do it based on dollars.

Re:networking Linux vx networking *BSD

[Alejo]

Read ACM/SIGCOMM papers. It's all there.
I am talking CURRENT (not plain Reno) TCP stack. (Try google and don't foolishly flame without reading all the many great papers they publish)

Not Invented Here

[Admiral+Burrito]

Stateful firewalling isn't exactly new technology, and it's even been with the rest of the open source world (BSDs) in the form of ipf for quite a long time- it's gotten so ubiqutious, for example, that FreeBSD's ipfw is now stateful as well.

Darren Reed's IP Filter ("ipf") is very cross-platform and not exclusive to BSD. It works with several other *nixes as well.

What's really interesting is that linux used to have stateful firewall support, via ipf! That's right, IPF used to work with Linux. But somewhere along the way with all of the changes to the Linux kernel IPF stopped working and nobody bothered to do the maintainence.

Instead of doing the required work on the mature stateful firewall package that is ipf, the linux folks put up with stateless ipchains for the longest time before finally adding state to ipchains. Shame!

This isn't exclusive to Linux though. FreeBSD's IPFW was made stateful even though IPF has always worked under FreeBSD. Reason? IPFW supports ethernet bridging, while IPF doesn't. No doubt there are similar reasons for ipchains over ipf: filtering based on MAC addresses was mentioned (although the desired results have always been do-able with static ARP).

Instead of re-inventing the square wheel, why didn't these people enhance IPF with the desired functionality? Isn't that what open source is all about? Must NIH prevail???

Re:Not Invented Here

[ghassanm]

if Linux kept ipf, then there would be no end to several BSD folks criticism about how Linux just steels code.

Re:Not Invented Here

[Error27]

It's not just a matter of having the features, but also implementing them cleanly. I think it's pretty clear that Rusty used Darren Reed's ideas throughout. But from what I've read 2.2 kernel firewalling sounds severely damaged and needed to be scrapped.

The new implementation is not only more flexible and powerfull but much cleaner. I think before the firewall code was spread out in something like 11 different files?

I also like the new abstractions where you just break things down into simple catagories:
You can filter a packet (1)as it comes to the computer or (2)as it leaves. (3)You can filter a packet if it comes from outside and is destined to this computer. (4)You can filter a packet if it comes from outside the computer but is just passing through to another computer. (5)Or you can filter a packet if it was created on this computer.

Simple! Any packet can be fit into at least two of those five catagories.

In Linux 2.2 masquarading was a seperate hacked on peice of code. But in linux 2.4 you don't need it any more because you can just say, "If I'm masquarading a packet then it would come from outside and it would pass through my computer with out stopping so I can just filter those types of packets."

So in the end rewriting it from scratch not only adds cool features but makes it easier to write kernel code because you don't have to edit as many files and the code is cleaner. It provides a simple abstraction so life is easier for users. And kernel hackers can be lazier because because they don't need to code ip masquarading as a seperate feature. I think laziness is something we all can appreciate.

Re:Not Invented Here

[rob_macgregor]

This isn't exclusive to Linux though. FreeBSD's IPFW was made stateful even though IPF has always worked under FreeBSD. Reason? IPFW supports ethernet bridging, while IPF doesn't.

I think you'll find that IPF does support bridging (at least these days), indeed that's one of the features that sold me on it.

Re:Not Invented Here

[Lazaru5]

IP Filter does not itself do Bridging. On OpenBSD, it's done with virtual bridgeN interfaces, and on FreeBSD with kernel sysctls.

If you meant that ipf can be used as a transparent firewall on a bridging box, then yes, it can do that.

Re:Way to catch up guys

[Schnedt+Microne]

Seems to me that 'coolness' is only a issue if it's made an issue.

I'm busy using computers to do stuff.

Then again, I guess we're all here to strut our stuff... or else why would we post on /.?

Re:You sissy!!!!

[plover]

Yeah, well, we had it tough.

Wood and metal scraps. Paper. What luxury! We had to scratch the O.S. into stone tablets with just our fingernails, using only zeros and ones. And we never had enough ones. Whenever we ran out of ones, we had to make do with just zeros.

And we'd have given anything to have a gerbil. We had to get a group of half-starved cockroaches running in the same direction on an old 45 RPM turntable, and that's not easy, let me tell you. And for blinking lights, we had to rent fireflies, we couldn't afford to actually buy them outright, you know.

You kids today, you don't know how lucky you have it.

John

H.323 Audio Streams, rtp and rtcp packets

[smutt]

Will this allow me to use a 2.4 Linux box as a firewall for rtp streams? My BSD firewall at home allows me to do this. I didn't read the article so feel free to tell me to RTFM.

Stateful firewalling not available?

[gatekeep]

I beg to differ. Stateful firewalling has been available under linux. Maybe not out of the box, but Checkpoint's FW-1 will run on linux and is indeed stateful. Maybe you meant to say that stateful firewalling was unavailable under linux for FREE, but that's not to say it wasn't available.

Re:Way to catch up guys

[RedWizzard]

Of course not. BSD comes under a fair license that actually gives you choice and control of your code, unlike the GPL, which forces everyone who uses it to keep it open for the world to see. No choice, just forced openness.

So if the BSD license(s) are so great and fair while has it taken a GPL'd Unix to catch peoples' attention? Why is Linux the free OS that so many big companies have decided to support?

Re:Good Point.

[Mr+Z]

The MAC address is hardwired in, but it's the software layers that put the address in the packet or program the Ethernet MAC's registers with most cards. As I understand it, in many cases under Linux, you can change the effective MAC address for a card with ifconfig.

I believe this is the flag that does the magic:

hw class address

Set the hardware address of this interface, if the device driver supports this operation. The keyword must be followed by the name of the hardware class and the printable ASCII equivalent of the hardware address. Hardware classes currently supported include ether (Ethernet), ax25 (AMPR AX.25), ARCnet and netrom (AMPR NET/ROM).

Does that answer your question?

At any rate, I know it's possible to do this by hacking the driver in the kernel (at least for NE2K clones), as I've done this personally in a previous life...

--Joe
--

Re:You sissy!!!!

[Pheersum]

Well then, invent your own language to speak first and then get back to us, using the new language of course. Maybe it will be called "eliteistspeak" or something.

Ashes of Empires and bodies of kings,

Re:You sissy!!!!

[letchhausen]

We didn' t have the wherewithal to "invent" a language. We coded in grunts and if I used it now none of you whippersnappers would get it. You guys with your MIT degrees and your god Chomsky always talking about Language and Liguistics and Fortran and LISP and C and all the rest of your newfangled languages and crazy language ways. This is what happens when you try to build a tower to god. A babel-esque plethora of OS's and more languages than you know what to do with. Before it was just about moving from roaches to gerbils as that other guy pointed out. That was called progress! Then it became competitive and now look what you have! A mess I tells ya a MESSSSSSSSSSSSSSS!!!!!!!!!!!! Why if I wasn't in this iron lung I'd whip the lot o' ya!!!!

Not all major players allow passive FTP

[macdaddy]

The subject says it all. Not all FTP sites of major players allow passive FTP. Most do but not all. How will you explain to a user trying to download a firmware update for something that he has to go home to do it because your firewall won't let him out? That might work at a large company, but at a place where people pay for 'Net access like a University, that doesn't fly.

--

Figure I'll add my $.02

[psxndc]

I just, and I mean last week, installed OpenBSD as my firewall and I LOVE it. I have the book Building Linux and OpenBSD Firewalls by Sonnenreich and Yates and between that and the BSD man pages/online docs I had no trouble setting it all up. And I'll be the first person to call myself a *nix newbie.

I don't have numbers comparing their stacks, or SMP ability data (why do you need a multi-proc firewall unless you're doing it for a large company?), but from a user standpoint, I think OpenBSD is fantastic and I recommend that anyone remotely interested in security find a P-166MHz with a 2 gig drive and throw it on, just to try out.

psxndc

Re:Way to catch up guys

[Aunt+Mable]

Wow.. and you managed to include some slashdot bashing too.

Go to K5, collect $200, wanker.

-- Eat your greens or I'll hit you!

Re:Way to catch up guys

[psxndc]

I posted a comment a little earlier, but I'm re-posting for emphasis: "Building Linux and OpenBSD Firewalls" is a must read (at least for OpenBSD newbies). This book is FANTASTIC (yes, good enough to warrant caps). I set up my OpenBSD firewall last week and this book was an immense help (so is the OpenBSD documentation to be fair). It walks you through setting up the entire system (though it doesn't recommend separate partitions for /usr, /tmp, etc and it's a tad out of date (OBSD 2.5)). If you're interested in OpenBSD, I highly recommend it.

psxndc

VPN

[ScumBiker]

Does anyone know how I would go about setting up a VPN using this stuff? I know how to do it using Checkpoint and SecuRemote, but what's the open source way? Please feel free to email me if you don't want to answer here.



Dive Gear

Comment removed

[account_deleted]

Comment removed based on user account deletion

Uh-huh...

[erc]

Cool, but why the hell didn't they do this in 2.0, instead of screwing yet again with sysadmins around the world? First it was ipmasq, then ipchains, now it's iptables. Yet another thing for sysadmins to learn ... again. Why can't they do it right the first time, or at least make it compatible?

Here it is..

[whydna]

go here http://www.sun.com/solaris/binaries/
it's $75 for the cost of the media plus shipping and handling...

-andy

Re:Typical ignorant American

[GypC]

No it's not typical... but there are a lot of ignorant rednecks here in the U.S. Just like any other country. It's not like human nature makes sudden dramatic shifts when crossing artificial borders.

More than likely it's just some kid trying to get a rise out of you. The question is, why did it strike such a nerve with you? Why the hostility directed at U.S. citizens rather than ignorant and hateful human beings in general?

The U.S. governments do not place any blame on minorities, a public official who said any such thing would likely be canned within the week. Racists who do blame minorities for their problems are unfortunately common, but not generally in the majority (depending on where you live).

The U.S. is just like anywhere else, mostly normal people trying to get by, raise some kids and be happy... I think you're as guilty of prejudice and ignorance as the poster to whom you were responding.

"Oh twap!"

Re:OT -ipnat

[Lonesome]

By either using SOCKS or redirecting incoming traffic to a specific port on the box behind the firewall.

e.g.
rdr de0 port 4000 -> port 4000 udp

Paul.

Re:OT -ipnat (fixed up the rdr example)

[Lonesome]

Damn slashdot stuffed up my code:

it should be:
rdr "ext interface" "ext ip" port 4000 -> "internal machine ip" port 4000 udp

Paul.

Re:FTP is really a bad example for statefull firew

[grahamm]

Iptables does not just limit the number of syn packets from a single source. You can rate limit SYN packets from any/all sources. The howto even has an example
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Re:I'm sure iptables is great and wonderful, but..

[Helge+Hafting]

Consider the trustix product then. A linux firewall, and a windows program to configure it.

Re:Good Point.

[mpe]

Changing the MAC address is typically not very easy. If you have the source to the Firmware and you know how to really tickle the LAN chip, then you might be able to do it. MAC address ranges are assigned to vendors. The chip (node, card, whatever) must identify itself to the local ethernet network. It get's this number from a ROM (firmware) database usually. I *suppose* it could be hardwired in, though. There's probably a way to program the chip to tell it has a different MAC address.

What you are missing is that the ROM is actually separate from the ethernet chip. This is rather more obvious on an older card. The only connection between what is in the ROM and the ethernet hardware is the driver. Even if the ethernet chip generates the souce MAC address all it has to go on is what is in it's own registers.

It *is* compatible.

[Styx]

Read the howto