Re: where the people are using iptables
On Thu, May 06, 2004 at 09:40:25AM +0200, Yasar Arman wrote:
> On Wed, 5 May 2004, David Fokkema wrote:
> > Basically, this means that every linux based firewall, whether it be
> > graphical point-and-click interfaces, or script generating firewalls or
> > whatever, they all use iptables to install their rules into the kernel.
> That's not true. There are some closed-source firewalls out there (e.g.
> Checkpoint FW-1) which have their own filters.
> What you mean is that many of the GUI/script firewall implementations
> (e.g. SuSEfirewall, firehol, firestarter, astaro, etc.) are
> just frontends for iptables/netfilter.
just to make it really clear, iptables/netfilter is not the firewall,
it is a packet filter. it inspects packet source, destination, ports
(and of course much more), and denies or accepts traffic. all it does
is based on information gathered from the packet header structure,
not the data portion of it.
however, firewalls are applications which do inspect the data portion
of the packets, i.e. they do ensure that what is going through port 80
really _is_ http traffic, and port 22 is the _ssh_ traffic. so no one
on the internal staff, even if allowed to run an http server on his/her office
computer, is able to install some kind of redirector and pipe the ssh
traffic through the allowed port 80. iptables - as a packet filter - will
accept any matching traffic (dst port 80) to go inside, while the firewall
would stop it (and buzz the fw admin etc).
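The distinction drawn in the message above, as an added example that is not code from the thread or from the netfilter project: a header-only decision (destination port allowed or not) beside a check that the data portion actually carries the protocol expected on that port. Everything here is constructed: the addresses, the allowed-port table, the packets, and the deliberately minimal protocol classifier (it only looks at the first bytes of a single packet; a real application-layer firewall reassembles the whole stream).

```python
# Added example, not from the mailing-list thread: a packet filter decides on
# header fields, an application-level firewall also looks at the payload.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed header-level policy: inbound TCP to 80 (http) and 22 (ssh) is
# allowed, everything else is dropped. This is all a packet filter sees.
ALLOWED_DPORTS = {80: "http", 22: "ssh"}


def packet_filter(pkt: Packet) -> str:
    """Header-only verdict: ACCEPT if the destination port is in the allow list."""
    return "ACCEPT" if pkt.dport in ALLOWED_DPORTS else "DROP"


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_payload(payload: bytes) -> str:
    """Guess the application protocol from the first bytes of the data portion.

    Assumption: an SSH stream opens with its version banner ("SSH-..."), and an
    HTTP request opens with a request line ending in " HTTP/1.x".
    """
    if payload.startswith(b"SSH-"):
        return "ssh"
    first_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in first_line:
        return "http"
    return "unknown"


def application_firewall(pkt: Packet) -> Tuple[str, str]:
    """Header rule first, then require the payload to match the port's protocol."""
    verdict = packet_filter(pkt)
    if verdict != "ACCEPT":
        return verdict, "destination port not allowed"
    expected = ALLOWED_DPORTS[pkt.dport]
    seen = classify_payload(pkt.payload)
    if seen != expected:
        # This is the case from the message: ssh piped through the allowed port 80.
        return "DROP", f"port {pkt.dport} expects {expected}, payload looks like {seen}"
    return "ACCEPT", f"{expected} on port {pkt.dport}"


# Constructed sample traffic (documentation addresses, made-up payloads).
SAMPLE = [
    Packet("203.0.113.5", "192.0.2.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("203.0.113.5", "192.0.2.10", 22, b"SSH-2.0-OpenSSH_3.8p1\r\n"),
    Packet("203.0.113.5", "192.0.2.10", 80, b"SSH-2.0-OpenSSH_3.8p1\r\n"),  # ssh on port 80
    Packet("203.0.113.5", "192.0.2.10", 8080, b"GET / HTTP/1.0\r\n\r\n"),
]


def compare(packets: List[Packet]) -> List[Tuple[int, str, str]]:
    """Return (dport, packet-filter verdict, application-firewall verdict) per packet."""
    return [(p.dport, packet_filter(p), application_firewall(p)[0]) for p in packets]


if __name__ == "__main__":
    for pkt in SAMPLE:
        fw_verdict, reason = application_firewall(pkt)
        print(f"dport={pkt.dport:<5} packet filter: {packet_filter(pkt):<6} "
              f"application firewall: {fw_verdict:<6} ({reason})")
```

Running it shows the third packet accepted by the header rule and dropped by the payload check, which is exactly the gap the message describes; the fourth packet is dropped by both, since the port rule already covers it.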