Re: IPChains vs Cisco IOS Packer Filters
On Thu, Apr 12, 2001 at 11:35:57AM -0700, Jeff Coppock wrote:
> IOS does packet filtering, it's not stateful in any way. You won't be losing anything by using ipchains. Depending on the system you run ipchains on and the router you use, you could get better performance with ipchains on a fast pentium for less money, and it sounds like you'd have more control over it.
>
Hmm, to some extend, cisco router IOS does support stateful packet filtering, using the established keyword in the access list, but the packet filtering options for Cisco IOS are limited, so looking into full blown packet filters would be a wise thing to do.
Personally I use OpenBSD and IPFilter as my firewall, so i'm a bit off topic, but IPFilter is available for Linux and is a stateful packet filter.
IPFilter is quite easy to configure and maintain.
http://www.ipfilter.org
Grtz,
Sander
> As for support, there's a lot of information about ipchains out there, just ask and you shall recieve.
>
> jc
>
> On Thu, Apr 12, 2001 at 09:52:19AM +0200, Eugene van Zyl wrote:
> > Hi,
> >
> > Can anyone tell me whether the Packet Filter on the Cisco IOS does statefull packet inspection ? and whether I'll be losing by replacing it with IPChains on Kernel 2.2.17?
> > Biggest reason being I know nothing about the Cisco IOS and it's also a leased router to which I don't have telnet or console access (only the ISP's net is allowed access to) and I keep on needing to alter rules and it's a bugger having to wait for the ISP to respond to requests :-(
> >
> > PS. What resources are availble on the net on configuring and running a Linux IPChains firewall ? (other that the HOWTO of course :-) )
> >
> > Thanks,
> > Eugene van Zyl
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
Reply to: