IPFilter 4.1: questions

02-12-2004
Guido van Rooij

Darren,

First of all..Great work on this new release!

I see the following in the WhatsNew file and have a couple of questions.
Some of them are easily answered by reading the code, yet in this way
I have at least identified a number of options.


- IP-Filter framework in place for handling multiple different
types of packet matching for firewalling.
What do you mean by that?

- Can convert IPv4 ipf rules into C code and either:
* load them as an LKM, or;
* compile them statically into the kernel (where possible.)
Do you have measurements/guesstimates on the performance gain?

- NAT/ipf rules can refer to each other via a tag, creating an implied
join that forms part of the packet matching.
How does this work? Can you give an example?
I do see "tag" for ip_nat, and "match_tag" and "set_tag" in ipf, but
don't understand what it means.


- Extra packet attributes available for filter rules:
* source address/routing interface mismatch;
How do you specify this? ("bad-src"? If so, what is "bad"?)
* multicast (3);
Is this "multicast"?
* broadcast (2,3);
I take it this is "bcast"?
What is "mbast"? is it broadcast or multicast?
* state lookup partially failed;
How do you specify this? And what exactly does it mean?
* out of the TCP window for a state connection;
Is this "oow"?
* NAT lookup partially failed.
Is this "bad-nat"?
What is "nat"?
- PPS (packets per second) matching available for ipf rules.
This is "pps"?


- Rule collections (cf FreeBSD numbering) supported for ipf rules.
What do you mean by that?

Stateful Inspection:
- Can insist that all TCP data arrives in order.
This is specified with "keep state (strict)", right?
- Can insist that all fragments pass through in order.
This is specified with "keep frag (strict)", right?
- The number of states created per-rule can be set where the total
across all rules may exceed the maximum allowed.
may exceed -> may not exceed, I take it?
This is specified with "keep state (limit 10)", right?

- Can elect not to automatically match ICMP error packets.
This is specified with "keep state (noicmperr)", right?
- TCP sequence number rewriting supported.
This is specified with "keep state (newisn)", right?

And combining these one can have:
keep state (newisn, limit 100, strict)

-Guido

ps: this stuff for sure does not yet compile on later FreeBSD 5 releases
(FreeBSD_version >= 501113)
I'll send patches either later today or tomorrow.

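A small ruleset that puts the options asked about above into context, added here as an illustration; it is not taken from the original post, from Darren's reply, or from the IPFilter distribution. It uses the option names exactly as Guido quotes them (bad-src, bad-nat, oow, pps, keep state (newisn, limit, strict, noicmperr), keep frag (strict)) together with the `with` keyword for packet attributes. The exact spelling of each option, where `pps` sits in a rule, whether `keep frag` takes a `(strict)` argument, and the interface name fxp0 and the addresses are assumptions to be checked against ipf(5) and the WhatsNew file for the 4.1 release before use.

```conf
# Added example ruleset (not from the original post or from IPFilter).
# Option names follow the post; spellings, "with", and the placement of
# "pps" are assumptions to verify against ipf(5) for 4.1.

# Spoofed source: the source address would not route back out the
# interface the packet arrived on. Log so the attempts are visible.
block in log quick on fxp0 from any to any with bad-src

# A packet that matched a NAT rule but whose NAT lookup only partially
# succeeded is dropped rather than silently forwarded.
block in log quick on fxp0 from any to any with bad-nat

# A TCP segment that belongs to a known state entry but falls outside the
# window it expects is dropped; logging these shows window probes and
# sequence-number guessing.
block in log quick on fxp0 proto tcp from any to any with oow

# Rate-limit new SSH connections: drop SYNs to port 22 above 50 packets
# per second for this rule.
block in log quick on fxp0 proto tcp from any to any port = 22 flags S/SA pps 50

# Admit the remaining SSH SYNs with state: at most 100 entries for this
# rule, data must arrive in order (strict), the initial sequence number is
# rewritten (newisn), and ICMP errors referring to the connection are not
# automatically matched (noicmperr).
pass in quick on fxp0 proto tcp from any to any port = 22 flags S/SA keep state (newisn, limit 100, strict, noicmperr)

# Fragments to the resolver are reassembled only if they arrive in order.
pass in quick on fxp0 proto udp from any to 192.0.2.53 port = 53 keep frag (strict)

# Everything else inbound is dropped.
block in all
```

The ordering matters: the attribute-based blocks come first and use `quick`, so a spoofed or out-of-window packet never reaches the stateful pass rule, and the `pps` block sits ahead of the `keep state` rule so the rate limit is applied before a state entry is created. Load with `ipf -Fa -f <file>` and confirm the accepted syntax with `ipfstat -io`; any option the 4.1 parser rejects is one of the assumptions noted above.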