Security Portal: Firewalling with IPF
Feb 17, 2000, 01:45
(Other stories by Kurt Seifried)
"IPF is the standard firewall for most BSD platforms, and works on a variety of other operating systems, such as Solaris, IRIX and earlier versions of Linux. The main advantage (there are other advantages too) of IPF over most run-of-the-mill OpenSource packet filters is that it is stateful. The majority of packet filters, like IPFWADM and IPCHAINS, are not stateful, that is to say they don't know anything about the packet beyond its source IP / port and destination IP / port. They cannot, for example, keep track of outbound telnet connections and only allow the returning packets in. Stateless packet filters work relatively well, but in order to enable certain protocols properly (such as DNS or FTP) you need to punch big holes in your firewall (the alternative of course would be to use proxy servers, but this is not always practical)."
"The first thing to do of course is get and install IPF; it comes with most BSD systems, and is quite popular in Solaris as well. Unfortunately the support for Linux seems to have lapsed with the 2.2 kernels, but if you've got a Linux firewall still running 2.0.X you might want to give IPF a spin. If IPF didn't ship with your system you will need to compile support into the kernel and create the user-space tools; luckily the install documentation that comes with IPF is pretty specific and simple to follow...."
"IPF behaves differently than many firewall packages, which can be a bit confusing at first. Like most firewall packages it reads its ruleset from top to bottom; however (without the "quick" keyword) it does not immediately drop or pass a packet when it meets a rule that applies to it. Instead it remembers what the current status of the packet is (pass or block), so the last rule in the list that applies to it is what decides what will happen. You can of course emulate simple firewall behavior by using the "quick" keyword, in which case the packet is immediately blocked or passed. Needless to say this can create some very complex rulesets, so I would advise using the "quick" keyword sparingly. All my examples are based on an OpenBSD 2.6 box (it shouldn't matter but I thought I'd mention it anyways), with the external interface being "ne3" (an NE2000 PCI card) and the internal card "vr0" (a Realtek something or other 10/100 card)."
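The last-match-wins behaviour and the "quick" short-circuit described above are easy to get wrong when reading a ruleset, so here is an added example (not the author's code, nor part of IPF) that models that evaluation order over a tiny subset of ipf.conf syntax. The ruleset, the interface name "ne3" and the addresses are constructed; only exact-host or "any" address matching is modelled, and the default pass for an unmatched packet is an assumption about IPF's compiled-in default.

```python
import re
from collections import namedtuple
# Subset of ipf.conf syntax modelled here (assumption: nothing else is parsed):
#   <pass|block> <in|out> [quick] on <iface> [proto <p>] from <src|any> to <dst|any> [port = <n>]
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)\s+(?P<quick>quick\s+)?on\s+(?P<iface>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?$"
)
Packet = namedtuple("Packet", "direction iface proto src dst dport")

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    r = m.groupdict()
    r["quick"] = r["quick"] is not None
    r["port"] = int(r["port"]) if r["port"] else None
    return r

def matches(r, p):
    # Addresses match exactly or as "any"; CIDR is not modelled.
    return (r["dir"] == p.direction and r["iface"] == p.iface
            and r["proto"] in (None, p.proto)
            and r["src"] in ("any", p.src) and r["dst"] in ("any", p.dst)
            and r["port"] in (None, p.dport))

def evaluate(ruleset, pkt):
    """Walk the rules top to bottom; return (decision, index of the deciding rule).
    Without "quick" the last matching rule wins; "quick" decides on the spot.
    Assumption: a packet matching no rule passes (index -1), IPF's compiled-in default."""
    decision, deciding = "pass", -1
    for i, line in enumerate(ruleset):
        rule = parse_rule(line)
        if matches(rule, pkt):
            decision, deciding = rule["action"], i
            if rule["quick"]:
                break  # later rules are never consulted for this packet
    return decision, deciding

# Constructed ruleset for the author's external interface "ne3" (not from the article)
RULES = [
    "block in on ne3 from any to any",                     # provisionally block everything
    "pass in on ne3 proto tcp from any to any port = 25",  # ...but SMTP ends up passed (last match)
    "block in quick on ne3 from 192.0.2.9 to any",         # one host is refused on the spot
    "pass in on ne3 from 192.0.2.9 to any",                # never reached because of "quick" above
]

# Same SMTP packet, two sources: the first is passed by rule 1, the second blocked by rule 2.
SMTP_OK = evaluate(RULES, Packet("in", "ne3", "tcp", "198.51.100.5", "203.0.113.1", 25))
SMTP_BAD = evaluate(RULES, Packet("in", "ne3", "tcp", "192.0.2.9", "203.0.113.1", 25))
```

Swapping rules 0 and 1 flips the SMTP decision to block, which is exactly the ordering trap the article warns about; adding "quick" to rule 1 instead pins the decision to pass regardless of what follows.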