Security Portal: Linux Gets Stateful Firewalling - Introducing Netfilter (iptables)
Jan 22, 2001, 08:48
By Jay Beale
"The long-awaited Linux 2.4 kernel has been released and, for many of us in the Security community, this is a totally joyous occasion. This article explains the improvements and why you should be as excited as we are. It should be accessible and interesting to management types and techies...."
"The 2.4 kernel's packet filtering system, Netfilter, is Linux's first stateful firewall. Stateful firewalls represent a major technological jump in the intelligence of a firewall and are present in all serious Enterprise firewalling products. Among many enhancements, this "statefulness" allows Netfilter to block/detect many stealth scans that were previously undetected on Linux firewalls."
"It's also much easier to manage! Netfilter's architecture allows much easier and more powerful configuration of network address translation (NAT), transparent proxies, and redirection. This latter function allows for easier load-sharing server clustering, i.e., replacing one Web server transparently with four. Further, Netfilter blocks more DoS attacks by intelligently rate limiting user-defined packet types, allowing you to block attacks like SYN floods."
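The two quoted paragraphs above describe the three features in the abstract (connection tracking, rate limiting of user-defined packet types, and NAT/redirection); the following is an added example, not code from the article or from the Netfilter project, that shows what they look like as one ruleset in iptables-restore format. Interface names (eth1), ports, the proxy port 3128, the limit values and the log prefixes are all assumptions chosen for illustration; the 192.0.2.0/24 addresses are documentation-only addresses.

```shell
#!/bin/sh
# Added example (not from the article): a stateful Netfilter ruleset emitted
# in iptables-restore format, plus two sanity checks on the generated text.
# All interface names, ports, addresses and limits are assumptions.

netfilter_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_LIMIT - [0:0]
# Loopback is always allowed.
-A INPUT -i lo -j ACCEPT
# The stateful core: packets belonging to a connection the kernel already
# tracks (or related to one, e.g. FTP data, ICMP errors) are accepted. The
# firewall can now tell a genuine reply from an unsolicited packet.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets that match no tracked connection and do not open one (stray
# ACK/FIN/NULL/Xmas probes used by stealth scans) are logged and dropped;
# a stateless filter would have to let many of these through.
-A INPUT -m state --state INVALID -j LOG --log-prefix "NF-INVALID: "
-A INPUT -m state --state INVALID -j DROP
# New inbound SSH/HTTP connections pass through a rate limiter.
-A INPUT -p tcp --syn -m state --state NEW -m multiport --dports 22,80 -j SYN_LIMIT
# Accept up to 10 new connections/s with a burst of 20; beyond that the
# SYNs are logged and dropped, which blunts a SYN flood without closing the port.
-A SYN_LIMIT -m limit --limit 10/s --limit-burst 20 -j ACCEPT
-A SYN_LIMIT -j LOG --log-prefix "NF-SYNFLOOD: "
-A SYN_LIMIT -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Transparent proxy: web traffic arriving from the LAN (assumed eth1) is
# redirected to a local proxy on port 3128 (assumed).
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
# Redirection for load sharing: connections to the public address 192.0.2.1
# are rewritten to the address range 192.0.2.10-192.0.2.13 (documentation
# addresses, assumed to be four web servers).
-A PREROUTING -d 192.0.2.1 -p tcp --dport 80 -j DNAT --to-destination 192.0.2.10-192.0.2.13
# Source NAT for the LAN going out (assumed LAN range and public interface).
-A POSTROUTING -s 192.0.2.128/25 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Sanity checks that can be run on the generated text before loading it.
ruleset_tracks_state() { netfilter_ruleset | grep -q 'state ESTABLISHED,RELATED'; }
ruleset_limits_syn()   { netfilter_ruleset | grep -q 'SYN_LIMIT -m limit'; }

# Loading the ruleset requires root and a 2.4+ kernel with connection
# tracking and NAT support loaded; it is shown here, not executed:
#   netfilter_ruleset > /etc/netfilter.rules
#   iptables-restore < /etc/netfilter.rules
```

The ordering matters: the ESTABLISHED,RELATED rule comes first so that the rate limiter only ever sees the first packet of a new connection, and the INVALID rule comes before any ACCEPT for NEW traffic so that scan probes never reach a service rule.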
"Netfilter is a reimplementation of Linux's firewalling code, but remains very backward-compatible. This should shorten most organizations' migration time and keep the cost in time and training relatively low."