“In yet another set of advancements to the kernel IP packet
filtering code, netfilter allows users to set up, maintain, and
inspect the packet filtering rules in the new 2.4 kernel. This
document explains those changes and tips on how to get
started.”
“The netfilter subsystem is a complete rewrite of previous
packet filtering implementations including ipchains and ipfwadm.
Netfilter provides a large number of improvements, and it has now
become an even more mature and robust solution for protecting
corporate networks.”
“Netfilter provides a raw framework for manipulating packets as
they traverse through various parts of the kernel. Part of this
framework includes support for masquerading, standard packet
filtering, and now more complete network address translation. It
even includes improved support for load balancing requests for a
particular service among a group of servers behind the
firewall.”
“The stateful inspection features are especially powerful.
Stateful inspection provides the ability to track and control the
flow of communication passing through the filter. The ability to
keep track of state and context information about a session makes
rules simpler and tries to interpret higher-level
protocols.”