
Security Portal: Firewalling with IPF

IPF is the standard firewall on most BSD platforms and also runs on
several other operating systems, including Solaris, IRIX and earlier
Linux kernels. Its main advantage (there are others) over most
run-of-the-mill open-source packet filters is that it is stateful.
Most packet filters, IPFWADM and IPCHAINS among them, are stateless:
they know nothing about a packet beyond its source address and port
and its destination address and port. They cannot, for example, keep
track of an outbound telnet connection and admit only the packets
returning for it. Stateless packet filters work reasonably well, but
to support certain protocols properly (DNS or FTP, for instance) you
have to punch large holes in the firewall (the alternative, of course,
is a proxy server, but that is not always practical).

“The first thing to do, of course, is get and install IPF; it
comes with most BSD systems and is quite popular on Solaris as
well. Unfortunately the support for Linux seems to have lapsed with
the 2.2 kernels, but if you’ve got a Linux firewall still running
2.0.X you might want to give IPF a spin. If IPF didn’t ship with
your system you will need to compile support into the kernel and
create the user-space tools; luckily the install documentation that
comes with IPF is pretty specific and simple to follow….”

“IPF behaves differently than many firewall packages, which can
be a bit confusing at first. Like most firewall packages it reads
its ruleset from top to bottom; however (without the “quick”
keyword) it does not immediately drop or pass a packet when it
meets a rule that applies to it. Instead it remembers what the
current status of the packet is (pass or block), so the last rule in
the list to apply to it is what decides what will happen. You can of
course emulate simple firewall behavior by using the “quick”
keyword, in which case the packet is immediately blocked or passed.
Needless to say this can create some very complex rulesets, so I
would advise using the “quick” keyword sparingly. All my examples
are based on an OpenBSD 2.6 box (it shouldn’t matter but I thought
I’d mention it anyway), with the external interface being “ne3”
(an NE2000 PCI card) and the internal card “vr0” (a Realtek
something-or-other 10/100 card).”
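The evaluation order described in the quote above (last matching rule wins, unless a matching rule carries “quick”) and the effect of “keep state” are easy to get wrong when reading a ruleset. The following is an added example, written for this page; it is not IPF’s own code and not from the article. It is a toy Python model that parses a small, constructed ipf.conf-style ruleset (reusing the “ne3” external interface name from the quote; the addresses, ports and rules themselves are made up) and evaluates sample packets the way the article says IPF does. One detail the quote does not spell out, but which IPF’s own documentation states and the model reproduces, is that a packet matching no rule at all is passed, which is why real rulesets open with a block-all rule.

```python
# Added example (not IPF's code): a toy model of IPF rule evaluation.
# Rules are read top to bottom; the LAST matching rule decides unless a
# matching rule is "quick"; a "keep state" pass rule lets reply packets
# back in with no explicit inbound rule. Ignores TCP flags, fragments,
# rule groups and everything else real IPF handles.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    direction: str          # "in" or "out"
    iface: str              # e.g. "ne3"
    proto: str              # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None   # None means "any"
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    keep_state: bool = False


def parse_rule(line: str) -> Rule:
    """Parse the small subset of ipf.conf syntax used in SAMPLE_RULES."""
    toks = line.split()
    rule = Rule(action=toks[0], direction=toks[1])
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule.quick = True; i += 1
        elif t == "all":                      # any source, any destination
            i += 1
        elif t == "on":
            rule.iface = toks[i + 1]; i += 2
        elif t == "proto":
            rule.proto = toks[i + 1]; i += 2
        elif t in ("from", "to"):
            net = None if toks[i + 1] == "any" else ipaddress.ip_network(toks[i + 1], strict=False)
            setattr(rule, "src" if t == "from" else "dst", net); i += 2
        elif t == "port":                     # only "port = N" is supported here
            rule.dport = int(toks[i + 2]); i += 3
        elif t == "keep" and toks[i + 1] == "state":
            rule.keep_state = True; i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and rule.dport in (None, pkt.dport))


class Firewall:
    def __init__(self, ruleset: str):
        lines = [l.strip() for l in ruleset.strip().splitlines()]
        self.rules = [parse_rule(l) for l in lines if l and not l.startswith("#")]
        self.state = set()      # entries: (proto, src, sport, dst, dport)

    def filter(self, pkt: Packet) -> str:
        """Return "pass" or "block" for pkt, updating the state table."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:   # established flow: state table wins, rules not consulted
            return "pass"
        verdict, winner = "pass", None          # IPF passes a packet no rule matches
        for rule in self.rules:
            if not matches(rule, pkt):
                continue
            verdict, winner = rule.action, rule  # later match overrides earlier one
            if rule.quick:
                break                            # quick: decide now, skip later rules
        if verdict == "pass" and winner is not None and winner.keep_state:
            self.state.add(key)
            self.state.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))  # reply direction
        return verdict


SAMPLE_RULES = """
# constructed sample ruleset; ne3 is the external interface from the article
block in on ne3 all
block in quick on ne3 from 10.0.0.0/8 to any
pass in on ne3 proto tcp from any to 192.168.1.10/32 port = 25
pass out quick on ne3 proto tcp from 192.168.1.0/24 to any keep state
"""


def demo() -> dict:
    fw = Firewall(SAMPLE_RULES)
    results = {}
    # SMTP from the Internet: rule 1 blocks, rule 3 passes; rule 3 is the last match and wins
    results["smtp_from_internet"] = fw.filter(Packet("in", "ne3", "tcp", "198.51.100.7", "192.168.1.10", 51000, 25))
    # Same SMTP packet from 10/8: rule 2 is quick, so the later pass rule is never reached
    results["smtp_from_10net"] = fw.filter(Packet("in", "ne3", "tcp", "10.1.1.1", "192.168.1.10", 51000, 25))
    # Telnet reply with no prior outbound connection: no state entry, rule 1 blocks it
    reply = Packet("in", "ne3", "tcp", "203.0.113.5", "192.168.1.20", 23, 40000)
    results["telnet_reply_no_state"] = fw.filter(reply)
    # Outbound telnet hits the keep-state rule and creates state...
    results["telnet_out"] = fw.filter(Packet("out", "ne3", "tcp", "192.168.1.20", "203.0.113.5", 40000, 23))
    # ...so the identical reply now passes without any inbound rule for port 23
    results["telnet_reply_with_state"] = fw.filter(reply)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The state check runs before the rules, as it does in IPF, which is what lets the telnet reply through a ruleset whose only inbound rule for that traffic is a block. Swapping the first two sample rules would not change the results, but dropping the word “quick” from the second rule would let the 10/8 SMTP packet through, since the later pass rule would then become the last match.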
