“The long-awaited Linux 2.4 kernel has been released and, for
many of us in the Security community, this is a totally joyous
occasion. This article explains the improvements and why you should
be as excited as we are. It should be accessible and interesting to
management types and techies….”
“The 2.4 kernel’s packet filtering system, Netfilter, is Linux’s
first stateful firewall. Stateful firewalls represent a major
technological jump in the intelligence of a firewall and are
present in all serious Enterprise firewalling products. Among many
enhancements, this “statefulness” allows Netfilter to block/detect
many stealth scans that were previously undetected on Linux
firewalls.”
“It’s also much easier to manage! Netfilter’s architecture
allows much easier and more powerful configuration of network
address translation (NAT), transparent proxies, and redirection.
This latter function allows for easier load-sharing server
clustering, i.e., replacing one Web server transparently with four.
Further, Netfilter blocks more DoS attacks by intelligently rate
limiting user-defined packet types, allowing you to block attacks
like SYN floods.”
“Netfilter is a reimplementation of Linux’s firewalling code,
but remains very backward-compatible. This should shorten most
organizations’ migration time and keep the cost in time and
training relatively low.”
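The passages above describe what Netfilter made possible on 2.4 (connection tracking, rate limiting of chosen packet types, NAT, redirection to a transparent proxy, and spreading one public service over several back-end hosts) without showing a ruleset. The script below is an added example, not code or configuration from the quoted article or from the Netfilter project: a small stateful iptables ruleset for a 2.4-era gateway. Interface names (eth0/eth1), the 10.0.0.0/24 network, the 203.0.113.10 public address, the four-host web pool and the proxy port 3128 are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the article quoted above: a minimal stateful
# ruleset for a Linux 2.4 / Netfilter gateway showing the features the
# passage names: connection tracking, SYN-flood rate limiting, NAT,
# transparent-proxy redirection and DNAT-based load sharing across a
# pool of web servers. Interfaces, addresses and ports are assumptions.

IPT=${IPT:-iptables}
WAN=eth0                    # assumed Internet-facing interface
LAN=eth1                    # assumed internal interface
LAN_NET=10.0.0.0/24         # assumed internal network
PUBLIC_IP=203.0.113.10      # assumed public address (documentation range)
WEB_POOL=10.0.0.1-10.0.0.4  # assumed pool of four internal web servers
WEB_NET=10.0.0.0/29         # smallest CIDR block covering the pool
PROXY_PORT=3128             # assumed local transparent proxy port

# Emit the rules one per line, without the iptables binary in front.
# Keeping generation separate from application lets the set be reviewed
# (or tested) without root and without touching the live kernel tables.
fw_rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-N syn-flood
-A INPUT -i $WAN -p tcp --syn -j syn-flood
-A FORWARD -i $WAN -p tcp --syn -j syn-flood
-A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
-A syn-flood -j DROP
-A INPUT -i $LAN -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN -o $LAN -p tcp -d $WEB_NET --dport 80 -m state --state NEW -j ACCEPT
-t nat -A POSTROUTING -o $WAN -s $LAN_NET -j SNAT --to-source $PUBLIC_IP
-t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
-t nat -A PREROUTING -i $WAN -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_POOL
EOF
}

# Apply the ruleset through $IPT (iptables by default; set IPT=echo for a
# dry run). Flushing both tables first makes the script safe to re-run.
apply_rules() {
    "$IPT" -F && "$IPT" -X && "$IPT" -t nat -F && "$IPT" -t nat -X || return 1
    fw_rules | while IFS= read -r rule; do
        # Word-splitting $rule into separate arguments is intended here.
        "$IPT" $rule || exit 1   # leaves the pipeline subshell, failing the pipe
    done
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run it as root with `sh fw.sh apply`; `IPT=echo sh fw.sh apply` prints the commands instead of loading them. The `INVALID` drops are the stateful check behind the "stealth scan" point: a packet that does not open a connection and does not belong to a tracked one is refused regardless of its flags. The `syn-flood` user chain is the common 2.4 idiom for rate limiting: SYNs are passed back to the calling chain at up to one per second (with a burst of four) and anything beyond that is dropped; in this script the limit bucket is shared by the INPUT and FORWARD jumps. The DNAT rule with an address range is what turns one public web address into four back-end servers on the 2.4 NAT code, and the REDIRECT rule sends the internal network's outbound HTTP through a local transparent proxy.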