From: Philip Reynolds (phil at domain redbrick.dcu.ie)
Date: Tue 25 Jul 2000 - 15:50:08 IST
Paul Jakma's [paulj at domain itg.ie] 24 lines of dribble included:
:>On Tue, 25 Jul 2000, Philip Reynolds wrote:
:>well i'm not too well up on ipfilter, so i wasn't going to claim that
:>ipchains could do everything it did for fear of reprisals. :)
Well you stated there were some things ipchains did that ipfilter didn't, I
:>ipfilter does do tcp connection tracking though, which ipchains doesn't.
:>(however blocking incoming syn's with ipchains gives you more or less the
:>same amount of protection).
Yeh, ipchains -I input -p tcp ! -y -j ACCEPT is about the closest thing you're
going to get to ipfilter's tracking system. It doesn't keep track of established
connections, and so you can't get it to check if the packet is actually part
of an already established connection. Seems the best you can do is check it's
not the start of a new one.
:>> Ipfilter doesn't work with a glibc system.
:>so am i correct in thinking that ipfilter isn't maintained
For Linux, yes, or it would seem so anyways. It currently ships by default
with FreeBSD and OpenBSD, so I would assume it's maintained.
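The difference Philip describes (the ipchains `! -y` rule only rejects packets that start a new connection, whereas a connection tracker only accepts packets that belong to a connection it has seen) can be shown with a small model. The following Python is an added example written for this archive page; it is not ipchains or ipfilter code, and the addresses, ports and the `Packet`, `ConnTracker`, `compare` and `demo` names are constructed for the illustration.

```python
"""Toy model: stateless SYN filtering vs. stateful connection tracking.

Not ipchains/ipfilter code.  It contrasts the ipchains rule

    ipchains -I input -p tcp ! -y -j ACCEPT

(accept any TCP packet that is not the first packet of a new connection)
with a tracker that accepts inbound non-SYN packets only when they match a
connection previously opened from the inside.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def is_new_connection(pkt):
    """ipchains -y semantics: SYN set, ACK and FIN cleared."""
    return "SYN" in pkt.flags and "ACK" not in pkt.flags and "FIN" not in pkt.flags


def stateless_accept(pkt):
    """Model of `-p tcp ! -y -j ACCEPT` on the input chain: everything that is
    not the start of a new inbound connection is let through, whether or not
    any connection for it exists."""
    return not is_new_connection(pkt)


class ConnTracker:
    """Minimal stateful model: remember connections initiated from the inside
    (outbound SYN) and accept inbound packets only when they belong to one."""

    def __init__(self):
        self.established = set()

    def outbound(self, pkt):
        if is_new_connection(pkt):
            self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_accept(self, pkt):
        if is_new_connection(pkt):
            return False
        # Reverse the tuple: an inbound packet's dst is our side of the flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.established:
            return False
        if "RST" in pkt.flags:           # peer tore the connection down
            self.established.discard(key)
        return True


def compare(outbound, inbound):
    """Feed the outbound packets to the tracker, then judge each inbound packet
    with both models.  Returns {label: (stateless_verdict, stateful_verdict)}."""
    tracker = ConnTracker()
    for pkt in outbound:
        tracker.outbound(pkt)
    return {label: (stateless_accept(pkt), tracker.inbound_accept(pkt))
            for label, pkt in inbound}


# Constructed sample traffic (private and documentation address ranges).
INSIDE = "10.0.0.5"
WEB = "192.0.2.10"
STRANGER = "198.51.100.7"

OUTBOUND = [Packet(INSIDE, 40000, WEB, 80, frozenset({"SYN"}))]
INBOUND = [
    ("syn-ack reply to our connection",
     Packet(WEB, 80, INSIDE, 40000, frozenset({"SYN", "ACK"}))),
    ("data on our connection",
     Packet(WEB, 80, INSIDE, 40000, frozenset({"ACK"}))),
    ("unsolicited ack-only packet to ssh",
     Packet(STRANGER, 1234, INSIDE, 22, frozenset({"ACK"}))),
    ("new connection attempt to ssh",
     Packet(STRANGER, 1234, INSIDE, 22, frozenset({"SYN"}))),
]


def demo():
    return compare(OUTBOUND, INBOUND)


if __name__ == "__main__":
    for label, (stateless, stateful) in demo().items():
        print(f"{label:36s} ! -y rule: {'ACCEPT' if stateless else 'DROP ':6s}"
              f"  tracker: {'ACCEPT' if stateful else 'DROP'}")
```

The third case is the gap the mail points at: an inbound ACK-only packet that belongs to no connection passes the `! -y` rule, because the rule can only tell "new connection" from "not new connection", while the tracker drops it because nothing established matches. Both models agree on the genuine reply packets and on rejecting the bare SYN.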
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:06:59 GMT