1. Preface
This paper focuses on the differences between the firewall implementations available under Linux, taking IPChains, iptables and Checkpoint FW-1 as examples.
2. Basic concepts
2.0
Before getting to the point, I will devote a little space to some basic concepts. Although firewall terminology has not changed much over the years, if you have only read some of the early-1990s literature, a few of these concepts may still confuse you. What follows are only the most practical ones; they are not precise definitions, I have simply tried to make them easy to understand.
2.1 Packet filtering:
A class of firewalls. Papers describing such systems appeared in the 1980s. Traditional packet filtering is most often found on routers; dedicated firewall systems usually add extensions to it, such as stateful inspection. A packet filter decides whether to let a packet through by examining the addresses, protocol, ports and so on of each individual packet.
2.2 Proxy:
A class of firewalls. It works at the application layer, and its distinguishing feature is that there are two connections (one between the browser and the proxy, another between the proxy and the web server). If you have doubts about how this works, capture the traffic with a sniffer and look at it. Proxies are not covered in this article.
2.3 Stateful inspection:
Also known as dynamic packet filtering, this is an extension of traditional packet filtering, first proposed by Checkpoint. Traditional packet filtering runs into trouble with protocols that use dynamic ports, such as FTP. You cannot know in advance which ports will need to be opened; if you use static packet filtering and still want the service to work, you have to open every port that might be used, which is usually a very large range and creates unnecessary security exposure. Stateful inspection examines application-layer information (for FTP, the port carried in the PORT and PASV commands) to decide whether a port may be opened temporarily, and closes it again as soon as the transfer ends.
2.4 DMZ (demilitarized zone):
For ease of configuration and management, servers on the internal network that must offer services to the outside are usually placed on a separate network segment; that segment is the demilitarized zone. Firewalls therefore usually have three network interfaces, connected respectively to the intranet, the Internet and the DMZ.
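As an added illustration of the concepts above (packet filtering in 2.1, stateful inspection of FTP in 2.3 and the three-interface DMZ layout in 2.4), here is a small Python model of a packet filter. It is example code written for this edit, not code from the paper or from IPChains, iptables or FW-1. The interface names, addresses (RFC 5737 documentation ranges), ruleset and packets are all constructed; NAT is ignored, and only the FTP PORT command is tracked.

```python
"""Toy three-interface packet filter plus a stateful FTP extension (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed topology (constructed, not from the paper): eth0 = Internet, eth1 = intranet, eth2 = DMZ.
INTRANET = "10.0.0.0/8"
DMZ_WEB = "192.0.2.80"  # public web server in the DMZ


@dataclass(frozen=True)
class Packet:
    in_if: str            # interface the packet arrived on
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn: bool = True      # first packet of a TCP connection
    fin: bool = False     # sender is closing the connection
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str             # "ACCEPT" or "DENY"
    in_if: str = "*"
    proto: str = "*"
    src: str = "*"          # host or CIDR network, "*" = any
    dst: str = "*"
    dport: int = 0          # 0 = any port
    syn_only: bool = False  # match only connection-opening packets (ipchains "-y")

    def matches(self, p: Packet) -> bool:
        """Static check of a single packet's header fields (section 2.1)."""
        if self.in_if not in ("*", p.in_if) or self.proto not in ("*", p.proto):
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want != "*" and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        if self.dport and self.dport != p.dport:
            return False
        return p.syn or not self.syn_only


class PacketFilter:
    """Traditional packet filter: first matching rule wins, default policy DENY."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        return next((r.action for r in self.rules if r.matches(p)), "DENY")


PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class StatefulFilter(PacketFilter):
    """Same rules, plus temporary holes learned from FTP PORT commands (section 2.3)."""
    def __init__(self, rules):
        super().__init__(rules)
        self.expected = set()  # (server, client, client_port) data connections to let in

    def decide(self, p: Packet) -> str:
        key = (p.src, p.dst, p.dport)
        if key in self.expected:       # dynamically opened port
            if p.fin:                  # transfer finished: close it again
                self.expected.discard(key)
            return "ACCEPT"
        action = super().decide(p)
        if action == "ACCEPT" and p.dport == 21:   # inspect the FTP control channel
            m = PORT_CMD.search(p.payload)
            if m:
                h = [g.decode() for g in m.groups()]
                self.expected.add((p.dst, ".".join(h[:4]), int(h[4]) * 256 + int(h[5])))
        return action


# Three-interface policy (section 2.4): intranet may go out, the Internet may reach only the DMZ
# web server, and neither the Internet nor the DMZ may open connections into the intranet.
RULES = [
    Rule("ACCEPT", in_if="eth1"),
    Rule("ACCEPT", in_if="eth0", proto="tcp", dst=DMZ_WEB, dport=80),
    Rule("DENY", in_if="eth0", dst=INTRANET, syn_only=True),
    Rule("ACCEPT", in_if="eth0", proto="tcp", dst=INTRANET),  # replies to intranet clients
    Rule("DENY", in_if="eth2", dst=INTRANET),
]


def ftp_active_demo(fw: PacketFilter) -> list:
    """Intranet client 10.1.1.5 fetches a file from Internet FTP server 198.51.100.7 (active mode)."""
    c, s = "10.1.1.5", "198.51.100.7"
    return [fw.decide(p) for p in (
        Packet("eth1", "tcp", c, s, 21),                                      # control connection
        Packet("eth0", "tcp", s, c, 40001, syn=False),                        # server replies
        Packet("eth1", "tcp", c, s, 21, syn=False, payload=b"PORT 10,1,1,5,4,1\r\n"),  # 4*256+1
        Packet("eth0", "tcp", s, c, 1025),                                    # server opens data conn
        Packet("eth0", "tcp", s, c, 1025, syn=False, fin=True),               # transfer ends
        Packet("eth0", "tcp", s, c, 1025),                                    # late SYN to the same port
    )]


def dmz_demo(fw: PacketFilter) -> list:
    # Internet -> DMZ web, Internet -> intranet, DMZ -> intranet, Internet -> DMZ ssh
    return [fw.decide(p) for p in (
        Packet("eth0", "tcp", "203.0.113.9", DMZ_WEB, 80),
        Packet("eth0", "tcp", "203.0.113.9", "10.1.1.5", 445),
        Packet("eth2", "tcp", DMZ_WEB, "10.1.1.5", 22),
        Packet("eth0", "tcp", "203.0.113.9", DMZ_WEB, 22),
    )]
```

With the static filter the fourth packet (the server's data connection back to the client) is denied, so the active-mode transfer fails; with the stateful filter it is accepted, and once the FIN is seen the hole is closed, so the late SYN is denied again. The fourth rule is the IPChains-era way of admitting replies (match on "not SYN"), which lets any non-SYN packet in; tracking every connection, not just FTP, is what a full stateful filter does. A real FTP tracker should also require that the address in the PORT command equals the client's own source address, otherwise a client can open a hole towards a third host.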
2.5
Because a firewall occupies a strategic position in the topology (usually the critical exit point of the network), firewalls typically also provide features such as NAT, IP masquerading and VPN; these are not covered in this article.
3. Inspection points
3.0 Overview
Packet filtering must examine IP packets, so it works at the network layer: it intercepts IP packets and compares them against user-defined rules.
3.1 IPChains
Excerpt from [3]:
        ----------------------------------------------------------------
        |            ACCEPT/                              lo interface |
        v           REDIRECT                  _______                  |
--> C --> S --> ______ --> D --> ~~~~~~~~ -->|forward|----> _______ -->
    h     a    |input |    e    {Routing }   |Chain  |     |output |ACCEPT