Stateful packet inspection


ndelo
12-06-2000, 10:48 AM
Is it possible with linux?

Fandelem
12-06-2000, 04:37 PM
what do you mean by stateful?

you can examine packets *very* closely with tons of (free) programs written in linux, if that is your question.

ndelo
12-06-2000, 05:45 PM
Maybe stateful is the wrong word. Specifically I am looking for something that will block all IP fragments belonging to, and based on the fragment ID of, the original, denied packet. Does masquerading accomplish this? Do ipchains accomplish this by themselves or do they just block packets based on port# and protocol type?

Fandelem
12-06-2000, 06:36 PM
You might want to look into:
http://freshmeat.net/projects/iplog/?highlight=ip+fragment

hope this helps,

~kyle

Gus Brown
12-06-2000, 06:54 PM
"Stateful Inspection" is the buzz word associated with a feature of at least some routers available from Cisco (and perhaps others). Basically (very) it means packets passing on a given port are "inspected" for conformity with a "state" of data deemed normal for that port. If things don't seem as they should be, the port is closed on the fly.

Sorry I do not know of any soft Linux based solutions for this feature, but there could very well be some.

stiles
12-07-2000, 04:02 AM
Yes, Firewall 1 (http://www.checkpoint.com/products/firewall-1/sysrequire.html) runs on linux (and its performance (http://www.checkpoint.com/products/firewall-1/pbrief.html) is pretty good too). Get ready to fork over some bucks for that solution (this is the software running on the Cisco embedded firewalls if memory serves correctly).

Phoenix Adaptive Firewall (http://www.progressive-systems.com/products/phoenix/info.html) is another option, and a bit less expensive too.

The only opensource stateful packet firewall project I know of is Sinus (http://www.ifi.unizh.ch/ikm/SINUS/firewall/), but it appears to be unmaintained.

I've seen a user-space add-on to ipchains that does stateful inspection in debian (http://www.debian.org/distrib/packages).

Stateful inspection (or active inspection, or dynamic inspection, or yadda yadda) means that the firewall keeps state data, that is, information about past packets. It only needs to compare the first packet in a connection to the rule set. If all is good (with a packet), the "state" is added to an internal database. If a rule set for a service requires inspection of application data, then that is inspected also.
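A toy model of the state table stiles describes, extended to the fragment-ID question ndelo asked earlier in the thread. It is an illustration added here, not code from the thread or from any of the products named; the Packet fields, the 5-tuple key and the per-source (src, IP ID) key for denied fragments are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet model; only the fields the filter looks at."""
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    sport: int                      # 0 on non-initial fragments (no transport header)
    dport: int
    syn: bool = False               # TCP SYN: first packet of a connection
    frag_id: Optional[int] = None   # IP Identification field, shared by all fragments
    frag_offset: int = 0            # 0 = first fragment, carries the transport header


class StatefulFilter:
    def __init__(self, allowed_dports):
        self.allowed_dports = set(allowed_dports)
        self.state = set()          # accepted flows, keyed by 5-tuple
        self.denied_frags = set()   # (src, frag_id) of datagrams whose first fragment was denied

    @staticmethod
    def _flow(p):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def accept(self, p: Packet) -> bool:
        # Non-initial fragments carry no ports, so they cannot be matched to a rule;
        # they inherit the verdict of the first fragment through the shared IP ID.
        # (A fragment arriving before its first fragment is not held back here.)
        if p.frag_id is not None and p.frag_offset > 0:
            return (p.src, p.frag_id) not in self.denied_frags
        # Packets of a flow already in the state table pass without a rule lookup,
        # in either direction, which is what lets replies through.
        if self._flow(p) in self.state or self._reverse(p) in self.state:
            return True
        # Only the first packet of a connection is compared against the rule set:
        # TCP must open with SYN, and the destination port must be allowed.
        ok = p.dport in self.allowed_dports and (p.proto != "tcp" or p.syn)
        if ok:
            self.state.add(self._flow(p))
        elif p.frag_id is not None:
            self.denied_frags.add((p.src, p.frag_id))
        return ok
```

A stateless port filter would pass the non-initial fragments unconditionally, because they carry no port numbers to match; the denied_frags set is what closes that gap.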

Fandelem
12-07-2000, 04:29 AM
The Sinus webpage looks like it was last updated 9/28/2000 - you sure they aren't currently developing it?