D.4 Host based packet filtering

Like router packet filtering, host based network packet filtering involves examining each packet and deciding what to do with it. But with host based filtering, each machine individually filters the network packets going to, from, or through it. Linux kernels from 2.4 on include support for connection tracking and ``stateful'' packet filtering, which keeps track of ongoing network connections, allowing better filtering decisions to be made based on whether a packet is part of an already allowed connection.

The problem with packet filtering is that it requires generating filtering ``rulesets'' that the iptables or ipchains programs interpret and store in the running kernel. Creating these rulesets by hand is similar to writing software in assembly language. There are now higher level ``languages'' and compilers that can be used to generate the rulesets and provide firewalls. OSCAR installs a ruleset compiler/firewall package called pfilter. For more information, see http://pfilter.sourceforge.net/.
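As an added illustration of the stateful host filtering described above (this is example code, not part of the OSCAR documentation and not pfilter's own code), the following POSIX shell script is a toy ruleset generator in the spirit of a ruleset compiler: it turns a list of allowed inbound TCP ports into iptables commands that accept loopback traffic and packets belonging to already-established connections, accept new connections only on the listed ports, log everything else, and set the INPUT chain's default policy to DROP. The `-m state --state` syntax is the 2.4-era connection-tracking match; the function names, the `DRY_RUN` variable and the port validation are this example's own assumptions.

```shell
#!/bin/sh
# Toy host-firewall ruleset generator (example code, not pfilter).
# Policy input: a space-separated list of inbound TCP ports to allow.
# Output: one iptables command per line, relying on the kernel's connection
# tracking so that reply packets of connections this host initiated are
# accepted without a per-port rule.

# Reject anything that is not a plain decimal port number (1-65535).
# Validation runs before any rule is emitted, so a bad policy produces no
# partial ruleset.
validate_ports() {
    for p in $1; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    return 0
}

# gen_ruleset "22 80": print the iptables commands for the given policy.
gen_ruleset() {
    ports="$1"
    validate_ports "$ports" || return 1
    # Start from a clean INPUT chain with a default-deny policy.
    printf '%s\n' "iptables -F INPUT"
    printf '%s\n' "iptables -P INPUT DROP"
    # Local processes talking to each other over loopback are always fine.
    printf '%s\n' "iptables -A INPUT -i lo -j ACCEPT"
    # Stateful part: packets belonging to a connection already accepted
    # (or related to one, e.g. ICMP errors) are allowed without further checks.
    printf '%s\n' "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only the listed services may receive NEW inbound connections.
    for p in $ports; do
        printf '%s\n' "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Log what falls through; the chain policy then drops it.
    printf '%s\n' 'iptables -A INPUT -j LOG --log-prefix "host-fw drop: "'
}

# apply_ruleset "22 80": run the generated commands as root, or only print
# them when DRY_RUN=1 (the default here, so the script is safe to execute).
apply_ruleset() {
    gen_ruleset "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Stand-alone usage: show the ruleset for SSH and HTTP without applying it.
if [ "${0##*/}" = "hostfw.sh" ]; then
    apply_ruleset "22 80"
fi
```

Running the script as `hostfw.sh` prints the seven commands for ports 22 and 80; the ESTABLISHED,RELATED rule is what distinguishes this from a stateless filter, since without it every reply to an outbound connection would need its own explicit ACCEPT rule. Setting `DRY_RUN=0` and calling `apply_ruleset` as root would load the rules into the running kernel.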



root 2002-11-08