Lately I've been reading some guides on Firewalls/Packet Filters (Using IPTables, etc.)...What I don't get is what is different between a Firewall and a Packet Filter. I've always been under the assumption that a Packet Filter _is_ a firewall...

I've also read somewhere that a Packet Filter is easier to breakin/get past than a firewall....

basically, what kind of filtering and differences are there on a firewall than there is packet filtering....as i said, ive always thought the two were basically the same.

The word firewall has been so generically applied that it gets confusing reading reviews and such.

There are three main approaches to firewalling:

1. Packet filter - this simply compares the address and port info of a packet against a set of rules. example: allow incoming port 80.

2. Stateful Packet Inspection - this is the same as the above, but it maintains a table in memory of the 'state' of connections. Works in layer4 (if you're a OSI guy) mostly but will have a peak into Layer 7 (application layer) when a session is started. This makes several sorts of 'spoof attacks' fail, where they coiuld possibly succeed against a 'dumb' packet filter. All ICSA devices fall into this category.

3. Application proxies - these are the most secure but they are a lot slower. All traffic (Layer 7) is inspected, You could allow or disallow a specific command in ftp ( you could disable cd for example). The disadvantage here is that you need a proxy for every service (ftp, http, etc, each get their own), well the speed can be a problem depending on the service and traffic.

skye

Well so far this is my rc.firewall, hehe:

thats all thats in there...so i guess i have two out of three of your points above?

You are using stateful inspection. It's actually the same as #1 except that it relies on the state table rather than on packet headers.

If you do not understand howto setup a good iptables firewall, there is a generator at hideaway.net that makes decent firewalls. You put in your information about your network, and then tell the script what you want to do, and it generates one for you. I liked these firewalls when I was starting with IPtables, but when you need to get very advanced you will have to write you own.

get this book: "Linux Firewalls" by Robert Ziegler

tis pretty cool IMO...

cant find it can you send the full url

I dont agree that a packet filter is easier to break in than a true firewall device (also packet filtering). THere are so many variables in this its hard to answer ...

The difference between a packet filter and a true firewall per say is the firewall will keep track of outgoing connections and allow the established connections to return and filter inbound connections to specific addresses and ports ... a packet filter normally is filtering inbound (or outbound) connections and thats it ... just a basic filter. So, is one more secure than the other ... both can be vulnerable depending on what device and operating system the firewall/filter is running ... and also how they are configured. However, the most important factor in the port you have opened up to the resource you want to protect! Once you open up a port ... then it becomes an issue with the device residing behing the firewall/filter .... follow me?

Hey all, I'm no hardcore security and all... this is also my first attempt at actually helping someone with my "knowledge" so I am a bit apprehensive... but here's my thought anyway.

I don't klnow if it's any good but Bastille has the ability to create a firewall for your based on the input that you provide... I don't know if that is any help, or if it's even any good. Maybe someone can actually tell me the answer to that one...