Firewall Wizards mailing list archives

Re: IPChains vs. IPTables


From: Volker Tanger <volker.tanger () discon de>
Date: Thu, 25 Jul 2002 09:21:58 +0200

Greetings!

Josh Welch wrote:
> From: "Patrick Darden" <darden () armc org>
> >
> > IPTables allow content inspection (making sure port 80 traffic is
> > web, 21 is ftp, etc.), making it a little better than a mere packet
> > filter.
> > Truthfully, though, with tunnelling, if you don't have tight access
> > lists then allowing any protocol access is just as secure via
> > packet filtering as packet inspection.  Loki uses icmp;
> > then there's ssl tunneling, ssh, and hosts of others....
> >
>
> IPTables does not, to my understanding, do content inspection. It does
> state inspection, which IPChains does not, but does not check content. How
> would you check content with IPTables?

There are some first (pre-alpha) patches for IPtables (2.5 kernel) that lay a foundation for packet data inspection. The "normal" IPtables is only a stateful (not inspection) packet filter, whereas IPchains is only a static (dumb) packet filter. For a detailed overview see
http://www.wyae.de/secure_gateway/gateways.html

Bye

Volker Tanger
IT-Security Consulting

--
discon gmbh
Wrangelstraße 100
D-10997 Berlin

fon    +49 30 6104-3307
fax    +49 30 6104-3461

volker.tanger () discon de
http://www.discon.de/


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
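As an added illustration of the distinction Volker draws (static packet filter versus stateful packet filter, and neither one inspecting content), here is a toy Python model of both filters run over constructed packets. It is not code from this thread or from the ipchains/iptables projects; the rule lines quoted in the comments are for comparison only, and the model is a deliberate simplification of how either tool behaves.

```python
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges).
CLIENT = "10.0.0.5"
WEB = "203.0.113.10"
OUTSIDER = "198.51.100.7"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "out" = inside -> outside, "in" = outside -> inside
    syn: bool = False
    ack: bool = False
    payload: bytes = b""    # never looked at by either filter below

def static_filter(pkts):
    """ipchains-style: no memory between packets. Roughly:
    ipchains -A output -p tcp -d 0/0 80 -j ACCEPT
    ipchains -A input  -p tcp -s 0/0 80 ! -y -j ACCEPT  (non-SYN from port 80)"""
    verdicts = []
    for p in pkts:
        if p.direction == "out" and p.dport == 80:
            verdicts.append("ACCEPT")
        elif p.direction == "in" and p.sport == 80 and not (p.syn and not p.ack):
            verdicts.append("ACCEPT")   # anything non-SYN "from a web server"
        else:
            verdicts.append("DROP")
    return verdicts

def stateful_filter(pkts):
    """iptables-style with connection tracking. Roughly:
    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"""
    conntrack = set()
    verdicts = []
    for p in pkts:
        if p.direction == "out" and p.dport == 80:
            conntrack.add((p.src, p.sport, p.dst, p.dport))   # NEW connection
            verdicts.append("ACCEPT")
        elif p.direction == "in" and (p.dst, p.dport, p.src, p.sport) in conntrack:
            verdicts.append("ACCEPT")   # ESTABLISHED: reply to a connection we opened
        else:
            verdicts.append("DROP")
    return verdicts

# Constructed traffic: a real web fetch, an unsolicited inbound packet that
# merely carries source port 80, and ssh tunnelled over port 80.
TRAFFIC = [
    Packet(CLIENT, 40001, WEB, 80, "out", syn=True),
    Packet(WEB, 80, CLIENT, 40001, "in", syn=True, ack=True),
    Packet(OUTSIDER, 80, CLIENT, 22, "in", ack=True),
    Packet(CLIENT, 40002, WEB, 80, "out", payload=b"SSH-2.0-OpenSSH_3.4"),
]
```

The static filter passes the third packet because its only way to admit return traffic is "non-SYN from port 80", while the stateful filter drops it for not matching any tracked connection; both pass the fourth, since neither looks at the payload.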