Chapter 6
Security
RUGGEDCOM ROX II
CLI User Guide
184 Firewall Concepts
• Section6.9.11, “Managing Hosts”
• Section6.9.12, “Managing Policies”
• Section6.9.13, “Managing Network Address Translation Settings”
• Section6.9.14, “Managing Masquerade and SNAT Settings”
• Section6.9.15, “Managing Rules”
• Section6.9.16, “Validating a Firewall Configuration”
• Section6.9.17, “Enabling/Disabling a Firewall”
Section6.9.1
Firewall Concepts
This section describes some of the concepts important to the implementation of firewalls in RUGGEDCOM ROX II.
CONTENTS
• Section6.9.1.1, “Stateless vs. Stateful Firewalls”
• Section6.9.1.2, “Linux netfilter”
• Section6.9.1.3, “Network Address Translation”
• Section6.9.1.4, “Port Forwarding”
• Section6.9.1.5, “Protecting Against a SYN Flood Attack”
• Section6.9.1.6, “Protecting Against IP Spoofing”
Section6.9.1.1
Stateless vs. Stateful Firewalls
There are two types of firewalls: stateless and stateful.
Stateless or static firewalls make decisions about traffic without regard to traffic history. They simply open a path
for the traffic type based on a TCP or UDP port number. Stateless firewalls are relatively simple, easily handling
Web and e-mail traffic. However, stateless firewalls have some disadvantages. All paths opened in the firewall are
always open, and connections are not opened or closed based on outside criteria. Static IP filters offer no form of
authentication.
Stateful or session-based firewalls add considerably more complexity to the firewalling process. They track the
state of each connection, look at and test each packet (connection tracking), and recognize and manage as a
whole traffic from a particular protocol that is on connected sets of TCP/UDP ports.
Section6.9.1.2
Linux netfilter
Netfilter, a subsystem of the Linux kernel, is a stateful firewall that provides the ability to examine IP packets on a
per-session basis.
Netfilter uses rulesets, which are collections of packet classification rules that determine the outcome of the
examination of a specific packet. The rules are defined by iptables, a generic table structure syntax and utility
program for the configuration and control of netfilter.
To Next Page
Loading...
Need help?
General
