New IP Filter

Darren Reed, waking from his long Sleeping Beauty slumber, has announced the next version of IP Filter, 4.1.

Anyone who followed the development of IPF may remember that Darren, even before OpenBSD's pf appeared, was making big promises about redundant (failover) operation, of which little has been heard since.

In version 4 this feature appears to be working at last. The other surprise is that, according to Darren, his program will soon be available for Linux as well. What's new compared to the 3.x series:


Administration:

  • Run-time support for modifying ipf table size parameters.
  • Run-time support for tuning other ipfilter parameters.

Content Scanning:

  • Simple matching of content for TCP session startup.

Firewall Synchronising:

  • Master/slave programs available.

General:

  • All input files allow simple 'macro' definitions and expansion,
    including nesting.
  • Code has been rototilled to make maintenance and enhancements
    easier for me and you.
  • More configuration files and binaries.
  • Takes up more memory.
  • Probably slower.
  • Versioned API to support changes in the ABI without breaking
    existing binaries (4.0 onward only.)
  • IP-Filter framework in place for handling multiple different
    types of packet matching for firewalling.
  • IP Id number rewriting available.
  • Verification of checksums for recognised packet types.
  • Optionally enable/disable IP forwarding when enabled/disabled.

IPF:

  • BPF syntax available for matching packets in ipf rules (1).
  • Can convert IPv4 ipf rules into C code and either:

    * load them as an LKM or;

    * compile them statically into the kernel (where possible.)
  • Address pools allow for simpler rules covering large numbers of
    addresses/networks (IPv4 only).
  • Lookup functions available to map an IPv4 address to a group.
  • Groups can be referenced by multiple heads for subroutine-like use.
  • NAT/ipf rules can refer to each other via a tag, creating an implied
    join that forms part of the packet matching.
  • Extra packet attributes available for filter rules:

    * source address/routing interface mismatch;

    * multicast (3);

    * broadcast (2,3);

    * state lookup partially failed;

    * out of the TCP window for a state connection;

    * NAT lookup partially failed.
  • PPS (packets per second) matching available for ipf rules.
  • Rule collections (cf FreeBSD numbering) supported for ipf rules.
  • Groups can now be names rather than just numbers.

IPV6:

  • understands extension headers.
  • can filter on extension headers.

Logging:

  • ipmon now comes with a configuration file for more advanced logging
    behaviour.
  • Can append arbitrary logging tags with ipf rules for easy matching.

NAT:

  • "sticky" mapping available to ensure an address translation on
    a per-address basis is always the same (while known) for a set
    IP address.

Operating System Support:

  • HP-UX 11 added.
  • Tru64 5.1a added.
  • Solaris/HP-UX now use pfil STREAMS module.
  • Linux 2.4 on the way.

Proxies:

  • PPTP proxy added.
  • IRC proxy added.
  • RPCBIND proxy added.
  • FTP proxy support for EPSV (IPv4 only.)

Stateful Inspection:

  • Can insist that all TCP data arrives in order.
  • Can insist that all fragments pass through in order.
  • The number of states created per-rule can be set where the total
    across all rules may exceed the maximum allowed.
  • Can elect not to automatically match ICMP error packets.
  • TCP sequence number rewriting supported.

Comments

Am I seeing this right that transparent proxies come with it too, or is it only the option to use them?


Regards

Godot

The only thing I'd be interested in is how he imagines integrating it into Linux. Back in the day Theo threw it out of OpenBSD precisely because of the licence, which, if I remember correctly, is neither BSD nor GPL.