I heard a rumor that someone was working on a
"stateful inspection module" as in extension to the
ipfw/masquerading code in the Linux kernel.
However I can't find any pointers to this.
I have a client whose paid for some custom code
(done by another party) of this sort and is willing
to contribute some of his code and sponsorship to
an existing Linux project -- if it is producing
something that meets his needs.
For those who are curious:
The ipfw (TCP/IP "Firewall" code) provides support for
packet filtering in the Linux kernel (2.x and later). This
allows one to configure a set of policies and rules for each
TCP/IP interface (ethernet card, SLIP or PPP link -- even
a PLIP link I suppose) -- so that the kernel will reject,
accept or deny (there are subtle differences between rejecting
and denying) any packet based on it source or destination address,
port, or certain flags or options. (People what want to know
more about packet filtering than that should read Cheswick &
Bellovin's Internet Firewalls book or the O'Reilly "Building
Internet Firewalls, by Brent Chapman and Elizabeth Zwicky).
The "masquerading" code provides support for "network address
translation" (NAT) which allows one to "hide" a set of
hosts (typically using RFC 1918 "private" IP addresses) behind a
single, multi-homed (meaning it has at least two IP interfaces)
host. The idea is that the masquerading host intercepts service
request from the "hidden" parties and acts as a transparent proxy.
This differs from SOCKS and other normal proxies in that it doesn't
require any knowlege on the part of the client (users or software).
Basically it looks like a router to the client and a really busy
host to all of the servers on the outside.
The concept of "stateful inspection" comes in when you realize
that normal packet filtering must make it's decision about each
packet (accept, reject or deny) purely based on the characteristics
of *that* packet. It has no history or concept of the TCP session.
If a packet claims to be part of an existing session or a fragment
of a larger packet -- the filtering software simply accepts that as
given (though the packet must fullfill all of that filter's set of
rules). Basically it wasn't possible to enforce a policy that the
initial packets by acknowleged or anything like that.
Stateful inspection means that the router (in this case the
Linux system with the ipfw rules) does maintain state information
that persists beyond a single packet's processing and throughout
the duration of a TCP session. (I gather that the term is
meaningless with regards to UDP -- which as no "sessions.")
Masquerading inherently must maintain state -- the host/router
must keep a table of which "hidden" host's requests were
redirected to which TCP/UDP port in order to know how to route
So, it is natural to believe that most of the code for doing
stateful inspection in ipfw already exists. It would seem to
be a matter of restructuring -- and a matter of adding more
parsing and logic to the ipfwadm package (the command which
allows an admin to configure the kernel's ipfw rule sets and
If anyone knows who is working on the stateful inspection for
Linux -- I would deeply appreciate a pointer or e-mail address.
Starshine Technical Services http://www.starshine.org
Key fingerprint = 2524E3FEF0922A84 A27BDEDB38EBB95A