<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>( IPTABLES vs. IPCHAINS vs. IPFWADM ) - Why do the 2.4.x, 2.2.x,
and 2.0.x kernels use different firewall systems?</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Linux IP Masquerade HOWTO"
HREF="index.html"><LINK
REL="UP"
TITLE="Frequently Asked Questions"
HREF="faq.html"><LINK
REL="PREVIOUS"
TITLE="( IPCHAINS rulesets on 2.4.x kernels ) - What the ipchains.o module can
do on 2.4.x kernels"
HREF="ipchains-on-2.4.x.html"><LINK
REL="NEXT"
TITLE="( Upgrades ) - I've just upgraded to the x.y.z kernel, why isn't IP
Masquerade working?"
HREF="upgrades.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Linux IP Masquerade HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="ipchains-on-2.4.x.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 7. Frequently Asked Questions</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="upgrades.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="IPTABLES-VS-IPCHAINS-VS-IPFWADM"
></A
>7.41. ( IPTABLES vs. IPCHAINS vs. IPFWADM ) - Why do the 2.4.x, 2.2.x,
and 2.0.x kernels use different firewall systems?</H1
><P
>IPTABLES supports the following features that IPCHAINS and IPFWADM don't:</P
><P
> <P
></P
><UL
><LI
><P
> Stateful IPv4 protocol and application tracking
</P
></LI
><LI
><P
> Stateful IPv6 protocol tracking
</P
></LI
><LI
><P
> True 1:1 and 1:Many NAT
</P
></LI
><LI
><P
> Built-in PORTFW functionality
</P
></LI
><LI
><P
> See <A
HREF="kernel-2.4.x-requirements.html"
>Section 2.6</A
> for
more details
</P
></LI
></UL
> </P
><P
>IPCHAINS supports the following features that IPFWADM doesn't:</P
><P
> <P
></P
><UL
><LI
><P
>"Quality of Service" (QoS) support</P
></LI
><LI
><P
>A TREE-style chain system vs. a LINEAR system like IPFWADM (e.g. this allows
something like "if it is ppp0, jump to this chain", which contains its own
different set of rules)</P
></LI
><LI
><P
>IPCHAINS is more flexible with configuration. For example, it has the "replace"
command (in addition to "insert" and "add"). You can also negate rules (e.g.
"discard any outbound packets that don't come from my registered IP" so that
you aren't the source of spoofed attacks).</P
></LI
><LI
><P
>IPCHAINS can filter any IP protocol explicitly, not just TCP, UDP, and ICMP</P
></LI
></UL
> </P
></DIV
></BODY
></HTML
>