IPFilter is software that provides stateful packet filtering, enabling firewall and Network Address Translation (NAT) functionalities.
Rules are set up to specify which packets are denied or permitted through the firewall. Keywords can also tie a rule to the interface a packet is associated with, either the interface on which the packet was received or the interface it will leave by after route processing.
IPFilter can be configured to filter using several IP header fields (described below). These filters are set when the rules are established:
Source and/or destination IP address. Inverted hostnames and networks are also supported.
IP protocol. An individual protocol can be named, or the compound keyword tcp/udp can be used, in which case IPFilter matches packets of either protocol.
Fragments. Fragmented packets can be selectively filtered out.
IP options. It is possible to select packets based on which options are present and which options are not present.
Port number. This is used with the TCP and UDP protocols. Either the service name or the numeric port number can be given.
IPFilter can also perform the following functions:
Send back an ICMP error or TCP reset for denied packets
Keep packet state information for TCP, UDP, and ICMP packet flows
Keep fragment state information for any IP packet
Act as a network address translator (NAT)
Use redirection to set up transparent proxy connections
Pass packet header details to a user program that decides, on the basis of its own authentication information, whether the packet is allowed
A logging device is also available for tracking what IPFilter does. It supports logging of TCP/UDP/ICMP packet headers, plus the first 129 bytes of the packet, when a packet is passed, when it is blocked, and when a rule written for suspicious packets matches.
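The rule set below is an added example, not a configuration shipped with IRIX or taken from the IPFilter documentation; it shows how each of the filter criteria and functions listed above maps onto IPFilter 3.x rule syntax. It assumes two interfaces (ec0 facing the Internet, ec1 facing an internal LAN), an external address of 192.0.2.1, an internal network of 10.1.0.0/16, and a Squid-style proxy listening on port 3128; all of these names and addresses are assumptions chosen for illustration. The first part would be loaded with ipf (for example `ipf -Fa -f /etc/ipf.conf`) and the second with ipnat (for example `ipnat -CF -f /etc/ipnat.conf`), as described in Chapter 3.

```conf
# ---------- /etc/ipf.conf (filter rules; hypothetical example) ----------
# Default stance: deny and log anything no later rule explicitly passes.
# Rules are evaluated in order and the LAST match wins unless "quick" is used,
# so these two catch-alls go first and the specific rules below use "quick".
block in log all
block out log all

# Suspicious packets: IP options and fragments.
# "with opt lsrr" matches packets carrying the loose source-route option;
# "with ipopts" matches any packet that has IP options present at all;
# "with short" matches fragments too short to hold a full protocol header;
# "with frag" matches any fragmented packet.
block in log quick on ec0 from any to any with opt lsrr
block in log quick on ec0 from any to any with ipopts
block in log quick on ec0 from any to any with short
block in log quick on ec0 from any to any with frag

# Anti-spoofing on the external interface: the internal network and the
# loopback range must never arrive from the Internet.
block in log quick on ec0 from 10.1.0.0/16 to any
block in log quick on ec0 from 127.0.0.0/8 to any

# Denied services that should fail fast rather than time out:
# return-rst sends a TCP reset, return-icmp(port-unr) an ICMP port
# unreachable, instead of silently dropping the packet.
block return-rst in quick on ec0 proto tcp from any to any port = 113
block return-icmp(port-unr) in quick on ec0 proto udp from any to any port = 137

# Inbound services on the external address.  Port may be given by
# service name (www) or number (22).  "flags S" matches only the initial
# SYN; "keep state" then admits the rest of the TCP conversation without
# further rule matching.
pass in quick on ec0 proto tcp from any to 192.0.2.1/32 port = www flags S keep state
pass in quick on ec0 proto tcp from any to 192.0.2.1/32 port = 22 flags S keep state

# Inverted address: admit DNS replies from anywhere EXCEPT a network we
# do not trust.  "!" negates the host or network that follows it.
pass in quick on ec0 proto udp from !198.51.100.0/24 to 192.0.2.1/32 port = 53 keep state

# Let the firewall ping out and keep state on the echo so only the
# matching replies come back in.
pass out quick on ec0 proto icmp from 192.0.2.1/32 to any icmp-type echo keep state

# Everything the internal network and the firewall itself originate may
# leave.  tcp/udp matches either protocol; "keep frags" tracks fragments
# belonging to a flow whose first fragment was passed.
pass out quick on ec0 proto tcp/udp from any to any keep state keep frags
pass in  quick on ec1 proto tcp/udp from 10.1.0.0/16 to any keep state keep frags

# ---------- /etc/ipnat.conf (NAT rules; hypothetical example) ----------
# Hide the internal network behind the external interface address
# (0/32 means "the address of the named interface").  The portmap line
# handles TCP/UDP with port translation; the plain map line handles ICMP
# and other protocols.
map ec0 10.1.0.0/16 -> 0/32 portmap tcp/udp 40000:60000
map ec0 10.1.0.0/16 -> 0/32

# Transparent proxy: redirect web traffic arriving from the LAN on the
# internal interface to a local proxy listening on port 3128.
rdr ec1 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp
```

The "log" keyword on the block rules is what drives the logging device described above; run ipmon to read the records. Note the ordering discipline: because IPFilter takes the last matching rule unless "quick" short-circuits evaluation, a rule set that omits "quick" on the specific rules and places the catch-all blocks first will behave very differently from what the author intended.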
For a complete description of IPFilter functionality, see the IPFilter documentation and descriptions at http://coombs.anu.edu.au/ipfilter .
For a summary of IPFilter functionality and IRIX kernel information, see Chapter 2, “Setting Up IPFilter on IRIX Systems”.
For details about the command line tools used with IPFilter, see Chapter 3, “IPFilter Commands and Tools”.
Note: IPFilter should not be run with ipfilterd (part of the SGI eoe.sw.ipgate release). See the release notes provided with IPFilter for details.