Re: [SLUG] Linux Firewall CBAC feature

[Jean-Francois Dive <jef@xxxxxxxxxxx>]

I do confirm CBAC (simply called IOS firewall) is a basic statefull 
firewall (i mean a hack which dynamically open holes in an Access-list 
applied to the external interface for return traffic). The only thing to 
pay attention is that most of the images where you run CBAC on IOS (on a 
quite small router i believe) have IDS feature on top as well. Think 
about snort to have the same feature.

JeF

Howard Lowndes wrote:

> Thank you, in which case the answer to the original question is probably
> "Yes" with netfilter and stateful connections.
>
> On Tue, 6 Nov 2001, Jan Schmidt wrote:
>
> > <quote who="Howard Lowndes">
> >
> > > Well, if I knew what Cisco CBAC was then I might be able to answer the
> > > question, but no doubt someone else might elaborate.
> > I have (/had) no idea either, but from a quick googling:
> >
> > CBAC - Context Based Access Control
> > CBAC intelligently filters TCP and UDP packets based on application-layer
> > protocol session information. You  can configure CBAC to permit specified
> > TCP and UDP traffic through a firewall only when the connection is
> > initiated from within the network you want to protect. CBAC can inspect
> > traffic for sessions that originate from either side of the firewall, and
> > CBAC can be used for intranet, extranet, and Internet perimeters of your
> > network.
> >
> > ....... etc
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdcbac.htm#38192
> >
> >
> > Sounds a lot like netfilter's stateful connection tracking features.
> >
> > J.
> > --
> > Jan Schmidt                                  thaytan@xxxxxxxxxxxxxxxxx
> >
> > Have you been half-asleep? Have you heard voices?
> > I've heard them calling my name...
> > -Kermit the Frog (Rainbow Connection)