SLUG Mailing List Archives
Re: [SLUG] Linux Firewall CBAC feature
- To: Howard Lowndes <lannet@xxxxxxxxxxxxx>
- Subject: Re: [SLUG] Linux Firewall CBAC feature
- From: Jean-Francois Dive <jef@xxxxxxxxxxx>
- Date: Tue Nov 6 08:57:02 2001
- Cc: Jan Schmidt <thaytan@xxxxxxxxxxxxxx>, slug@xxxxxxxxxxx
- Reply-to: jef@xxxxxxxxxxx
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20011019 Netscape6/6.2
I do confirm CBAC (simply called IOS firewall) is a basic stateful
firewall (I mean a hack which dynamically opens holes in an access-list
applied to the external interface for return traffic). The only thing to
pay attention to is that most of the images where you run CBAC on IOS (on a
quite small router, I believe) have an IDS feature on top as well. Think
about snort to have the same feature.
Howard Lowndes wrote:
Thank you, in which case the answer to the original question is probably
"Yes" with netfilter and stateful connections.
On Tue, 6 Nov 2001, Jan Schmidt wrote:
<quote who="Howard Lowndes">
Well, if I knew what Cisco CBAC was then I might be able to answer the
question, but no doubt someone else might elaborate.
I have (/had) no idea either, but from a quick googling:
CBAC - Context Based Access Control
CBAC intelligently filters TCP and UDP packets based on application-layer
protocol session information. You can configure CBAC to permit specified
TCP and UDP traffic through a firewall only when the connection is
initiated from within the network you want to protect. CBAC can inspect
traffic for sessions that originate from either side of the firewall, and
CBAC can be used for intranet, extranet, and Internet perimeters of your
Sounds a lot like netfilter's stateful connection tracking features.
Jan Schmidt thaytan@xxxxxxxxxxxxxxxxx
Have you been half-asleep? Have you heard voices?
I've heard them calling my name...
-Kermit the Frog (Rainbow Connection)
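The netfilter equivalent of what the thread describes, as an added example that is not part of the original message or of any poster's configuration: a ruleset that only lets TCP/UDP sessions out when they are initiated from the inside, and admits return traffic solely because conntrack already has the session in its state table (the kernel does the "dynamic hole" that CBAC punches into the external access-list). The interface names eth0 (external) and eth1 (internal) are assumptions, as is the use of `-m state` (the conntrack match of the period; `-m conntrack --ctstate` is the current spelling and takes the same state names). Application-layer tracking of the kind CBAC advertises, for example following an active-FTP data channel, comes from netfilter's conntrack helper modules, which is why the script loads `nf_conntrack_ftp` before applying the rules; `RELATED` is what lets that helper's expected connections through.

```shell
#!/bin/sh
# Added example: CBAC-style "outbound-initiated only" policy with netfilter.
# Assumed interfaces (override with EXT_IF=... INT_IF=... in the environment).
EXT_IF="${EXT_IF:-eth0}"   # assumed external (Internet-facing) interface
INT_IF="${INT_IF:-eth1}"   # assumed internal (protected) interface

# Print the ruleset in iptables-restore(8) format.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i ${INT_IF} -o ${EXT_IF} -p tcp -m state --state NEW -j ACCEPT
-A FORWARD -i ${INT_IF} -o ${EXT_IF} -p udp -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check for the policy: count rules that would accept a NEW
# connection arriving on the external interface.  A CBAC-like policy
# must yield 0; anything else means a hole was opened in the wrong direction.
count_inbound_new() {
    gen_rules | grep -c -- "-i ${EXT_IF}.*--state NEW" || true
}

# Apply only when run as root and explicitly asked to; otherwise just print.
if [ "$(id -u)" -eq 0 ] && [ "${APPLY:-no}" = "yes" ]; then
    # Conntrack helper so active-FTP data channels are tracked as RELATED.
    modprobe nf_conntrack_ftp 2>/dev/null || true
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it as a normal user to review the generated rules; `APPLY=yes` as root loads them with iptables-restore. The `INVALID` drops matter in practice: packets that conntrack cannot associate with any session (stray ACKs, out-of-window segments) are exactly what a stateless access-list with an `established` keyword would let through.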