Many Unix systems, including Linux, FreeBSD, OpenBSD, and the like, come with packet filtering packages. They require special kernel options and modules to be built in, but because security has become so important, these options and modules are almost always built into the default system install.
Here we'll talk about Linux's ipchains software. Then we'll take a look at FreeBSD's IPFW tool kit. It's important to note that ipchains, iptables, and IPFW are all "userspace" programs.
That means that the programs run and reside in memory designated for programs run by the users as opposed to those run by the system kernel. The actual packet filtering is done by the system kernel itself. These programs should be thought of as user interfaces to the kernel's packet filtering capabilities....
Ipchains
Ipchains is the first packet filter we'll discuss. Ipchains was originally based on a tool called ipfwadm, a Linux spawn of BSD's IPFW, which we'll discuss shortly. The idea behind ipchains was to create chains of rules for a packet to traverse. At any point in a chain, the packet could be passed on or denied. Ipchains has all but been replaced by iptables for Linux kernels running the 2.6 series; however, it may be included in most Linux distributions along with iptables. It is a good starting point for our first look at firewall packages, and it also gives us an example of a stateless firewall.
To use ipchains, all you need is a Linux box with the proper options compiled into the kernel. You can tell if your kernel has ipchains support if the file /proc/net/ip_fwchains exists.
Most current Linux installs will have these options built in, but earlier Linux installs may need to be modified. Unfortunately, we can't go into detail here about how to build a Linux kernel; numerous Internet resources are available on building kernels for firewall support. You can check out the ipchains man page or visit the following web page for more details: http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html.
You'll also need to make sure that the file /proc/sys/net/ipv4/ip_forward contains the value 1 if you want to be able to forward packets from one network to the other. You can type echo 1 > /proc/sys/net/ipv4/ip_forward as root to make sure that your firewall is ready to forward packets.
Ipchains is a user interface to the kernel's packet filtering capabilities. All of the actual packet examination gets done in the kernel's memory space. The ipchains program simply dictates the rules to the kernel. Unfortunately, this means the kernel will forget your rules any time the system is rebooted. Thankfully, you can use the tools ipchains-save and ipchains-restore to make a dump of the current ipchains rules in use and restore them after a reboot.
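The three checks described above (the /proc/net/ip_fwchains support test, the ip_forward flag, and saving the rules with ipchains-save and ipchains-restore so they survive a reboot) can be wrapped in a small shell script. This is an added example, not code from the original text; the optional proc-root argument and the default rules file path /etc/ipchains.rules are assumptions made here so the read-only checks can be exercised against a constructed directory tree without root or a live kernel.

```shell
#!/bin/sh
# Added example: readiness checks for an ipchains firewall host.
# Every function takes an optional proc-root argument (assumption: defaults
# to /proc) so the checks can be run against a constructed tree for testing.

# The kernel exposes ipchains support through this file, as the text notes.
check_ipchains_support() {
    proc_root="${1:-/proc}"
    [ -e "$proc_root/net/ip_fwchains" ]
}

# Forwarding between networks is only on when ip_forward reads exactly "1".
ip_forward_enabled() {
    proc_root="${1:-/proc}"
    f="$proc_root/sys/net/ipv4/ip_forward"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Same as the 'echo 1 > /proc/sys/net/ipv4/ip_forward' step; needs root on a real host.
enable_ip_forward() {
    proc_root="${1:-/proc}"
    echo 1 > "$proc_root/sys/net/ipv4/ip_forward"
}

# One-line summary suitable for a boot-time or audit log entry.
firewall_status() {
    proc_root="${1:-/proc}"
    if check_ipchains_support "$proc_root"; then s="supported"; else s="not supported"; fi
    if ip_forward_enabled "$proc_root"; then f="enabled"; else f="disabled"; fi
    printf 'ipchains: %s; forwarding: %s\n' "$s" "$f"
}

# Persist the live ruleset and reload it after a reboot, as the text describes.
# The rules file path is an assumption; pick one your boot scripts can read.
save_rules()    { ipchains-save > "${1:-/etc/ipchains.rules}"; }
restore_rules() { ipchains-restore < "${1:-/etc/ipchains.rules}"; }

# Read-only report when run directly; override PROC_ROOT to point at a test tree.
firewall_status "${PROC_ROOT:-/proc}"
```

Run save_rules after the ruleset is loaded and restore_rules from a boot script; the ip_forward value reverts on reboot just like the rules do, so enable_ip_forward belongs in that same boot script.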