These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Ipchains And Iptables - Small History Of Filtering Under Linux


Linux kernels have had packet filtering since the 1.1 series. In late 1994, kernel hacker Alan Cox ported the firewalling functionality of ipfw from BSD into Linux. There was much debate over the legality of this (in doing so, he took code copyrighted under the FreeBSD license and re-released it under the GPL), but the question was never pursued, and the code was replaced soon enough.

In mid-1998, Rusty Russell set about reworking much of the networking code in the 2.1 development series of the Linux kernel (which shipped as the 2.2 stable series) and introduced the userspace tool ipchains. The firewalling code before this had some serious shortcomings. From Rusty Russell's IPCHAINS-HOWTO (circa 1999):

The older Linux firewalling code doesn't deal with fragments, has 32-bit counters (on Intel at least), doesn't allow specification of protocols other than TCP, UDP or ICMP, can't make large changes atomically, can't specify inverse rules, has some quirks, and can be tough to manage (making it prone to user error).

Russell's work substantially reworked the kernel's filtering code and gave it a cleaner userspace front end. The filtering itself still happens in the kernel; what changed is that ipchains made rulesets easier to write, load, and audit, which is what keeps a filter secure in practice.

Finally, the fourth-generation tool, `iptables', and another kernel rewrite arrived in mid-1999 for Linux 2.4. This continued the refinement begun in 2.2 and augmented Linux's arsenal of networking tools, most visibly with connection tracking (stateful matching) and the separation of filtering, NAT and packet mangling into their own tables. The kernel framework is known as Netfilter and has its own homepage: http://www.netfilter.org/

For a full explanation of why yet another rewrite was needed, see [What's wrong with what we had in 2.0 and 2.2?] in Russell's [Netfilter Hacking HOWTO].
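As an added example (not from the original classnotes, and not Netfilter project code), the following iptables ruleset exercises the capabilities the IPCHAINS-HOWTO quote above lists as missing from the original ipfw port: a protocol other than TCP/UDP/ICMP (GRE, protocol 47), an inverse rule (the `!' operator), explicit handling of non-first fragments, and loading the whole table in one atomic operation with iptables-restore rather than rule by rule. The interface name eth0 and the network 192.0.2.0/24 (an RFC 5737 documentation range) are assumed placeholders; loading the ruleset needs root and the iptables tools and is not done unless load_ruleset is called.

```shell
#!/bin/sh
# Added example, not from the original page. Builds an iptables ruleset in
# iptables-save format and loads it atomically with iptables-restore.
# WAN_IF and TRUSTED_NET are assumed placeholders; override them in the environment.

WAN_IF="${WAN_IF:-eth0}"
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"   # RFC 5737 documentation range, assumed

# Emit the ruleset. iptables-restore swaps in the whole filter table in a single
# kernel operation, so there is no window where a half-loaded ruleset is active
# (the "can't make large changes atomically" problem from the HOWTO quote).
# Lines starting with '#' are ignored by iptables-restore.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# second and later fragments carry no port header and cannot be matched on ports,
# so drop them explicitly instead of letting them fall through to the policy
-A INPUT -i $WAN_IF -f -j DROP
# inverse rule: SSH attempts on the WAN side that are NOT from the trusted net are logged
-A INPUT -i $WAN_IF ! -s $TRUSTED_NET -p tcp --dport 22 -j LOG --log-prefix "ssh-untrusted: "
-A INPUT -i $WAN_IF -s $TRUSTED_NET -p tcp --dport 22 -j ACCEPT
# a protocol other than TCP/UDP/ICMP, given by number (47 = GRE)
-A INPUT -i $WAN_IF -s $TRUSTED_NET -p 47 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
COMMIT
EOF
}

# Parse-only dry run (--test makes no kernel change), then the real atomic load.
# Requires root; not invoked unless called explicitly.
load_ruleset() {
    build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
}

# Number of rules in the generated ruleset; a sanity check that needs no root.
rule_count() {
    build_ruleset | grep -c '^-A '
}
```

Exact 64-bit counters for the loaded rules can then be read back with `iptables -L INPUT -v -n -x`, which also addresses the 32-bit counter complaint from the quote.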

Packet Filtration on other Unixes

Unfortunately (or fortunately) there is no POSIX-like standard for packet filtering on UNIX systems. As a result, each UNIX has its own tool (or several) to accomplish the same general job.

Here are some filters that run on other UNIXes (some of which run on Linux too) to get you started if you need a packet filter on a platform other than Linux:



Last edited June 21, 2003 1:46 am (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.