8.7 Packet Filtering with pfilter

pfilter is a firewall compiler. The pfilter package is used to control the packet filtering capabilities available in the Linux kernel. It takes in high-level firewall directives, and produces a complete firewall output commands file that can be turned on or off like other Linux services. Like other compilers, pfilter adds appropriate "glue" code to the compiled output. pfilter's added "glue" code consists of common things that are done by any good firewall, including turning on TCP networking protective features.

When OSCAR was installed, it merged any pre-existing server pfilter installation configuration into a new configuration, and created new client machine pfilter configurations. The resulting pfilter configurations do the following:

If the main OSCAR server has two or more network interfaces, pfilter will attempt to determine which network interface is the public interface, and then enable packet forwarding and network address translation for the remaining interfaces if it can.
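The following script is an added example, not part of the OSCAR documentation or the pfilter package, showing how an administrator can verify that the compiled firewall on a two-interface head node actually looks the way the paragraph above describes: the public interface is the one carrying the default route, IP forwarding is enabled, traffic leaving the public interface is masqueraded, and the INPUT chain defaults to DROP. The `ip route` and `iptables-save` text and the interface names (eth0 public, eth1 private) are constructed sample data so the script runs offline; on a real node you would feed it the live output of those commands and the value of /proc/sys/net/ipv4/ip_forward.

```shell
#!/bin/sh
# Added example (not OSCAR's or pfilter's own code): sanity-check a compiled
# firewall against what pfilter is expected to produce on an OSCAR head node.
# All sample data below is constructed; replace it with live output in use.

# Constructed sample of `ip route` on a two-NIC head node (assumed names).
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0  proto kernel  scope link  src 192.0.2.10
10.0.0.0/24 dev eth1  proto kernel  scope link  src 10.0.0.1'

# Constructed sample of `iptables-save` output (assumed rule set).
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# public_iface ROUTES: print the interface that carries the default route.
public_iface() {
  printf '%s\n' "$1" | awk '$1 == "default" {
    for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# has_nat RULES IFACE: succeed if packets leaving IFACE are masqueraded/SNATed.
has_nat() {
  printf '%s\n' "$1" | grep -Eq -- "^-A POSTROUTING .*-o $2 .*-j (MASQUERADE|SNAT)"
}

# input_policy RULES: print the default policy of the filter table INPUT chain.
input_policy() {
  printf '%s\n' "$1" | awk '/^\*/ { table = substr($0, 2) }
    table == "filter" && $1 == ":INPUT" { print $2; exit }'
}

# check_firewall ROUTES RULES IP_FORWARD: return 0 only if every expectation holds.
check_firewall() {
  pub=$(public_iface "$1")
  [ -n "$pub" ] || { echo "no default route: cannot identify public interface"; return 1; }
  [ "$3" = "1" ] || { echo "ip_forward is off: private nodes cannot reach outside"; return 1; }
  has_nat "$2" "$pub" || { echo "no MASQUERADE/SNAT for traffic leaving $pub"; return 1; }
  [ "$(input_policy "$2")" = "DROP" ] || { echo "INPUT policy is not DROP"; return 1; }
  echo "public interface $pub: forwarding, NAT and default-deny INPUT all present"
  return 0
}

# Stand-alone run on the constructed samples; the third argument stands in for
# the contents of /proc/sys/net/ipv4/ip_forward.
check_firewall "$SAMPLE_ROUTES" "$SAMPLE_RULES" 1
```

On a live node the three inputs would be `"$(ip route)"`, `"$(iptables-save)"` and `"$(cat /proc/sys/net/ipv4/ip_forward)"`; the functions deliberately take text rather than running those commands so the same checks can be applied to a saved copy of the rules before pfilter is restarted.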

pfilter is turned on by default - this is considered good "defense in depth" security for a cluster (see Section D for more information on cluster security). If for some reason you need to disable pfilter packet filtering (perhaps for debugging - disabling it permanently is not recommended), you can disable pfilter on subsequent system boots with the following command:

  # chkconfig --level=2345 pfilter off

To turn on pfilter packet filtering immediately, execute the following command:

  # service pfilter start

For more information on how to use and configure pfilter, see the pfilter(8) and pfilter.conf(5) and pfilter.rulesets(5) man pages.

root 2002-11-08