Jul 25 2011   5:18PM GMT

Improved Network Security

Posted by: Eric Hansen
3.0, firewall, improvements, ipset, iptables, linux, network, security, tcp

With Linux 3.0 coming up around the corner, I thought it would be good to discuss some (possible) future improvements and additions to the kernel.  While this is already in the 2.8 branch (which was created before the official 3.0 was announced), it’ll be interesting to see what is carried over.  One of the first things that caught my eyes was not so much a new feature, but a plugin that’s becoming a standard inside of the kernel itself, IPSets.

Originally, IPSets started off as a plug in for iptables.  It allowed for dynamic updating and easier creation, management, etc… of white and blacklists.  As this has been in the works since the 2.4 branch, the list of supported methods is not exactly short, with about 12 different types of sets someone can create, each with pros and cons, it’s kind of hard to imagine this not fitting at least some needs.  Also, according to Linux Format’s latest issue (August 2011, pg. 8), some modifications to the TCP code yields 10 percent better network latency (this isn’t exactly stated as being directly due to the implementation of ipset, but interesting none the less).

While I have not used this personally, I can see a lot of benefits of doing so, and will report back on results after installing the module and seeing how beneficial it is to my home network.  If all goes according to plan, this will be based on both Arch Linux and Ubuntu, latest releases for both.

You can visit the official homepage of ipset here: http://ipset.netfilter.org/