For 2.2.x kernels, many of the options are the same, but a few new
ones have been developed. Many of the comments here are from
./linux/Documentation/Configure.help
, which is the same
document that is referenced while using the Help facility during
the make config
stage of compiling the kernel. Only the newly-
added options are listed below. Consult the 2.0 description for a
list of other necessary options. The most significant change in the
2.2 kernel series is the IP firewalling code. The ipchains
program is now used to install IP firewalling, instead of the
ipfwadm
program used in the 2.0 kernel.
For most people, it's safe to say no to this option. This option allows you to connect a user-space filter to any socket and determine if packets should be allowed or denied. Unless you have a very specific need and are capable of programming such a filter, you should say no. Also note that as of this writing, all protocols were supported except TCP.
Port Forwarding is an addition to IP Masquerading which allows some forwarding of packets from outside to inside a firewall on given ports. This could be useful if, for example, you want to run a web server behind the firewall or masquerading host and that web server should be accessible from the outside world. An external client sends a request to port 80 of the firewall, the firewall forwards this request to the web server, the web server handles the request and the results are sent through the firewall to the original client. The client thinks that the firewall machine itself is running the web server. This can also be used for load balancing if you have a farm of identical web servers behind the firewall.
Information about this feature is available from http://www.monmouth.demon.co.uk/ipsubs/portforwarding.html (to browse the WWW, you need to have access to a machine on the Internet that has a program like lynx or Netscape). For general info, please see ftp://ftp.compsoc.net/users/steve/ipportfw/linux21/
Using this option, user-space programs can attach a filter to any
socket and thereby tell the kernel that it should allow or disallow
certain types of data to get through the socket. Linux socket
filtering works on all socket types except TCP for now. See the
text file ./linux/Documentation/networking/filter.txt
for
more information.
The 2.2 kernel masquerading has been improved. It provides additional support for masquerading special protocols, etc. Be sure to read the IP Chains HOWTO for more information.