Linux Firewalls (3rd Edition) (Novell Press)

by Steve Suehring

MembersReviewsPopularityAverage ratingConversations
251921,901 (3.83)None
An Internet-connected Linux machine is in a high-risk situation. Linux Firewalls, Third Edition details security steps that any sized implementation--from home use to enterprise level--might take to protect itself from potential remote attackers. As with the first two editions, this book is especially useful for its explanations of iptables, packet filtering, and firewall optimization along with some advanced concepts including customizing the Linux kernel to enhance security. The third edition, while distribution neutral, has been updated for the current Linux Kernel and provides code examples for Red Hat, SUSE, and Debian implementations. Don't miss out on the third edition of the critically acclaimed Linux Firewalls.

Linux Firewalls provides a good introduction to packet filtering and netfilter/iptables. The book's first chapter quickly covers the aspects of TCP/IP that are most relevant for someone implementing a packet filtering firewall. The fundamentals of how a packet filter and netfilter work come next. I consider these first chapters to be the strongest part of the book; they are well structured, clear and to the point.

The book then follows with an example for a simple home firewall, discusses rule optimization and gives some more advanced scenarios for a gateway, with several possibilities for how to organize a DMZ, while covering packet forwarding. These chapters are generally good but not as good as the first ones. There's a chapter on NAT that I thought was very good. Understanding when the source and destination addresses get changed and how this relates to the other chains can be tricky and the book really nails it. The final chapter directly related to firewalls, about debugging, is a mixed bag. I found it unnecessarily extensive, going on and on about basic and obvious things, such as explaining how to read a listing of the firewall rules.

The last chapters are related to other security technologies such as intrusion detection, monitoring, filesystem integrity and kernel enhancements. While some parts of it do provide useful information, they feel like rushed filler material, especially considering that more advanced iptables-related topics are neglected. As an example, in the last chapter the author says that first he will present a recipe-style introduction to Grsec and then explain some features in more depth. The more in-depth explanations are nowhere to be seen, however. There are a couple more places where similar glitches are found.

Two important things related to packet filtering and iptables are missing in the book. There's no coverage of advanced logging. The ULOG target is just mentioned and a tool like syslog-ng that would allow you to use the LOG target and still filter logging into different files is not even mentioned. More importantly, connection state tracking, the part that allows netfilter to call itself a stateful firewall, doesn't have adequate coverage. The author says that even using a stateful firewall, rules that cover the case of the state tables getting full are still needed. I disagree with this, especially in the case of a dedicated firewall machine, where you have a lot of memory to spare and can allocate a lot of it for state tracking. Keeping a simple ruleset is extremely important and being able to rely on state tracking really helps in achieving that. How the state tracking works is superficially explained. Things such as seeing how many entries are being used or its internal state are missing. I don't know if this is because at the time the book was written there was less kernel support to get to this sort of information or if the author just missed them, but I consider them important nonetheless. If they were not an option when the book was written then it should at least be mentioned that such things are not possible. I had to do some mailing list research to figure out how to get to them. The book suffers from a problem that afflicts so many technical books - it wants to be everything to everyone.

However, I don't know of a better book related to netfilter and would recommend this one to someone that wants to learn more about it. I think it should be complemented with the "iptables tutorial" by Oskar Andreasson and with some research looking at example scripts that can be found online and reading mailing lists.
  miguel.lourenco | Apr 29, 2007
Rating

Average: 3.83 (3.5 stars: 1 rating; 4 stars: 2 ratings)
