2.2.3. Packet filtering in PNS

In PNS, packet filtering is handled by the kzorp kernel module, so packet filtering services are handled entirely in the kernel. When PNS starts, it sends all information about the traffic permitted to pass the gateway (that is, the list of configured services, zones, firewall rules, and so on) to the kzorp module.

Application-level services (also called proxy services) are handled on two levels:

  • The kzorp kernel module receives and accepts the connections.

  • All other functionality is performed by PNS in the userspace.

For both service types, the kzorp kernel module makes the client-side access control (DAC) decision. Both service types can be configured from a uniform interface using MC.

Handling packet filtering in the kernel has the following important consequences:

  • Packet filtering rules can match on zones as well, not only on IP addresses.

  • Network Address Translation (NAT) is also available in the kernel, therefore it is possible to NAT packet filtering services. However, not every type of NatPolicy can be used with packet filtering services. For details, see Section 6.7.5, NAT policies.

  • The tproxy table of the iptables utility, which earlier PNS versions used to perform transparent proxying, is empty. PNS does not use it, but it remains available if for some reason you want to add rules manually.
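The following Python model is an added illustration of the decision path described in this section; it is not code from the PNS or kzorp project. It models the state PNS hands to the kernel module at startup (zones, services, rules) and the kernel-side access control decision made from it: rules match on zones rather than raw addresses, a packet filtering service is accepted and NATed entirely in the "kernel" table, and a proxy service is accepted by the table but handed to userspace. The class and field names, the longest-prefix rule for placing an address in a zone, and all addresses are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model only: these types stand in for the configuration PNS
# pushes to kzorp; they are not kzorp's or PNS's real data structures.


@dataclass(frozen=True)
class Zone:
    name: str
    networks: Tuple[str, ...]       # CIDR strings belonging to the zone


@dataclass(frozen=True)
class Service:
    name: str
    kind: str                       # "pf" (packet filter) or "proxy" (application level)
    snat: Optional[str] = None      # assumed source-NAT address, used for pf services


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    service: str


class KernelTable:
    """Stands in for the state the kzorp module holds after PNS starts."""

    def __init__(self, zones, rules, services):
        self.zones = zones
        self.rules = rules
        self.services = {s.name: s for s in services}

    def zone_of(self, ip: str) -> Optional[str]:
        # Assumption: the most specific (longest prefix) network wins, so a
        # narrow zone can sit inside a catch-all zone such as 0.0.0.0/0.
        addr = ipaddress.ip_address(ip)
        best = None
        for zone in self.zones:
            for net_str in zone.networks:
                net = ipaddress.ip_network(net_str)
                if addr in net and (best is None or net.prefixlen > best[1]):
                    best = (zone.name, net.prefixlen)
        return best[0] if best else None

    def decide(self, src: str, dst: str, dport: int) -> dict:
        """Client-side access control decision for a new connection."""
        src_zone = self.zone_of(src)
        dst_zone = self.zone_of(dst)
        for rule in self.rules:
            if (rule.src_zone, rule.dst_zone, rule.dst_port) == (src_zone, dst_zone, dport):
                svc = self.services[rule.service]
                if svc.kind == "pf":
                    # Packet filtering service: accepted and NATed in the kernel,
                    # nothing is passed up to userspace.
                    return {"verdict": "accept", "handled_by": "kernel",
                            "service": svc.name, "src_after_nat": svc.snat or src}
                # Proxy service: the kernel accepts the connection, the rest
                # of the work happens in the userspace proxy.
                return {"verdict": "accept", "handled_by": "userspace proxy",
                        "service": svc.name, "src_after_nat": src}
        # No rule for this zone pair and port: default deny.
        return {"verdict": "drop", "handled_by": "kernel",
                "service": None, "src_after_nat": src}


def build_sample_table() -> KernelTable:
    # Constructed sample configuration using documentation address ranges.
    zones = (
        Zone("intranet", ("10.0.0.0/8",)),
        Zone("dmz", ("192.0.2.0/24",)),
        Zone("internet", ("0.0.0.0/0",)),
    )
    services = (
        Service("dns_pf", kind="pf", snat="198.51.100.1"),
        Service("http_proxy", kind="proxy"),
    )
    rules = (
        Rule("intranet", "internet", 53, "dns_pf"),
        Rule("intranet", "dmz", 80, "http_proxy"),
    )
    return KernelTable(zones, rules, services)


if __name__ == "__main__":
    table = build_sample_table()
    for src, dst, port in (("10.1.2.3", "203.0.113.7", 53),
                           ("10.1.2.3", "192.0.2.10", 80),
                           ("203.0.113.7", "10.1.2.3", 53)):
        print(src, "->", dst, port, table.decide(src, dst, port))
```

The third sample connection is dropped even though the same port and zones appear in a rule, because the rule is directional: the internet-to-intranet zone pair has no entry, so the default deny applies.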