Michael Rash, Security Researcher

Linux Firewalls: Attack Detection and Response

No Starch Press This page serves as an online resource for the book Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort written by Michael Rash and published by No Starch Press in September, 2007.

The goal of this book is to treat Linux firewalls from an applied perspective, with an emphasis on detecting and thwarting network-based attacks. The book discusses the convergence of IDS/IPS and firewall technologies, and is designed to introduce the reader to detailed material from the fields of signature-based network intrusion detection and access control. Many concepts in TCP/IP networking and basic firewall policy construction (which are covered at length by many other tomes) are largely assumed. Significant material is included on iptables and how to maximize its effectiveness against network attacks with the psad, fwsnort, and fwknop projects. Please email me if you have any questions about any of the material covered in the book.

"...Between 2000 and mid-2007, I've read and reviewed nearly 250 technical books. I've also written several books, so I believe I can recognize a great book when I see it. Linux Firewalls is a great book..."

     —Richard Bejtlich, TaoSecurity

"...Michael does a great job of explaining not just how iptables works, but he shows how users gain operational value from using open source tools and techniques, such as visualization, to analyze firewall logs..."

     —Raffael Marty, SecViz

"...If you run one or more Linux based firewalls, this book will not only help you to configure them securely, it will help you understand how they can be monitored to discover evidence of probes, abuse and denial of service attacks. Readers of this book will gain an understanding of firewall log analysis and how the netfilter firewall can be dramatically enhanced with several open source tools..."

     —Ron Gula, Tenable Network Security

References are made at several places within the book to everything from perl scripts to pcap packet traces, and these supporting files are placed here for easy downloading. This site also maintains the errata list for the book.

Table of Contents

Chapter 1: "Care and Feeding of iptables"
Chapter 2: "Network Layer Attacks and Defense"
Chapter 3: "Transport Layer Attacks and Defense"
Chapter 4: "Application Layer Attacks and Defense"
Chapter 5: "Introducing The Port Scan Attack Detector"
Chapter 6: "Psad Operations: Detecting Suspicious Traffic"
Chapter 7: "Advanced psad Topics: From Signature Matching to OS Fingerprinting"
Chapter 8: "Active Response with psad"
Chapter 9: "Translating Snort Rules into iptables Rules"
Chapter 10, "Deploying Fwsnort"
Chapter 11: "Combining Psad and Fwsnort"
Chapter 12: "Port Knocking vs. Single Packet Authorization"
Chapter 13: "Introducing fwknop"
Chapter 14: "Visualizing iptables Logs"

Appendix A: "Attack Spoofing"
Appendix B: "A Complete fwsnort Script"

Book Reviews

  1. Linux User & Developer Magazine, NA, March 2008
  2. ACM, A. Mariƫn, January 2008
  3. ACM, Friedrich Dominicus, January 2008
  4. Slashdot, David Martinjak, January 2008
  5. Free Software Magazine, Alan Berg, December 2007
  6. Linux Pro Magazine, James Pyles, December 2007
  7. Blogcritics Magazine, John Bambenek, November 2007
  8. InfoWorld, Brian Chee, November 2007
  9., Ryan Berens, November 2007
  10., Mirko Zorz, October 2007


  1. Running Xen, Jeanna N. Matthews, et. al., April 2008
  2. nixCraft, Vivek, January 2008