On Thu, 26 Apr 2001, Ben Nagy wrote:
> > IPFilter's had its share of problems too.[...]
> > FWIW, I prefer NetBSD for IPfilter boxen.
>
> I don't recall the IPfilter problems you're talking about - got a reference?
The most recent one is:
http://groups.google.com/groups?q=serious+ipfilter+bug&hl=en&lr=&safe=off&rnum=1&seld=905165927&ic=1
> Why NetBSD - just the performance win?
Yep, if you can ensure that the protection isn't the bottleneck, it's
easier to defend.
> [...]
> > 1. Redhat isn't Linux.
>
> True. Very true, in fact. The distro fragmentation is one of the reasons I'm
> nervous about talking about "Linux Firewalls". I'm sure that SELinux will
You bounded it pretty well to the specific packet filtering mechanism.
> come out looking like a completely different beast to a lot of the others -
> but SELinux being good and secure doesn't make "Linux" good and secure. I
> guess the converse is also true - RH being sucky doesn't make everything
> else suck - it's just that RH _is_ Linux to lots of people.
There's no substitute for diligence. Redhat doesn't totally suck, and I
use it almost exclusively these days. I wouldn't feel bad about deploying
it on the Net as a primary protection device so long as I'd done my part
of configuring it.
> > > 2. 7.1 includes an autofirewall feature if you're into RedHat.
> > 3. It was an inside going out bug, not the worst kind for a firewall
> > certainly.
>
> OK, I must have misread. I thought it was yet-another-PORT-parsing-error
It was...
> (YAPPE) which meant that if you had an internal FTP server an attacker could
> peel your firewall like an onion. I'll take another look at the advisory
> (and stop getting my security news from /. ;)
ISTR that it was a pretty benign "if the server says this, the client can
open that" kind of thing. If it's your server, I think you're safe in
all cases.
>
> > 4. You can add application layer proxies on top of packet
> > filtering, which
> > is better for a firewall IMO.
>
> In which case you'd probably be better falling back to ipchains, since the
> redirection stuff is very mature, right? That's a whole different kettle of
> fish - and a much more palatable one, in my book.
You don't need redirection unless you're looking specifically at inbound
service network type protection or transparency. I wouldn't go back to a
2.2 kernel unless I had a swap space size issue at this point.
Personally, (and I'm a big Linux fan) I'd be happier with IPFilter/*BSD
than Linux if I needed strong packet filtering for the next 6 months or
so. Linfilter might be cool, but it's too new for security infrastructure
in my book. The BSDs intimidate a lot of people though, so if it's an
administratively heavy role, I'd consider Linux as long as there were
multiple layers of filters. ipfw may still be a BSD option as well.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
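The bug class Paul describes above (a stateful filter opening a data-channel pinhole on the strength of whatever the FTP server's PASV reply says) as an added example, not code from the thread or from any of the filters discussed. The 227 reply lines are constructed; the check refuses a reply that names an address other than the control-connection peer or a privileged port.

```python
import re

# Matches the 227 reply form "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line):
    """Return (ip, port) from a 227 reply, or None if the reply is malformed."""
    m = _PASV_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # octets and port bytes must each fit in one byte
    octets, (p1, p2) = fields[:4], fields[4:]
    return ".".join(map(str, octets)), (p1 << 8) | p2


def pinhole_decision(reply_line, control_peer_ip):
    """Decide whether a filter may open the data-channel pinhole for this reply.

    Returns (allowed, reason). The address in the reply must equal the peer of
    the control connection and the port must be unprivileged; a helper that
    skips these checks opens whatever address and port the server names.
    """
    parsed = parse_pasv_reply(reply_line)
    if parsed is None:
        return False, "malformed 227 reply"
    ip, port = parsed
    if ip != control_peer_ip:
        return False, "address does not match control peer"
    if port < 1024:
        return False, "privileged port"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample replies from a server at 192.0.2.10 (TEST-NET-1).
    for reply in (
        "227 Entering Passive Mode (192,0,2,10,195,80)",   # 50000 on the peer: ok
        "227 Entering Passive Mode (192,0,2,99,195,80)",   # names a third host
        "227 Entering Passive Mode (192,0,2,10,0,22)",     # tries to expose port 22
        "227 Entering Passive Mode (192,0,2)",             # malformed
    ):
        print(reply, "->", pinhole_decision(reply, "192.0.2.10"))
```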
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]