> -----Original Message-----
> From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
[...double indent is me...]
> > like ipfilter on OpenBSD, both because ipfilter is Damn Fine Stuff and
> > because OpenBSD is treated like a real OS in terms of releases, revisioning
> > and code review.
> 
> IPFilter's had its share of problems too.[...]
> FWIW, I prefer NetBSD for IPfilter boxen.

I don't recall the IPfilter problems you're talking about - got a reference?
Why NetBSD - just the performance win?
[...]
> 1. Redhat isn't Linux.

True. Very true, in fact. The distro fragmentation is one of the reasons I'm
nervous about talking about "Linux Firewalls". I'm sure that SELinux will
come out looking like a completely different beast to a lot of the others -
but SELinux being good and secure doesn't make "Linux" good and secure. I
guess the converse is also true - RH being sucky doesn't make everything
else suck - it's just that RH _is_ Linux to lots of people.

> 2. 7.1 includes an autofirewall feature if you're into RedHat.
> 3. It was an inside going out bug, not the worst kind for a firewall
> certainly.

OK, I must have misread. I thought it was yet-another-PORT-parsing-error
(YAPPE) which meant that if you had an internal FTP server an attacker could
peel your firewall like an onion. I'll take another look at the advisory
(and stop getting my security news from /. ;)

> 4. You can add application layer proxies on top of packet filtering, which
> is better for a firewall IMO.

In which case you'd probably be better falling back to ipchains, since the
redirection stuff is very mature, right? That's a whole different kettle of
fish - and a much more palatable one, in my book.

[...]
> 
> Paul
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304 
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
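The "yet-another-PORT-parsing-error" class Ben mentions above is worth making concrete. An FTP helper in a stateful firewall reads the client's PORT command and opens a temporary pinhole for the server's data connection; if it trusts the address and port inside that command without checking them, a client behind the firewall (or anything that can inject a PORT line) can have the firewall open holes to arbitrary hosts and ports. The following is an added example, not code from this thread or from any of the firewalls discussed, showing the checks such a helper should apply. The sample PORT lines and the control-connection source address are constructed for the example; the rules (address must match the control connection, port must be unprivileged) are the general ones, not a description of any particular advisory.

```python
"""
Minimal model of the PORT-command check an FTP application-layer helper
should perform before opening a pinhole for a data connection.

Added example; sample data below is constructed, not captured traffic.
"""
import ipaddress
import re

# RFC 959 syntax: PORT h1,h2,h3,h4,p1,p2 -- four address octets, two port bytes.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line: str):
    """Parse a PORT line into (IPv4Address, port). Raises ValueError on bad input.

    The regex limits each field to three digits, but that still admits values
    like 999, so every field is range-checked explicitly afterwards.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed PORT command")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    h1, h2, h3, h4, p1, p2 = nums
    addr = ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}")
    port = (p1 << 8) | p2
    return addr, port


def allowed_data_connection(control_src: str, line: str):
    """Decide whether the helper may open a pinhole for this PORT command.

    control_src is the source address of the FTP control connection as the
    firewall itself observed it. Returns (allowed, reason).
    """
    try:
        addr, port = parse_port_command(line)
    except ValueError as exc:
        return False, str(exc)
    # Check 1: the data address must be the host that owns the control
    # connection. Trusting the address in the command is what lets a PORT
    # injection open holes to other internal hosts.
    if addr != ipaddress.IPv4Address(control_src):
        return False, "address does not match control connection"
    # Check 2: never open a pinhole to a privileged port (0-1023); an FTP
    # client's data port is ephemeral, and anything lower is an attempt to
    # reach a real service through the firewall.
    if port < 1024:
        return False, "privileged port"
    return True, "ok"


# Constructed control-connection trace: (observed control source, PORT line).
SAMPLE_TRACE = [
    ("192.0.2.10", "PORT 192,0,2,10,4,1"),      # legitimate: own host, port 1025
    ("192.0.2.10", "PORT 192,0,2,10,0,22"),     # own host but port 22
    ("192.0.2.10", "PORT 10,0,0,5,4,1"),        # another internal host
    ("192.0.2.10", "PORT 192,0,2,10,999,1"),    # field out of range
    ("192.0.2.10", "PORT 192,0,2,10,4"),        # truncated command
]


def evaluate_trace(trace=SAMPLE_TRACE):
    """Run the helper's decision over a trace; returns a list of (allowed, reason)."""
    return [allowed_data_connection(src, line) for src, line in trace]


if __name__ == "__main__":
    for (src, line), (ok, why) in zip(SAMPLE_TRACE, evaluate_trace()):
        print(f"{line!r:32} from {src}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The same two checks apply in mirror image to the server's 227 reply for passive mode: the address in the reply must be the server the client is talking to, and the port must be unprivileged, or a malicious server can steer the firewall into opening holes toward itself or a third party.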