On Thu, Apr 26, 2001 at 10:01:52AM +1000, Ben Nagy wrote:
> Setting aside general Linux enthusiasm and advocacy, does anyone really
> think that there's a good reason to use Linux for a firewall?
One "real-world" example I was never able to solve with ipfilter was
setting up a caching HTTP proxy on the same subnet -- but not on the
same physical host -- as the firewall. It may be possible with ipfilter
but after trying various things, reading FAQs and docs, and consulting
with one of the OpenBSD mailing lists I still came up empty.
Linux 2.4's netfilter framework made this a piece of cake.
OTOH I'm sure there must be other specialized things you can do with
ipfilter and not with netfilter.
All things considered, I like an OpenBSD/ipfilter box up front, then a
Linux netfilter firewall behind it.
> To take the example below - RH 6.2 is r00table out of the box and ipchains
> is not stateful. RH 7 had problems, so they rushed 7.1. Iptables in 7.1 was
> then immediately found to have a bug in the FTP code (of course - where
> else?).
:-\ Well, my pet distro is Debian which is a cinch to upgrade remotely
and automatically... and I find the default/standard setup to be quite
sane compared with the bloat found in some of the others. The only real
objection to it is the lack of signed binary packages but that is being
addressed, and as long as you use a secure dns cache (plug: DJB's djbdns
package) for your lookups it would be pretty hard to DNS-spoof you into
hitting the wrong host to get updated packages.
(Please no flame warts. ;)
> > IPFilter's had its share of problems too. [...]
> I don't recall the IPfilter problems you're talking about - got a reference?
There was the fragmentation bug of last week or so... that's the only
one I can think of off-hand.
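As an added illustration (not from the original post or its author), this is the shape a netfilter rule set takes for the same-subnet proxy case mentioned above; the addresses, interface name and proxy port are assumed, and the script only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Constructed example: transparently redirect LAN web traffic to a caching
# proxy that sits on the same subnet as the firewall, on a different host.
# Assumed values (not from the original post):
LAN_IF="eth1"            # firewall interface facing the LAN
LAN_NET="192.168.1.0/24" # LAN subnet; clients and proxy both live here
FW_LAN_IP="192.168.1.1"  # firewall's address on that subnet
PROXY_IP="192.168.1.10"  # caching proxy host
PROXY_PORT="3128"        # proxy listening port

# Print each rule, or execute it when APPLY=1 is set in the environment.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Emit the NAT rules. Filter-table (FORWARD) policy is a separate matter.
proxy_redirect_rules() {
  # 1. Exempt the proxy's own outbound fetches, otherwise they would be
  #    redirected back to the proxy and loop. ACCEPT in the nat table stops
  #    evaluation of the remaining nat PREROUTING rules for that packet.
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$PROXY_IP" \
      -p tcp --dport 80 -j ACCEPT
  # 2. Rewrite the destination of client web requests to the proxy.
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
      -p tcp --dport 80 -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
  # 3. The step a plain port-redirect cannot express: because the proxy is on
  #    the same subnet as the client, it would otherwise answer the client
  #    directly, and the client would drop a reply coming from the proxy's
  #    address instead of the web server's. Source-NAT the redirected packets
  #    to the firewall so the proxy replies via the firewall, where connection
  #    tracking reverses both translations before the packet reaches the client.
  run iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$PROXY_IP" \
      -p tcp --dport "$PROXY_PORT" -j SNAT --to-source "$FW_LAN_IP"
}

proxy_redirect_rules
```

The cost of rule 3 is that the proxy's access log shows the firewall's address as the client for every redirected request, so client-level accounting has to come from the firewall instead.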
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]