Hmm, I've been watching events in both the Linux realm as well as the
*BSD realm for a while, not to mention other platforms.  The complexity of
developing a stable and securable OS, let alone added features like
ipfilter or iptables, is a task that seems to always be in the making and
thus in flux.  Ipfilter code had a recent issue with fragments, just a
few weeks ago.  About the same time, FreeBSD and OpenBSD were found to have
some ftp globbing issues, as was found with most other vendor flavors.
Yet, two factors seem to work well for those folks playing in the
Linux/*BSD realms:

1, source is open and folks can fix what they want/wish and patches are
near to immediate to the released vulnerabilities in many/most cases.

2, an often overlooked factor of recent times is how well one knows the
underlying OS.  If you know Linux better than your fav *BSD, then you are
more likely to produce a more secure system with that, or vice versa, than
by stepping out of this well-known realm.

This second factor works well no matter the flavor of the OS; the more you
know it and can make it dance for you, the better the security of the
systems you design upon that OS.  Yet, with the recent Argus/PitBull hack,
which focused upon architecture weaknesses, the question gets broadened to
how well one knows the hardware they play upon, let alone the OS and tools
piled upon that.  Again, watching for signs over the years seems to
suggest that no matter the HW involved, and whether or not it plays with
Intel, Intel-Compaq or Sun, or SGI or what have you, as the focus of
attention is plied to a HW platform or particular OS, we'll find other
exploits to subvert even the most well thought-out code, be it at the lower
levels of the chips supporting it, or the OS/tools designed to run on it.
So, perhaps the best we can do is expand #2 above to include not only how
well one knows the OS they are plying, but how well they understand the HW
platform they are plying upon.  From that point on, I tend to get the
feeling it is all a matter of religion.


Thanks,

Ron DuFresne


On Thu, 26 Apr 2001, Ben Nagy wrote:

> Anyone,
> 
> Setting aside general Linux enthusiasm and advocacy, does anyone really
> think that there's a good reason to use Linux for a firewall? I (personally)
> like ipfilter on OpenBSD, both because ipfilter is Damn Fine Stuff and
> because OpenBSD is treated like a real OS in terms of releases, revisioning
> and code review.
> 
> To take the example below - RH 6.2 is r00table out of the box and ipchains
> is not stateful. RH 7 had problems, so they rushed 7.1. Iptables in 7.1 was
> then immediately found to have a bug in the FTP code (of course - where
> else?).
> 
> I'd love to have some faith that iptables was cool and ready for primetime,
> since ipchains on Linux did more than anything else I can think of to raise
> awareness about solid, free firewalls (oh, the irony!) - but I still have
> many reservations.
> 
> Comments, anyone?
> 
> Cheers,
> 
> --
> Ben Nagy
> Network Security Specialist
> Marconi Services Australia Pty Ltd
> Mb: +61 414 411 520  PGP Key ID: 0x1A86E304 
> 
> > -----Original Message-----
> > From: DSC coria fernandez jose antonio
> > [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, April 25, 2001 7:36 AM
> > To: [EMAIL PROTECTED]
> > Subject: Looking for..............
> > 
> > 
> > 
> > I'm looking for information on installing ipchains on a Red Hat
> > box, version 6.2.
> > I was reading the how-tos, but I still have questions.
> > Any suggestions?
> > 
> > Thanks a lot
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
