At 20:20 25/04/01 -0400, Paul D. Robertson wrote:
>On Thu, 26 Apr 2001, Ben Nagy wrote:
>
> > Anyone,
> >
> > Setting aside general Linux enthusiasm and advocacy, does anyone really
> > think that there's a good reason to use Linux for a firewall? I (personally)
>
>Familiarity is probably the only reason to use a stock Linux system.  If
>you're into the entire compartmented thing, adding RSBAC and limiting
>administrative access to certain features is appealing.

I'd add that since we're living in a hype-dominated world, it's easier to go for
an OS that most people accept because they know it or because they've heard
of it. I'm not saying Linux is a bad OS, but there are far more people who'll
say "yes, you MUST Linux" but who just don't know why, except that they
read magazines and talk with friends, than those who really know why:)

Note that I am a BSD enthusiast, but that doesn't make me a silly guy who
just thinks other OSes are silly. I still can think:)


> > like ipfilter on OpenBSD, both because ipfilter is Damn Fine Stuff and
> > because OpenBSD is treated like a real OS in terms of releases, revisioning
> > and code review.
>
>IPFilter's had its share of problems too.  If that's your objection to
>iptables, it's an apples to apples comparison (though certainly IPFilter
>has had more "real time" on the Net and therefore should be significantly
>more weathered.)

I agree that ipfilter is far from perfect. But until now, I didn't find a
better replacement.
I certainly have to take a deeper look into iptables, but didn't have the
time yet. And given that I'm a BSD user, I won't use iptables anyway, which
explains why I don't have the time:)

>FWIW, I prefer NetBSD for IPfilter boxen.

I also prefer NetBSD over the others. This might surprise those who've seen
me advocating for FreeBSD. My answer is that I think Free is easier for new users.

>1. Redhat isn't Linux.
>2. 7.1 includes an autofirewall feature if you're into RedHat.
>3. It was an inside going out bug, not the worst kind for a firewall
>certainly.
>4. You can add application layer proxies on top of packet filtering, which
>is better for a firewall IMO.

RH is not the best platform for security, but that's understandable: they
are offering an OS for the masses, not for those few guys who wanna set up a FW.

Anyway, I don't think the question is to Linux, to BSD or not. As of today,
BSD systems are better for firewalling. This doesn't mean that Linuxers are
silly guys adding bugs. It's just that Linux is far more used, and is thus
focusing on usability. As a consequence, this is the same argument against
FreeBSD when compared to other flavours!

From a theoretical viewpoint, one can provide network security on any open
source OS. It's just a matter of implementation. The only problem is that the
"market" for that is restricted. Most people just use FW1, because they don't
understand what security is and thus go for what others use and fall in the
silly followers category.


cheers,
mouss


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
