The IPTables ftp security fix will be in Kernel 2.4.4.
I believe it's already in 2.4.3-AC14.
So I would not recommend IPTables under Linux without using
the latest kernels.
RedHat will be releasing a new Kernel for RedHat Linux 7.1
shortly with the fix included.
Cheers,
Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
> -----Original Message-----
> From: mouss [mailto:[EMAIL PROTECTED]]
> Sent: 26 April 2001 14:20
> To: Paul D. Robertson; Ben Nagy
> Cc: [EMAIL PROTECTED]
> Subject: Re: Linux Firewalls (WAS: Looking for...)
>
>
> At 20:20 25/04/01 -0400, Paul D. Robertson wrote:
> >On Thu, 26 Apr 2001, Ben Nagy wrote:
> >
> > > Anyone,
> > >
> > > Setting aside general Linux enthusiasm and advocacy, does anyone really
> > > think that there's a good reason to use Linux for a firewall? I
> > > (personally)
> >
> >Familiarity is probably the only reason to use a stock Linux system. If
> >you're into the entire compartmented thing, adding RSBAC and limiting
> >administrative access to certain features is appealing.
>
> I'd add that since we're living in a hype-dominated world, it's easier to
> go for an OS that most people accept because they know it or because they
> heard of it. I'm not saying Linux is a bad OS, but there are far more
> people who'll say "yes, you MUST linux" but who just don't know why, except
> that they read magazines and talk with friends, than those who really know
> why:)
>
> Note that I am a BSD enthusiast, but that doesn't make me a silly guy who
> just thinks other OSes are silly. I still can think:)
>
>
> > > like ipfilter on OpenBSD, both because ipfilter is Damn Fine Stuff and
> > > because OpenBSD is treated like a real OS in terms of releases,
> > > revisioning and code review.
> >
> >IPFilter's had its share of problems too. If that's your objection to
> >iptables, it's an apples to apples comparison (though certainly IPFilter
> >has had more "real time" on the Net and therefore should be significantly
> >more weathered.)
>
> I agree that ipfilter is far from perfect. But until now, I didn't find a
> better replacement.
> I certainly have to take a deeper look into iptables, but didn't have the
> time yet.
> And given that I'm a BSD user, I won't use iptables anyway, which explains
> why I don't have the time:)
>
> >FWIW, I prefer NetBSD for IPfilter boxen.
>
> I also prefer NetBSD over the others. This might surprise those who've seen
> me advocating for FreeBSD. My answer is that I think Free is easier for new
> users.
>
> >1. Redhat isn't Linux.
> >2. 7.1 includes an autofirewall feature if you're into RedHat.
> >3. It was an inside going out bug, not the worst kind for a firewall
> >certainly.
> >4. You can add application layer proxies on top of packet filtering, which
> >is better for a firewall IMO.
>
> RH is not the best platform for security, but that's understandable: they
> are offering an OS for the masses, not for those few guys who wanna set up
> a FW.
>
> Anyway, I don't think the question is to Linux, to BSD or not. As of today,
> BSD systems are better for firewalling. This doesn't mean that linuxers are
> silly guys adding bugs. It's just that Linux is far more used, and is thus
> focusing on usability. As a consequence, this is the same argument against
> FreeBSD when compared to other flavours!
>
> From a theoretical viewpoint, one can provide network security on any open
> source OS. It's just a matter of implementation. The only problem is that
> the "market" for that is restricted. Most people just use FW1, because they
> don't understand what security is and thus go for what others use and fall
> in the silly followers category.
>
>
> cheers,
> mouss
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>