On Thu, 26 Apr 2001, Randal, Phil wrote:

> So I would not recommend IPTables under Linux without using the latest
> kernels.

this is a dangerous philosophy to get into, frankly. the Linux kernel has
a long and tired history of introducing more bugs into the latest, rushed
kernel than they fix. (i've been using Linux since kernel 1.2, i'm a bit
old school.) as such, you're highly likely to break something valuable as
you attempt to fix something.

the problem stems from a development cycle that has a pace that cannot be
monitored efficiently by the people who check code for correctness and
security. never mind that they explicitly don't care about security.

sometime before 2.4 went 'prime time', i thought i would get involved. i
spent several intense days poring over code and mailing list material and
emerged shocked at the inconsistent quality of netfilter code. it's
blatantly insecure in some places, and contributions pour in and get
checked in without much scrutiny.

i'm no longer the young, fiery man i was. i don't have the time to put up
lonely battles and attempt to change even a few people's minds. i gave up,
i walked away from it and back towards code i could trust (*BSD and
IPFilter).

you learn a lot reading kernel code, you get to see a lot of the innards
of a project that way by reading comments and looking at code quality.

i said it last night, and i'll reiterate it: remember that not every tool
is designed for the jobs it can accomplish (i.e. a Linux firewall). use a
tool designed for a purpose like that, and in doing so you may have to
extend your horizons.

____________________________
jose nazario                                                 [EMAIL PROTECTED]
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
