I apologise for my ambiguous use of the English language here.

My point was solely that at the current time, a Linux box
running kernel 2.4.x and IPTables has problems.  IPTables is
fixed in the latest Alan Cox builds, but, as you say, there may
be other issues.  So we're in broad agreement there.

Maybe by the time kernel 2.4.5 is out :-)

Cheers,

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

> -----Original Message-----
> From: Jose Nazario [mailto:[EMAIL PROTECTED]]
> Sent: 26 April 2001 15:30
> To: Randal, Phil
> Cc: [EMAIL PROTECTED]
> Subject: RE: Linux Firewalls (WAS: Looking for...)
> 
> 
> On Thu, 26 Apr 2001, Randal, Phil wrote:
> 
> > So I would not recommend IPTables under Linux without using the latest
> > kernels.
> 
> this is a dangerous philosophy to get into, frankly. the Linux kernel has
> a long and tired history of introducing more bugs into the latest, rushed
> kernel than they fix. (i've been using Linux since kernel 1.2, i'm a bit
> old school.) as such, you're highly likely to break something valuable as
> you attempt to fix something.
> 
> the problem stems from a development cycle that has a pace that cannot be
> monitored efficiently by the people who check code for correctness and
> security. never mind that they explicitly don't care about security.
> 
> sometime before 2.4 went 'prime time', i thought i would get involved. i
> spent several intense days poring over code and mailing list material and
> emerged shocked at the inconsistent quality of netfilter code. it's
> blatantly insecure in some places, and contributions pour in and get
> checked in without much scrutiny.
> 
> i'm no longer the young, fiery man i was. i don't have the time to put up
> lonely battles and attempt to change even a few people's minds. i gave up,
> i walked away from it and back towards code i could trust (*BSD and
> IPFilter).
> 
> you learn a lot reading kernel code, you get to see a lot of the innards
> of a project that way by reading comments and looking at code quality.
> 
> i said it last night, and i'll reiterate it: remember that not every tool
> is designed for the jobs it can accomplish (i.e. a Linux firewall). use a
> tool designed for a purpose like that, and in doing so you may have to
> extend your horizons.
> 
> ____________________________
> jose nazario                                    [EMAIL PROTECTED]
> PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
> PGP key ID 0xFD37F4E5 (pgp.mit.edu)
> 
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]