> I'm thinking of updating my Linux firewall from kernel 2.2.x/ipchains to
> 2.4.4/iptables.  Comments anyone?  Can anyone tell me why I shouldn't
> upgrade the kernel to 2.4.4/iptables?
> 
Well, there are a few people who consider the 2.4 kernels and the netfilter
code to be too new to be trusted. Aside from that, netfilter doesn't have as
many protocol helpers (only ip_conntrack_ftp) as ipchains did, though some
may not be necessary or are handled in the ip_conntrack module itself. Note that
the semantics are somewhat different and some of the more sophisticated
stuff isn't handled all that well in the predominant online documentation. I
ran into a problem that had me puzzled because I didn't know that the
PREROUTING and POSTROUTING chains are traversed for packets that aren't
subject to NAT, and had the packets between the internal network and DMZ being
dropped mysteriously. Other than that, it seems to work very well. And
personally, I think the benefit of statefulness outweighs the risk, although
I'd still like to know for sure what *exactly* matches 'ESTABLISHED' and
'RELATED'.

Have fun,
Tobias
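As an added illustration of the ESTABLISHED/RELATED question raised above (not part of the original thread and not netfilter's own code), the following is a deliberately simplified Python model of how ip_conntrack labels packets for the iptables state match, including the ip_conntrack_ftp helper's expectation for an active-mode data channel. The session it walks through is constructed; the addresses, ports and the PORT command are sample values.

```python
# Constructed, simplified model of how netfilter's ip_conntrack labels packets
# for the iptables state match; not netfilter's code. Reduced rules:
#   NEW          TCP SYN of a flow with no conntrack entry
#   ESTABLISHED  packet of a flow that has already seen traffic both ways
#   RELATED      SYN of a flow a helper expected (ip_conntrack_ftp here,
#                which reads the client's PORT command for active-mode FTP)
#   INVALID      non-SYN TCP packet with no conntrack entry
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport syn payload", defaults=(False, ""))

class ConntrackModel:
    def __init__(self):
        self.flows = {}        # (src, sport, dst, dport) -> reply seen?
        self.expected = set()  # (src, dst, dport) registered by helpers

    def classify(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:                       # original direction
            state = "ESTABLISHED" if self.flows[key] else "NEW"
        elif rev in self.flows:                     # reply direction
            self.flows[rev] = True
            state = "ESTABLISHED"
        elif pkt.syn and (pkt.src, pkt.dst, pkt.dport) in self.expected:
            self.expected.discard((pkt.src, pkt.dst, pkt.dport))
            self.flows[key] = False
            state = "RELATED"
        elif pkt.syn:
            self.flows[key] = False
            state = "NEW"
        else:
            state = "INVALID"
        if state != "INVALID" and pkt.dport == 21 and pkt.payload.startswith("PORT "):
            self._ftp_helper(pkt)
        return state

    def _ftp_helper(self, pkt):
        # "PORT h1,h2,h3,h4,p1,p2": the client announces where the server should
        # open the data channel, so expect server -> h1.h2.h3.h4:(p1*256+p2).
        f = pkt.payload[5:].split(",")
        self.expected.add((pkt.dst, ".".join(f[:4]), int(f[4]) * 256 + int(f[5])))

def ftp_session_states():
    """Constructed active-mode FTP session followed by two stray packets."""
    ct, c, s, x = ConntrackModel(), "10.0.0.5", "192.0.2.10", "198.51.100.7"
    packets = [Packet(c, 1024, s, 21, syn=True), Packet(s, 21, c, 1024),
               Packet(c, 1024, s, 21, payload="PORT 10,0,0,5,4,1"),
               Packet(s, 20, c, 1025, syn=True), Packet(c, 1025, s, 20),
               Packet(x, 4444, c, 80), Packet(x, 4445, c, 80, syn=True)]
    return [ct.classify(p) for p in packets]
```

The last two packets show why a ruleset that only accepts ESTABLISHED,RELATED on the outside interface still needs an explicit decision for NEW and INVALID: the stray SYN is NEW, the stray non-SYN is INVALID.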

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls