Jack, David, Rick:

        Heyaz, thanks for the feedback. Some
comments below:

> > understanding is that the Linux 2.2 kernels 
> > would not be able to make it since the 
> > firewalling is not state-ful.
> 
> I bet 2.2 can be back-patched to use 2.4's netfilter;
> would that make it stateful?

        What I read about netfilter says yes, it can be
back-ported. Though...what about the ICSA requirements
mentioned statefulness? I didn't see it. It does specify
a specific set of services that must work and no others. I
didn't interpret that to mean it must work for a webserver 
behind the firewall setup to listen to, say, port 53.
Eeesh. Perhaps I should ask them for clarification on
this...

> > What's the difference between excellence and 
> > putting out a product which is better?
> 
> I should have been more clear about my intent, above; what I
> wanted to know is why we're going after popularity, instead
> of creating what we see as the best?

        Well....our motives for ICSA certification don't have 
to be the entirety of our motives for the whole LEAF project.
Or vice-versa. Certification is just a means to an end: it
gets some people to use LEAF who otherwise wouldn't/couldn't.
I envision on the LRP list someday we can answer the FAQ: "what 
can I tell my boss about LRP so he'll let me use it instead of
a Cisco 2600?" with the snappy comeback "A derivative of LRP
got ICSA certified, and the Cisco 2600 isn't".

        Based on the feedback, I believe I'm going to move
the certification work forward. Here's my plan: I'll create
a LEAF release based on Oxygen, stripping down anything
server or NAT related. Should be doable on one-floppy. I'll
set it up with the firewall ruleset I use on my colo'd /28 
subnet. Then I do all the documentation work needed to get
it running, and so get it certified.
        If/when it gets certified, we put a big ICSA sticker
next to it on the LEAF site, and maybe do a press release. :)
Woo. Some people will come for it, and then they'll start to
ask: "What about NAT?" "What about IPSec?" That's when we
answer with: "For those features, use these releases instead:
EigerStein is here, Oxygen is here, etc."

        Sounds doable. Now to find an Angel to front the 
$25k. ;)

-Scott


_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel
