On Wed, Oct 30, 2002 at 10:52:28PM +0000, Roy Badami wrote:

> An imperfect kernel FTP proxy (as provided by iptables or ipfilter) is
> surely still better than nothing when firewalling an FTP server. If
> the userland FTP proxy can't easily be made fully transparent, then a
> kernel FTP filter is still useful.

I agree, it's better than no firewall at all. But it's worse than a firewall that reliably blocks access to some vulnerable ports, because the in-kernel proxy could be tricked into opening those ports. Of course, even a wet towel is better than no firewall.

Daniel
