Yesterday Miloslav Trma said:

Curtis Doty writes on Wed 08. 12. 2010 at 01:02 -0800:
Monday Miloslav Trma said:

Just disable the firewall and you'll get pretty much equivalent
functionality.

How? Now that the filter table and stateful connection tracking aren't
modules anymore, they appear to be built monolithically into the Fedora
kernel.

a) you trust the in-kernel firewall state connection tracking to track
connection state and handle unexpected packets according to the firewall
configuration.

b) you trust the in-kernel protocol stack (TCP/UDP) to track connection
state and handle unexpected packets according to ordinary rules of the
protocol.

Why must stateful connection tracking be imposed on every Fedora user?

Don't get me wrong. I use netfilter all the time and love it. And it's good to install the userland iptables tools and a simple firewall by default. But when I'd like to choose Fedora without it (asymmetric routing anyone?), I now have to rebuild the kernel. [harumph!]

Was there ever a good reason for making the filter table and conntrack modules monolithic? They certainly didn't used to be built in...

../C
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
