On Thu, 26 Apr 2001, Ben Nagy wrote:
> Anyone,
>
> Setting aside general Linux enthusiasm and advocacy, does anyone really
> think that there's a good reason to use Linux for a firewall? I (personally)
Familiarity is probably the only reason to use a stock Linux system. If
you're into the entire compartmented thing, adding RSBAC and limiting
administrative access to certain features is appealing.
> like ipfilter on OpenBSD, both because ipfilter is Damn Fine Stuff and
> because OpenBSD is treated like a real OS in terms of releases, revisioning
> and code review.
IPFilter's had its share of problems too. If that's your objection to
iptables, it's an apples to apples comparison (though certainly IPFilter
has had more "real time" on the Net and therefore should be significantly
more weathered.) FWIW, I prefer NetBSD for IPFilter boxen.
> To take the example below - RH 6.2 is r00table out of the box and ipchains
> is not stateful. RH 7 had problems, so they rushed 7.1. Iptables in 7.1 was
> then immediately found to have a bug in the FTP code (of course - where
> else?).
1. Red Hat isn't Linux.
2. 7.1 includes an autofirewall feature if you're into Red Hat.
3. It was an inside going out bug, not the worst kind for a firewall
certainly.
4. You can add application layer proxies on top of packet filtering, which
is better for a firewall IMO.
> I'd love to have some faith that iptables was cool and ready for primetime,
> since ipchains on Linux did more than anything else I can think of to raise
> awareness about solid, free firewalls (oh, the irony!) - but I still have
> many reservations.
I'd give it a few months before I relied on it as a sole protection
mechanism. I wouldn't have an issue with putting a box inline with
something else doing the same job and seeing how it fared though. Um,
after some testing that is.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
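The thread turns on the difference between a stateless filter (ipchains, which can only approximate "established" by looking at TCP flags on each packet in isolation) and a stateful one (iptables with connection tracking, which admits an inbound packet only if it belongs to a flow the firewall has already seen). The simulation below is an added illustration, not code from the thread or from either project; the packet trace, the addresses (RFC 5737 documentation ranges, with `10.x` standing in for the inside network) and the two filter policies are constructed here.

```python
"""Stateless vs. stateful TCP filtering, simulated over a constructed packet trace.

Assumption: addresses beginning with "10." are the protected (inside) network;
everything else is the Internet. Flags are a set of TCP flag names.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


def is_inside(ip: str) -> bool:
    return ip.startswith("10.")


def stateless_decide(pkt: Packet) -> str:
    """ipchains-style policy with no memory of flows.

    Outbound is allowed. Inbound TCP is allowed unless it is a bare SYN,
    i.e. "established" is approximated purely from the flags of this packet.
    """
    if is_inside(pkt.src):
        return "ACCEPT"
    if "SYN" in pkt.flags and "ACK" not in pkt.flags:
        return "DROP"
    return "ACCEPT"


class StatefulFilter:
    """Connection-tracking policy: inbound is accepted only as a reply to a
    flow that an inside host initiated (the ESTABLISHED/RELATED idea)."""

    def __init__(self) -> None:
        # Tracked flows keyed by (inside ip, inside port, outside ip, outside port).
        self.table = set()

    def decide(self, pkt: Packet) -> str:
        if is_inside(pkt.src):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reply_key in self.table else "DROP"


# Constructed trace: a legitimate outbound web fetch and its reply, then two
# unsolicited inbound packets that no inside host asked for.
TRACE: List[Packet] = [
    Packet("10.1.1.5", 40000, "203.0.113.9", 80, frozenset({"SYN"})),          # inside opens
    Packet("203.0.113.9", 80, "10.1.1.5", 40000, frozenset({"SYN", "ACK"})),   # genuine reply
    Packet("198.51.100.7", 1234, "10.1.1.5", 22, frozenset({"ACK"})),          # unsolicited, no SYN
    Packet("198.51.100.7", 1234, "10.1.1.5", 22, frozenset({"SYN"})),          # unsolicited SYN
]


def run_stateless() -> List[str]:
    return [stateless_decide(p) for p in TRACE]


def run_stateful() -> List[str]:
    fw = StatefulFilter()
    return [fw.decide(p) for p in TRACE]


def disagreements() -> List[int]:
    """Indexes into TRACE where the two policies reach different verdicts."""
    a, b = run_stateless(), run_stateful()
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    for p, s1, s2 in zip(TRACE, run_stateless(), run_stateful()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}  stateless={s1}  stateful={s2}")
```

The third packet is the one that matters: a flag-only rule has to accept any inbound packet without a bare SYN, because it cannot tell a reply from noise, whereas the tracking filter drops it since no inside host ever opened that flow. The real kernel machinery is more elaborate (timeouts, RELATED flows such as the FTP data channel the thread mentions), but the reason the thread treats "stateful" as a hard requirement is exactly this gap.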