I do not see where the linux realm is the only sucker to this kind of
issue, in fact, time has shown it to be something significant for the
BIG<tm> vendors themselves.

Thanks,

Ron DuFresne

On Thu, 26 Apr 2001, Jose Nazario wrote:

> On Thu, 26 Apr 2001, Randal, Phil wrote:
> 
> > So I would not recommend IPTables under Linux without using the latest
> > kernels.
> 
> this is a dangerous philosophy to get into, frankly. the Linux kernel has
> a long and tired history of introducing more bugs into the latest, rushed
> kernel than they fix. (i've been using Linux since kernel 1.2, i'm a bit
> old school.) as such, you're highly likely to break something valuable as
> you attempt to fix something.
> 
> the problem stems from a development cycle that has a pace that cannot be
> monitored efficiently by the people who check code for correctness and
> security. never mind that they explicitly don't care about security.
> 
> sometime before 2.4 went 'prime time', i thought i would get involved. i
> spent several intense days poring over code and mailing list material and
> emerged shocked at the inconsistent quality of netfilter code. it's
> blatantly insecure in some places, and contributions pour in and get
> checked in without much scrutiny.
> 
> i'm no longer the young, fiery man i was. i don't have the time to put up
> lonely battles and attempt to change even a few peoples' minds. i gave up,
> i walked away from it and back towards code i could trust (*BSD and
> IPFilter).
> 
> you learn a lot reading kernel code, you get to see a lot of the innards
> of a project that way by reading comments and looking at code quality.
> 
> i said it last night, and i'll reiterate it: remember that not every tool
> is designed for the jobs it can accomplish (ie a Linux firewall). use a
> tool designed for a purpose like that, and in doing so you may have to
> extend your horizons.
> 
> ____________________________
> jose nazario                                               [EMAIL PROTECTED]
>                    PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
>                                      PGP key ID 0xFD37F4E5 (pgp.mit.edu)
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
