On Wed, Apr 24, 2002 at 04:12:12PM +0200, Sigmund Vegheim wrote:
> But this is a security risk. The statefulness of the firewall isn't good
> enough for business use, I would say.
Yes. True. Don't use it in a business environment.

> Is this because of iptables or netfilter?

Because of iptables. Don't use that. Use, instead, netfilter.

> This is a rather important issue and the documentation on this is poor.

Again true. www.netfilter.org does not have good docs, neither
http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html
and tons of other sites.

> It seems that iptables way of implementing stateful inspection only is a
> matter of speed?

Yes, speed. ipchains is much better, is slower and does not have
statefulness. Exactly what a business environment requires.

>
> -----Original Message-----
> From: Sneppe Filip [mailto:[EMAIL PROTECTED]]
> Sent: 24. april 2002 14:50
> To: Sigmund Vegheim; [EMAIL PROTECTED]
> Subject: RE: Statefull inspection
>
>
>
> Sigmund,
>
> Correct. Stuff doesn't just get dropped from the connection tracking,
> not even after a script reloads the rules. So you have to be careful
> with stuff that is still in /proc/net/ip_conntrack.
>
> Regards,
> Filip
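
Added example, not part of the original thread: the quoted message says entries already in /proc/net/ip_conntrack survive a rule reload. The Python below parses constructed lines in that file's format and lists tracked connections that a new policy would not admit; the `ALLOWED` set and all function names are assumptions made for illustration.

```python
import re

# Constructed sample lines in the /proc/net/ip_conntrack format (not real data).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40112 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=40112 [ASSURED] use=1
tcp      6 431990 ESTABLISHED src=192.0.2.11 dst=198.51.100.5 sport=40200 dport=23 src=198.51.100.5 dst=192.0.2.11 sport=23 dport=40200 [ASSURED] use=1
udp      17 25 src=192.0.2.12 dst=198.51.100.7 sport=5353 dport=53 [UNREPLIED] src=198.51.100.7 dst=192.0.2.12 sport=53 dport=5353 use=1
icmp     1 29 src=192.0.2.14 dst=198.51.100.5 type=8 code=0 id=1234 [UNREPLIED] src=198.51.100.5 dst=192.0.2.14 type=0 code=0 id=1234 use=1
"""

# Hypothetical new policy: (protocol, destination port) pairs the reloaded rules allow.
ALLOWED = {("tcp", 22), ("udp", 53)}


def parse_entry(line):
    """Return the original-direction fields of one conntrack line, or None."""
    fields = line.split()
    if len(fields) < 4 or not fields[2].isdigit():
        return None
    entry = {"proto": fields[0], "timeout": int(fields[2]), "state": None}
    if "=" not in fields[3] and not fields[3].startswith("["):
        entry["state"] = fields[3]       # TCP lines carry a state column, UDP/ICMP do not
    for key, value in re.findall(r"(\w+)=(\S+)", line):
        entry.setdefault(key, value)     # first occurrence is the original direction
    return entry


def not_covered(text, allowed):
    """List tracked connections that the new allow-list would not admit."""
    hits = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        dport = int(e["dport"]) if "dport" in e else None   # ICMP has no ports
        if (e["proto"], dport) not in allowed:
            hits.append((e["proto"], e.get("src"), e.get("dst"),
                         dport, e["state"], e["timeout"]))
    return hits


if __name__ == "__main__":
    for hit in not_covered(SAMPLE, ALLOWED):
        print("still tracked, not in new policy:", hit)
```

On a live system the same functions can be fed the contents of /proc/net/ip_conntrack after a reload; the last tuple element is the remaining timeout in seconds, which shows how long an entry would otherwise linger.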
