On Wed, Apr 24, 2002 at 10:25:05AM -0400, Ramin Alidousti wrote:
> On Wed, Apr 24, 2002 at 04:12:12PM +0200, Sigmund Vegheim wrote:
> 
> > But this is a security risk. The statefulness of the firewall isn't good
> > enough for business use, I would say.
> 
> Yes. True. Don't use it in a business environment.
> 
> > Is this because of iptables or netfilter?
> 
> Because of iptables. Don't use that. Use, instead, netfilter.
> 
> > This is a rather important issue and the documentation on this is poor.
> 
> Again true. www.netfilter.org does not have good docs, neither
> http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html
> and tons of other sites.
> 
> > It seems that iptables' way of implementing stateful inspection is only a
> > matter of speed?
> 
> Yes, speed. ipchains is much better, is slower and does not have
> statefulness. Exactly what a business environment requires.
> 
Suggestion: Why not set up 2 boxes - one doing the STATEFUL
INSPECTION/NAT, the other filtering. Some implementations have
already been done such as "Invisible firewall" /*BSD specific, nevertheless
helpful?
IMO it will be easier if the task is spread over more than one box.
The business can afford it.
Regards,
Dimitar
