[ale] stateful firewall?
Geoffrey
esoteric at denali.atlnet.com
Wed Oct 17 09:09:30 EDT 2001
I thought the primary difference between ipchains and iptables was that
iptables was stateful? Anyone?
John Wells wrote:
>
> I've been working for the past day or so on setting up
> ipchains to use as my company's firewall. Then
> one of our senior IT guys came by and said "Linux
> boxes don't make firewalls. They make good proxies,
> but not firewalls. Linux has no stateful firewalls".
>
> Ok. I'm a programmer, not an IT OP guy, but I'm one
> of the few people around here who know *nix (we're
> primarily a Windows shop). One of the things I and a
> few other developers around here have been trying to
> do is make as many excuses for Linux boxes as
> possible. The senior IT guy wants us to wait for a
> Solaris box from corporate.
>
> I know in Bob Toxen's book it's mentioned that the 2.4
> kernel provides a stateful firewall capability called
> NETFILTER. Has anyone had any experience with this?
> Good/bad? Is it stable enough to use in a production
> environment?
>
> If it is stable enough, we have installed RH 7.1,
> which uses the 2.4, so we're good to go. However, the
> IT guy also seems to think that all Linux
> distributions have too many holes (with the exception
> of the NSA's distribution, which he mentioned in
> passing). It was my impression that I could disable
> pretty much every service on the box (with the
> exception of those that *have* to be running to
> function as a firewall) and we'd be pretty secure. Is
> this not the case?
>
> Ok, final question. Assuming NETFILTER is *not* ready
> for production, are there any open source stateful
> firewalls that are?
>
> Thanks!
> John
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
--
Until later: Geoffrey esoteric at denali.atlnet.com
"...the system (Microsoft passport) carries significant risks to users that
are not made adequately clear in the technical documentation available."
- David P. Kormann and Aviel D. Rubin, AT&T Labs - Research
- http://www.avirubin.com/passport