[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: 'Generic' Firewall Rulesets?

Giacomo Mulas <gmulas@ca.astro.it> writes:


> This makes it a more powerful approach, even more unneeded rules can be
> pruned, and the ruleset is again simpler and easier to understand and
> maintain. But this implies running a 2.4.0-testX kernel, and I have had
> mixed (very good and very bad) experiences with it. As a rule of the
> thumb, I actually run 2.4.0-test10 on every computer on which it can
> successfully boot and run without errors for more than an hour, and it is
> apparently flawless, but on some PII boxen, for example, it kept giving
> fp_exception errors and killing processes, eventually causing a lot of
> damage. It did it immediately, though, so it was not a difficult problem
> to spot.

-test9 works flawlessly on my home firewall, the same setup on 
a company firewall has cried twice "Aieee" on updating my
homegrown iptables package, but works otherwise fine. On
my Laptop only small problems (once in a while pcmcia/eth0 is dead).

> To wrap it up, my "hands on" suggestion is:
> 1) if you want a rock stable firewall, go with kernel 2.2.x, spf and
> ipchains
> 2) if you can afford to test things a bit and to spend some time getting
> things to run smoothly, go with kernel, with x>=10, and
> iptables.

You can get my (hopefully) improved Debian package for iptables 1.1.2
with debconf support from:

deb http://ftp.linuxia.de/ftp/debian iptables main


LinuXia Systems && Cobolt NetServices, eCommerce and more
Shop- und Datenbanklösungen mit MiniVend, Firewalls auf Debian-Basis
http://www.linuxia.de - http://www.cobolt.net
--> Junior Officer of the MiniVend/Interchange Bug Patrol <--- 

Reply to: