
Re: Firewall with woody



Jorge Escudero once wrote:
> I have the firewall with Woody and I have never had any security problem.
> Is it risky to still be using this version?

For a firewall, you need to at least upgrade the kernel and patch + recompile ssh and libssl. More library updates are also needed if you also care about local exploits. You also need to know what you are doing, because otherwise you could experience some problems.

For example, if you are doing traffic shaping with /sbin/tc, you will need to patch iptables because of changes in kernel 2.4.20 (which means you need to read the kernel changelog before).

You need to have a really good reason for not upgrading, and if you need to ask, then you probably don't have such a reason.

There are a few production servers I still maintain with Woody and the latest 2.4 kernels with special patches. But it means I need to follow bugtraq and other mailing lists, sometimes hand-patch some programs or libraries, and understand what I am doing. And I get money for spending time maintaining those systems.

That said, I won't run a Woody firewall unless I am forced to. If the problem is the frequent 2.6 kernel updates, then Sarge also supports the 2.4 kernel and could win you a few months, but I doubt it is worth it in your case.

> Do I have to upgrade the version any time a new one is released?

You could decide to upgrade to Sarge, and wait until Lenny is out to upgrade to Etch and so on, but Etch is much better than Sarge in my opinion and I would go directly there. If you are paranoid, you will also want to activate SELinux.


Simon Valiquette


