
Linux as a Firewall



Wow!!!   I'm on the firewall mailing list (http://www.greatcircle.com) where
they've been having a bit of a "discussion" about the pros/cons of using
Linux as a firewall.

If you're interested, read on....

(I think Debian developers will get a bit of a kick regarding what is said
about Slackware/RedHat/Debian developers in general - or, at least, what is
implied....)

Anyone here care to comment?

Also, I'm not just posting this to start some type of flame war, etc.  I've
been considering building a commercial product based on Debian Linux - its
features to include basic firewalling capabilities.  So, I'd like to begin
some discussion in this list on the merits of using Debian as a firewall -
something beyond just IP Masquerading, etc.

Later,
Kevin Traas

-----Original Message-----
From: john <zaph0d@phawd.com-stock.com>
To: Greg Whalin <gwhalin@numerix.com>
Cc: Firewall list <firewalls@GreatCircle.COM>
Date: Friday, October 31, 1997 10:08 AM
Subject: Re: Linux et al PFs


>I've been hit by about everything, from one time to another. Be it simple
>buffer overflows - SYN or Smurf attacks. And I've seen linux puke under
>conditions that BSD sailed right through. I think that speaks for itself.
>
>Linux isn't anything new to me. Aside from the old SysV/Xenix machines I
>used, it was my first "personal" unix. I have had a lot of experience with
>it in both firewalled and non-firewalled environments. It's a great
>personal work environment. It can't take high stress. I dare you to take a
>Linux 2.X kernel machine - and hit it hard, with a syn attack. It will
>puke, unless you have some serious CPU/Memory.
>
>I've seen attacks hit a FreeBSD 2.2.X machine running on a *486/33* that
>were correctly filtered and everything went on like normal. Similar
>attacks on a Pentium 133 we were using for testing (which now serves as a
>quake server) made it "Kernel Panic - AHHHIIIIEEE" in a matter of about 10
>minutes.
>
>Again, I'm only pointing out, it is just not a very suitable OS for large
>networks, or anything where you're really worried about security. I could
>name off about 10 different bugs - external, and internal, that are default
>with most Slackware/Redhat/Debian installations.
>
>The fact is: Linux is not designed by a group of people intent on making
>a secure OS. It's hacked together, and there is always some new problem
>with it. Be that security holes, kernel bugs, etc.
>
>I'd rather place my bets with something time-tested, and worked on by a
>set group of experienced individuals.
>
>On Fri, 31 Oct 1997, Greg Whalin wrote:
>
>> OK, fine, I can accept that this is your opinion.  Unfortunately,
>> platforms adequate for firewall use should not be based upon opinion, but
>> on fact and/or example.  What situations were you in when your system
>> "cracked".  If you have a linux system that is cracking when put to the
>> test, then I question your ability to set up a "well configured, "stable"
>> machine".  As I have stated, I use several linux servers running on
>> (actual) well configured platforms as corporate firewall systems with
>> heavy network bandwidth demand.  They perform brilliantly every time.  I
>> have zero OS related crashes in over two years of uptime.  In fact, the
>> only crashes I have handled are hardware related.  I would venture a guess
>> as to say that your statements are biased, or uninformed, or quite simply
>> that you are not setting these systems up correctly.
>>
>> I am not here to say that linux is better than any BSD variant.  In fact,
>> I am not even discussing any BSD OS.  I am simply stating that your claims
>> as to the stability, reliability, and performance of linux as a viable
>> firewall platform are wrong and without any basis of fact or example.
>>
>> --------------------
>> Greg Whalin
>> gwhalin@numerix.com
>>
>> On Thu, 30 Oct 1997, john wrote:
>>
>> > Actually, I'm on a Linux 2.0.30 machine right now. I've run linux since
>> > near its inception and I can say it's a nice OS, for a developer. I've
>> > seen it put to the test - and granted - it sometimes runs ok, but far more
>> > times I've seen it croak and die, on well configured, "stable" machines..
>> >
>> > I've been running FreeBSD for all of my commercial applications, be they
>> > serving webpages, or firewalling, and I've been much more impressed with
>> > its stability, sense of security, and in some respects, its performance.
>> >
>> > If I was to ever consider using either of them for something that needed
>> > to be protected, I would choose FreeBSD - no questions asked.
>> >
>> > But I will always love Linux for my home masquerading setup :)
>> >
>> > Not saying one is necessarily better than the other, they both have their
>> > applications. But for firewalling, and packet filtering, BSD definitely has
>> > the edge. In my opinion.
>> >
>> >
>> > On Thu, 30 Oct 1997, Joe Klemmer wrote:
>> >
>> > > On Thu, 30 Oct 1997, john wrote:
>> > >
>> > > > In my experience... with the free OS's, this is what I have to say:
>> > > >
>> > > > Linux is good for low bandwidth situations where setup time is a concern,
>> > > > and reliability isn't an absolute necessity.
>> > > >
>> > > > FreeBSD/OpenBSD/NetBSD etc has proven to generally be reliable in
>> > > > high-stress conditions, but isn't quite as easy to setup.
>> > >
>> > > It must have been a long time since you've looked at Linux, then.
>> > > Its current state is equal or better at networking than the BSDs.
>> > >
>> > > ---
>> > > Microsoft is not the answer.      |      In a World Without Fences,
>> > > Microsoft is the question,        |      Who Needs Gates?
>> > > NO is the answer.                 |      Linux - http://www.linux.org
>> > >
>> > >
>> >
>>
>>
>
>

