Firewall Wizards mailing list archives

Re: PIX sux? (know Stateful vs Application)


From: Darren Reed <darrenr () reed wattle id au>
Date: Thu, 30 Dec 1999 01:34:24 +1100 (EST)

In some email I received from Dom De Vitto, sie wrote:
[...]
Interesting point Shaun, maybe this has something to do with the
first 'firewalls' being commercial products (any comments Marcus?).

I think a lot of the problems the opensource crew have had have been
related to the fact that the goalposts are moving too fast (Linux for
one has different kernel firewalling in v2.0, v2.2 and v2.3 !)

I was surprised and downhearted when I found out that stateful inspection
wasn't available in (v2.2) ipchains.  SI is available in IPFilters,
but they only work with the v2.0 kernel.  The new firewalling in the
v2.3 kernel is a rewrite of the IPchains (with the main author admitting
that a lot of lessons have been learnt).
[...]

Well, you're using the wrong `open-source' operating system for your
firewall, aren't you ? :-)  As much as I don't want to boast too much,
were you using NetBSD or OpenBSD or FreeBSD (or even Solaris !) you
could have already implemented a firewall which does stateful filtering
courtesy of IP Filter.  None of those three have seen any need to reinvent
their firewalling wheel as has Linux in each OS release since it was
first added.  If you need some help checking each of the alternatives
out:
http://www.netbsd.org
http://www.openbsd.org
http://www.freebsd.org
http://coombs.anu.edu.au/~avalon/ip-filter.html

Remember: there is more to open source than Linux so don't confine your
thinking to be that way!

Darren
p.s. that IPFilter is only supported in ye-olde 2.0 kernels (RedHat 4)
is largely due to the fact that goalposts move too often and too much
for me to justify the necessary effort.
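As an added illustration of the stateful filtering Darren refers to (this ruleset is not part of the original post, nor taken from the IP Filter distribution): a minimal ipf.conf for a host with a single interface, assumed here to be called ne0, that lets the host open outbound connections and relies on the state table, rather than on a broad inbound rule, to admit the replies. The interface name and the rule layout are assumptions made for this example.

```conf
# Added example ruleset for IP Filter (ipf.conf); "ne0" is an assumed interface name.
# Default policy: drop anything inbound that no state entry matches, and log it
# so the drops can be reviewed.  IP Filter consults the state table before the
# rule list, so replies to tracked connections never reach this rule.
block in log quick on ne0 all

# Outbound TCP: only the initial SYN needs a rule.  "keep state" records the
# connection, so the returning packets are admitted by the state table.  A
# stateless filter has to admit every inbound packet without the SYN flag to
# get the same effect, which also admits packets that belong to no connection.
pass out quick on ne0 proto tcp from any to any flags S keep state

# UDP and ICMP have no handshake; the state entry is keyed on addresses and
# ports (or ICMP id) and expires on its own.
pass out quick on ne0 proto udp from any to any keep state
pass out quick on ne0 proto icmp from any to any keep state
```

Load it with `ipf -Fa -f /etc/ipf.conf` (flush, then install the new rules) and inspect the live state table with `ipfstat -sl`; the log entries from the `block in log` rule are what you would review to see what the state table did not vouch for.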
