[ILUG] Firewall Overhead.
plop at redbrick.dcu.ie
Mon Jun 26 17:44:35 IST 2000
In reply to Paul Jakma's flatulent wordings,
> [snip discussion of static vs stateful firewalling]
> > The 2 free firewall packages I know of that keep state are ipfw (for
> > FreeBSD) and ipfilter (which is surprisingly portable for a packet
> > filter, runs on *BSD, solaris, irix, hpux and even Linux, although
> > from what I hear the Linux version only works with older kernels).
> > Commercial packages like Firewall-1 also keep state.
> the one thing you left out:
> stateful firewalling by its very nature needs a lot more resources
> compared to static rule fw, esp wrt memory. so the linux view is
> probably: 'doesn't belong in kernel -> belongs in user space' ie a
> firewalling application.

Um... no, sounds like some blind Linux advocate fabricating bullshit to cover
up another Linux shortcoming. Stateful information a memory hog? Excuse me,
but the kernel buffers used to hold the tcp/udp data from connections are
only orders of magnitude bigger. How did you become such an expert on
stateful firewalls all of a sudden (didn't you just ask for an explanation of
them an hour ago?). Move a packet filter firewall out to user space? Good
lord, did you think before saying that? Not only has Linux got a notoriously
inefficient userspace packet access implementation (which will result in any
moderately saturated network dropping packets all over the place), I'd say
there might be a few stability implications there (oops my firewall went down
because somebody killed the firewall process or it went past its ulimit
etc.). The linux view that it doesn't belong in the kernel? Not only will
your opinion and those of other "linux rulez" gombeans be the last I'd take on
as "the linux view", but I seriously doubt that the same kernel hackers which
aim to bring us such wonderful kernel bloat as "knfsd" and "khttpd" are going
to sit back, twiddle their thumbs and think... oh dear, stateful firewalling?
Gosh that should be a user app shouldn't it?

> alternatively: run a linux firewall with ipchains + application proxies
> such as squid, caching nameserver, etc.. with the applications configured
> with proper ACLs. (yes they'll still show up in SYN/FIN scans, but so

alternatively: don't run a linux firewall at all. I can't say I'm surprised to
see that you're the first to jump up and make up an excuse for Linux not
supporting an obviously very useful feature (and no doubt a feature that will
make it into the kernel eventually, by which time you'll be pissing praise
about it for all to hear), then coming up with a mediocre "linux" solution
which can be implemented on linux, but also any other platform imaginable,
including aforementioned stateful firewalls, in which state keeping is
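
The exchange above argues about what "keeping state" costs and why a static rule set is weaker. The following toy filter, added here as an illustration and not code from the post or from ipfw, ipfilter or ipchains, shows the difference concretely: a stateless filter has to admit every inbound segment with ACK set so that replies to outbound connections get through, while a stateful one keeps a small per-connection entry and drops anything that matches no entry. The addresses, the packet trace and the 64 KiB socket-buffer figure used for the size comparison are all constructed assumptions, not measurements.

```python
"""Stateless vs. stateful packet filtering, reduced to a replayable toy.

Added example for this page; none of this is from a real firewall. The
traffic trace and the per-socket buffer figure are constructed.
"""
import struct
from dataclasses import dataclass

# TCP flag bits as they appear in the header's flags byte.
SYN, FIN, ACK = 0x02, 0x01, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    direction: str  # "out": leaving the protected net; "in": arriving from outside


class StatelessFilter:
    """Static rules only: each packet is judged on its own header. To let
    replies to outbound connections back in, the rule set must accept any
    inbound segment carrying ACK, which also admits unsolicited ACK-flagged
    segments that belong to no connection at all."""

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            return "accept"
        return "accept" if p.flags & ACK else "drop"


class StatefulFilter:
    """Keeps a table of connections opened from the inside and lets inbound
    segments through only if they match a live entry."""

    # Plausible per-entry layout: two IPv4 addresses, two ports, a state byte
    # and a 32-bit timeout. "!" means standard sizes with no padding.
    ENTRY_FMT = "!4sH4sHBI"

    def __init__(self) -> None:
        self.table: dict = {}  # (inside_ip, inside_port, remote_ip, remote_port) -> state

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if (p.flags & SYN) and not (p.flags & ACK):
                self.table[key] = "SYN_SENT"       # new connection attempt
            elif key in self.table and (p.flags & FIN):
                self.table[key] = "CLOSING"        # inside is shutting down
            return "accept"

        key = (p.dst, p.dport, p.src, p.sport)
        state = self.table.get(key)
        if state is None:
            return "drop"                          # nothing inside asked for this
        if state == "SYN_SENT" and (p.flags & (SYN | ACK)) == (SYN | ACK):
            self.table[key] = "ESTABLISHED"
        elif state == "CLOSING" and (p.flags & FIN):
            del self.table[key]                    # toy simplification: free the slot now
        return "accept"

    def entry_bytes(self) -> int:
        return struct.calcsize(self.ENTRY_FMT)


# Constructed endpoints: a host on the protected net, a web server, and an
# outside host sending an unsolicited ACK-only segment.
INSIDE, REMOTE, OUTSIDER = "10.0.0.5", "198.51.100.7", "203.0.113.9"


def constructed_trace() -> list:
    """One web fetch from inside, an unsolicited inbound ACK in the middle,
    then an orderly close."""
    return [
        Packet(INSIDE, 40000, REMOTE, 80, SYN, "out"),
        Packet(REMOTE, 80, INSIDE, 40000, SYN | ACK, "in"),
        Packet(INSIDE, 40000, REMOTE, 80, ACK, "out"),
        Packet(REMOTE, 80, INSIDE, 40000, ACK, "in"),       # server data
        Packet(OUTSIDER, 12345, INSIDE, 22, ACK, "in"),      # matches no connection
        Packet(INSIDE, 40000, REMOTE, 80, FIN | ACK, "out"),
        Packet(REMOTE, 80, INSIDE, 40000, FIN | ACK, "in"),
    ]


def run_scenario(fw) -> list:
    """Replay the trace through a filter and return the verdicts in order."""
    return [fw.decide(p) for p in constructed_trace()]


def buffer_to_state_ratio(sock_buf_bytes: int = 64 * 1024) -> float:
    """How many state-table entries fit in one socket's buffers. The 64 KiB
    default is an assumed figure for send+receive buffers, not a measurement."""
    return sock_buf_bytes / StatefulFilter().entry_bytes()


if __name__ == "__main__":
    print("stateless:", run_scenario(StatelessFilter()))
    print("stateful: ", run_scenario(StatefulFilter()))
    print("bytes per state entry:", StatefulFilter().entry_bytes())
    print("socket buffers / state entry: %.0f" % buffer_to_state_ratio())
```

The stateless filter accepts all seven packets, including the unsolicited ACK to port 22, because it cannot tell a reply from a probe; the stateful filter drops that one packet and accepts the rest, and its table is empty again once the close completes. The size comparison is the point the post makes in prose: with an entry of 17 bytes, an assumed 64 KiB of per-socket buffering is more than three thousand times larger.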