[ILUG] Firewalls... linux -v- BSD
paul at clubi.ie
Tue Aug 29 22:20:14 IST 2006
On Tue, 29 Aug 2006, Lisa Muir wrote:
> material, most from the BSD world, making statements about pf being
> much better than iptables because of stateful inspection etc.
Arg.
Stateful firewalling is *stupid*. To have state as a goal is *brain
dead*. We need a campaign to drum this into people's heads, as has been
done for "NAT is evil".
Filtering TCP requires 0 state. Bear this in mind when you hear
insanely mental people harp on about firewall-state-syncing solutions
which can *never* work 100% reliably.
And let's say nothing about some of the *incredibly* dumb firewalls
which can not be restarted without breaking ongoing TCP connections
due to being so stupid as to try to validate window sizes (hallo some
BSD ipfilter - FreeBSD possibly).
"Stateful filtering of TCP is evil"
(and yes, I *did* have to deal with connectivity problems due to dumb
firewalling yet *again* today. There ought to be a requirement to
force people to obtain a certificate in:
"Path MTU discovery, and the role of ICMP in it."-ology
from the Online University of IP before anyone is allowed to go near
a firewall).
regards,
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
Fortune:
Fry: What's with the eye?
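The "zero state" TCP filtering and the ICMP point above, worked through as an added example (editor's illustration, not code from Paul's post or from any of the firewalls it mentions). Every verdict is derived from the single packet in hand, so there is no connection table to synchronise between firewalls or to lose on restart. Assumptions: only ports 22 and 80 accept new inbound connections, the packets are constructed inline with RFC 5737 documentation addresses, and the header parsing is deliberately minimal (IPv4 only, no checksum or option handling).

```python
import struct
from dataclasses import dataclass

# TCP flag bits (low 9 bits of the data-offset/flags word)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Assumed policy: services this host offers to the outside.
ALLOWED_SERVICES = {22, 80}


@dataclass
class Verdict:
    action: str   # "ACCEPT" or "DROP"
    reason: str


def parse_ipv4(packet: bytes):
    """Return (protocol, src, dst, transport payload) from a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    return proto, packet[12:16], packet[16:20], packet[ihl:]


def filter_inbound(packet: bytes) -> Verdict:
    """Stateless inbound policy.

    Each decision uses only this packet's headers; nothing is remembered
    between packets, so nothing needs syncing and a restart loses nothing.
    """
    proto, _src, _dst, payload = parse_ipv4(packet)

    if proto == 6:  # TCP
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        flags = off_flags & 0x01FF
        if flags & SYN and not flags & ACK:
            # A bare SYN is the only thing that opens a new connection.
            if dport in ALLOWED_SERVICES:
                return Verdict("ACCEPT", f"new connection to port {dport}")
            return Verdict("DROP", f"SYN to non-offered port {dport}")
        # Any other segment (ACK set, RST, FIN) can only matter to a
        # connection the local TCP stack already has; the stack itself
        # rejects segments that match nothing, so the filter needs no table.
        return Verdict("ACCEPT", "non-SYN TCP segment")

    if proto == 1:  # ICMP
        icmp_type, icmp_code = payload[0], payload[1]
        if icmp_type == 3 and icmp_code == 4:
            # Fragmentation Needed: dropping this breaks Path MTU discovery.
            return Verdict("ACCEPT", "ICMP fragmentation needed (PMTUD)")
        if icmp_type in (3, 11):
            return Verdict("ACCEPT", "ICMP error message")
        return Verdict("DROP", f"ICMP type {icmp_type} not permitted")

    return Verdict("DROP", f"protocol {proto} not permitted")


# --- constructed sample packets (not captured traffic) ---

def build_packet(proto: int, transport: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero) plus transport bytes."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0,
                         64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return header + transport


def tcp_segment(sport: int, dport: int, flags: int) -> bytes:
    """TCP header with data offset 5 (no options) and the given flags."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)


def icmp_message(icmp_type: int, icmp_code: int) -> bytes:
    return struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)


if __name__ == "__main__":
    samples = {
        "SYN to ssh":             build_packet(6, tcp_segment(40000, 22, SYN)),
        "SYN to port 8080":       build_packet(6, tcp_segment(40000, 8080, SYN)),
        "SYN/ACK reply from web": build_packet(6, tcp_segment(80, 40000, SYN | ACK)),
        "ICMP frag-needed":       build_packet(1, icmp_message(3, 4)),
        "ICMP redirect":          build_packet(1, icmp_message(5, 0)),
    }
    for name, pkt in samples.items():
        v = filter_inbound(pkt)
        print(f"{name:24s} -> {v.action:6s} ({v.reason})")
```

The third sample is the return half of a connection this host opened outbound; it is accepted because SYN and ACK are both set, not because any table says the connection exists. The same rules in iptables terms are `iptables -A INPUT -p tcp ! --syn -j ACCEPT` for established segments and `iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT` for PMTUD, neither of which touches conntrack.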