[lug] RH 7.x word of caution

D. Stimits stimits at idcomm.com
Wed Jun 6 14:53:00 MDT 2001


Hugh Brown wrote:
> 
> Good to know.
> 
> Last I heard was that iptables had some major security problems that made
> it ineffective.  Is that still the case?  If so, what alternatives do
> people have if they are running linux 2.4?

You can still run ipchains in 2.4, but I haven't quite figured out how
to do this on all kernels (the config seems a bit convoluted). The
documentation indicates some separate download might be needed, but the
docs also appear to not be entirely up to date. The trick seems to be
how to get the kernel to be enabled for ipchains...the RH default kernel
does it. I thought my configs had this, but it may be the option is not
actually available under menuconfig or xconfig, I might have to add the
config line manually to the .config file...not sure yet.

I am also very interested to find out about these earlier iptables
flaws. This is why I don't use iptables already. That plus the only
thing I want is packet filtering..."stateful inspection" is something I
have no need for (yet). Does anyone here happen to know if earlier
iptables flaws are a problem when using iptables only for packet
filtering?

D. Stimits, stimits at idcomm.com

> 
> Hugh
> 
> "D. Stimits"
> >
> > As it turns out, the /etc/rc.d/init.d/ipchains script on RH 7.1 (and
> > probably anything "2.4.x kernel ready") fails to mention when ipchains
> > is deactivated due to lack of kernel support. If you are booting up, you
> > will not get a failure message from your ipchains startup script when
> > the kernel does not support ipchains. You must manually test it as root
> > via "ipchains -L", and see if it lists rules, or states:
> > ipchains: Incompatible with this kernel
> >
> > After reviewing some logs, and discovering this (despite using current
> > software that is overall configured right), I am tempted to completely
> > fdisk my machine just because I've been running without ipchains
> > (though I thought it was running) for about two weeks now. Anyone using
> > a RH 7.x box with ipchains and any kernel other than the stock supplied
> > RH kernel in the 2.4.x series should manually run "ipchains -L" and test
> > if your ipchains is really active or not.
> >
> > D. Stimits, stimits at idcomm.com
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
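As an added example (not code from the original message, nor from Red Hat's /etc/rc.d/init.d/ipchains script), the following POSIX shell script automates the manual "ipchains -L" check the post recommends and also counts the rules actually listed, since a kernel that accepts ipchains but holds zero rules under an ACCEPT policy is just as open as one with no ipchains at all. The sample ipchains output embedded below is constructed. It assumes, from the 2.4 netfilter tree, that the ipchains compatibility layer is the kernel option CONFIG_IP_NF_COMPAT_IPCHAINS (built as the ipchains module) and that a kernel with it loaded exposes /proc/net/ip_fwchains; both names are assumptions of this example, not statements from the post.

```shell
#!/bin/sh
# Added example: automate the "ipchains -L" sanity check from the post.
# Not from the original message or from Red Hat's init scripts.
# Assumed (2.4 netfilter): the ipchains compatibility layer is
# CONFIG_IP_NF_COMPAT_IPCHAINS and, when loaded, exposes /proc/net/ip_fwchains.

# Constructed sample of "ipchains -L -n" output on a kernel that supports it:
# one DENY rule on the input chain, nothing on forward/output.
SAMPLE_ACTIVE='Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       tcp  ------  0.0.0.0/0            0.0.0.0/0             * -> 23
Chain forward (policy DENY):
Chain output (policy ACCEPT):'

# Constructed sample of what the post describes on an unsupported kernel.
SAMPLE_UNSUPPORTED='ipchains: Incompatible with this kernel'

# Classify the combined stdout/stderr of "ipchains -L -n".
# Prints one of: active, unsupported, missing, unknown.
classify_ipchains_output() {
    case "$1" in
        *"Incompatible with this kernel"*)                  echo unsupported ;;
        *"not found"*|*"No such file"*)                     echo missing ;;
        *"Chain input"*|*"Chain forward"*|*"Chain output"*) echo active ;;
        *)                                                  echo unknown ;;
    esac
}

# Count rule lines in "ipchains -L -n" output: everything that is not a
# "Chain ..." header, a column header, or blank. Zero rules with an ACCEPT
# policy means the host is unfiltered even though the command "works".
count_ipchains_rules() {
    printf '%s\n' "$1" | grep -v -e '^Chain ' -e '^target ' -e '^$' | grep -c .
}

# Does a kernel .config enable the ipchains compatibility layer (y or m)?
# Takes the path to the .config file as its only argument.
has_ipchains_compat_config() {
    grep -q '^CONFIG_IP_NF_COMPAT_IPCHAINS=[ym]' "$1"
}

# Live check, run as root on the box: exit 0 only when ipchains answers
# with a chain listing and at least one rule is present.
check_ipchains() {
    if [ ! -e /proc/net/ip_fwchains ]; then
        echo "warning: /proc/net/ip_fwchains missing, kernel may lack ipchains" >&2
    fi
    out=$(ipchains -L -n 2>&1)
    state=$(classify_ipchains_output "$out")
    rules=$(count_ipchains_rules "$out")
    echo "ipchains: $state, $rules rule(s) listed"
    [ "$state" = active ] && [ "$rules" -gt 0 ]
}

# Usage: sh check-ipchains.sh --check [/usr/src/linux/.config]
# Run it after every reboot into a non-stock kernel, or from cron, since the
# RH 7.1 init script gives no failure message on an unsupported kernel.
if [ "${1:-}" = "--check" ]; then
    if [ -n "${2:-}" ]; then
        if has_ipchains_compat_config "$2"; then
            echo "$2: CONFIG_IP_NF_COMPAT_IPCHAINS enabled"
        else
            echo "$2: CONFIG_IP_NF_COMPAT_IPCHAINS not enabled (rebuild kernel)"
        fi
    fi
    check_ipchains
fi
```

The classifier is kept separate from the live check so the string matching can be exercised without ipchains installed; the live check's non-zero exit status is what a cron job or init script wrapper should act on.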
