[lug] RH 7.x word of caution
kevin at scrye.com
Wed Jun 6 15:04:04 MDT 2001
>>>>> "D" == D Stimits <stimits at idcomm.com> writes:
D> Hugh Brown wrote:
>> Good to know.
>>
>> Last I heard was that iptables had some major security problems
>> that made it ineffective. Is that still the case? If so, what
>> alternatives do people have if they are running linux 2.4?
D> You can still run ipchains in 2.4, but I haven't quite figured out
D> how to do this on all kernels (the config seems a bit
D> convoluted). The documentation indicates some separate download
D> might be needed, but the docs also appear to not be entirely up to
D> date. The trick seems to be how to get the kernel to be enabled for
D> ipchains...the RH default kernel does it. I thought my configs had
D> this, but it may be the option is not actually available under
D> menuconfig or xconfig, I might have to add the config line manually
D> to the .config file...not sure yet.
You can enable one of {ipfwadm/ipchains/iptables}. I suggest you build
them all as modules so you can load/unload them as you please. If you
load the ipchains module, you can't then load ipfwadm or iptables
until you unload ipchains. They should all be in the stock config.
D> I am also very interested to find out about these earlier iptables
D> flaws. This is why I don't use iptables already. That plus the only
D> thing I want is packet filtering..."stateful inspection" is
D> something I have no need for (yet). Does anyone here happen to know
D> if earlier iptables flaws are a problem when using iptables only
D> for packet filtering?
The only "flaw" I know of is that one with the ftp connection
tracking. If you don't allow incoming ftp, or are running 2.4.4 or
2.4.5, you should be fine.
kevin
--
Kevin Fenzi
MTS, tummy.com, ltd.
http://www.tummy.com/ KRUD - Kevin's Red Hat Uber Distribution
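The two points Kevin makes above (the 2.4 firewall module families are mutually exclusive and must be unloaded before switching, and iptables used purely as a packet filter never touches the ftp connection-tracking helper) are illustrated by the following added shell example. It is not code from the original post or from Kevin; it assumes the 2.4-era module names ipchains, ipfwadm, ip_tables, iptable_filter, ip_conntrack and ip_conntrack_ftp, and iptables 1.2-era syntax. The lsmod output it parses is constructed for the example, and it prints the rmmod/modprobe and iptables commands rather than running them, so it can be reviewed on any machine before being applied on a real 2.4 box.

```shell
#!/bin/sh
# Added example, not from the original post. Module names assumed:
# ipchains, ipfwadm, ip_tables (+ iptable_filter, ip_conntrack, ip_conntrack_ftp).

# Constructed sample `lsmod` output: a box currently running ipchains.
SAMPLE_LSMOD_IPCHAINS='Module                  Size  Used by
ipchains               38976   0  (unused)
3c59x                  25344   1  (autoclean)'

# Constructed sample: a box running iptables with conntrack and the ftp helper.
SAMPLE_LSMOD_IPTABLES='Module                  Size  Used by
ip_conntrack_ftp        4128   0  (unused)
iptable_filter          2272   0  (autoclean) (unused)
ip_conntrack           19304   1  [ip_conntrack_ftp]
ip_tables              11840   2  [iptable_filter]
3c59x                  25344   1  (autoclean)'

# Print, one per line, the firewall-family modules present in lsmod text on stdin.
loaded_fw_modules() {
    awk 'NR > 1 && ($1 == "ipchains" || $1 == "ipfwadm" || $1 == "ip_tables" ||
         $1 == "iptable_filter" || $1 == "ip_conntrack" || $1 == "ip_conntrack_ftp") { print $1 }'
}

# Print the commands that move the box to family $1 (ipchains|ipfwadm|iptables),
# reading lsmod text on stdin. Modules of the other families are removed,
# dependents first, because the kernel refuses to load ip_tables while
# ipchains/ipfwadm is registered (and vice versa).
switch_plan() {
    want=$1
    loaded=$(loaded_fw_modules)
    for m in ip_conntrack_ftp iptable_filter ip_conntrack ip_tables ipchains ipfwadm; do
        if printf '%s\n' "$loaded" | grep -qx "$m"; then
            case "$want:$m" in
                iptables:ip_tables|iptables:iptable_filter|iptables:ip_conntrack|iptables:ip_conntrack_ftp) ;;
                ipchains:ipchains|ipfwadm:ipfwadm) ;;   # already the wanted family
                *) echo "rmmod $m" ;;
            esac
        fi
    done
    case $want in
        iptables)         echo "modprobe iptable_filter" ;;   # pulls in ip_tables
        ipchains|ipfwadm) echo "modprobe $want" ;;
    esac
}

# Emit a packet-filter-only ruleset for external interface $1 that accepts new
# inbound TCP only on the ports in $2 (space separated). Replies to outbound
# connections are recognised with "! --syn" instead of "-m state", so neither
# ip_conntrack nor ip_conntrack_ftp is ever loaded and the ftp helper is not in play.
stateless_rules() {
    ext=$1; ports=$2
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $ext -p tcp ! --syn -j ACCEPT"
    for p in $ports; do
        echo "iptables -A INPUT -i $ext -p tcp --syn --dport $p -j ACCEPT"
    done
    # DNS answers to our own queries (no state, so UDP replies need an explicit rule)
    echo "iptables -A INPUT -i $ext -p udp --sport 53 -j ACCEPT"
}

# Demo: plan a move from ipchains to iptables, then print the stateless ruleset.
printf '%s\n' "$SAMPLE_LSMOD_IPCHAINS" | switch_plan iptables
stateless_rules eth0 "22 80"
```

The price of staying stateless is visible in the ruleset: "! --syn" accepts any TCP segment without a lone SYN flag, so ACK-flag probes reach the host and every UDP reply you want (here only DNS) needs its own rule. That is the trade Kevin's "packet filtering only" suggestion implies; on a real box, confirm with `lsmod` that ip_conntrack and ip_conntrack_ftp stay unloaded after the rules are applied.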