[lug] RH 7.x word of caution
John Hernandez
John.Hernandez at noaa.gov
Wed Jun 6 15:02:45 MDT 2001
"D. Stimits" wrote:
>
> Hugh Brown wrote:
> >
> > Good to know.
> >
> > Last I heard was that iptables had some major security problems that made
> > it ineffective. Is that still the case? If so, what alternatives do
> > people have if they are running linux 2.4?
>
> You can still run ipchains in 2.4, but I haven't quite figured out how
> to do this on all kernels (the config seems a bit convoluted). The
> documentation indicates some separate download might be needed, but the
> docs also appear to not be entirely up to date. The trick seems to be
> how to get the kernel to be enabled for ipchains...the RH default kernel
> does it. I thought my config's had this, but it may be the option is not
> actually available under menuconfig or xconfig, I might have to add the
> config line manually to the .config file...not sure yet.
>
I know this is strange, but you can enable ipchains support by first enabling iptables support, then under the newly expanded tree you'll find ipchains (2.2 style firewall) support.
> I am also very interested to find out about these earlier iptables
> flaws. This is why I don't use iptables already. That plus the only
> thing I want is packet filtering..."stateful inspection" is something I
> have no need for (yet). Does anyone here happen to know if earlier
> iptables flaws are a problem when using iptables only for packet
> filtering?
>
AFAIK, there's no problem with iptables and non-stateful packet filtering in any of the post-beta releases, but you shouldn't take my word for it.
> D. Stimits, stimits at idcomm.com
>
> >
> > Hugh
> >
> > "D. Stimits"
> > >
> > > As it turns out, the /etc/rc.d/init.d/ipchains script on RH 7.1 (and
> > > probably anything "2.4.x kernel ready") fails to mention when ipchains
> > > is deactivated due to lack of kernel support. If you are booting up, you
> > > will not get a failure message from your ipchains startup script when
> > > the kernel does not support ipchains. You must manually test it as root
> > > via "ipchains -L", and see if it lists rules, or states:
> > > ipchains: Incompatible with this kernel
> > >
> > > After reviewing some logs, and discovering this (despite using current
> > > software that is overall configured right), I am tempted to completely
> > > fdisk my machine just because I've been running without ipchains
> > > (thought I thought it was running) for about two weeks now. Anyone using
> > > a RH 7.x box with ipchains and any kernel other than the stock supplied
> > > RH kernel in the 2.4.x series should manually run "ipchains -L" and test
> > > if your ipchains is really active or not.
> > >
> > > D. Stimits, stimits at idcomm.com
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
--
- John Hernandez - Network Engineer - 303-497-6392 -
| National Oceanic and Atmospheric Administration |
| Mailstop R/OM12. 325 Broadway, Boulder, CO 80305 |
----------------------------------------------------
More information about the LUG
mailing list