Yesterday Miloslav Trmač said:
> Curtis Doty writes on Wed 08. 12. 2010 at 01:02 -0800:
> > Monday Miloslav Trmač said:
> >
> >> Just disable the firewall and you'll get pretty much equivalent
> >> functionality.
> >
> > How? Now that the filter table and stateful connection tracking aren't
> > modules anymore. They now appear to be built monolithic into the Fedora
> > kernel.
> a) you trust the in-kernel firewall state connection tracking to track
> connection state and handle unexpected packets according to the firewall
> configuration.
> b) you trust the in-kernel protocol stack (TCP/UDP) to track connection
> state and handle unexpected packets according to ordinary rules of the
> protocol.
Why must stateful connection tracking be imposed on every Fedora user?
Don't get me wrong. I use netfilter all the time and love it. And it's
good to install the userland iptables tools and a simple firewall by
default. But when I'd like to choose Fedora without it (asymmetric routing
anyone?), I now have to rebuild the kernel. [harumph!]
Was there ever a good reason for making the filter table and conntrack
modules monolithic? They certainly didn't used to be built in...
../C
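To check the claim in this thread on your own kernel, the following script (an added example, not from the thread or from Fedora) reads a kernel .config listing and reports whether the filter table and connection tracking are built in (=y), loadable modules (=m), or absent; the sample config embedded in it is constructed.

```shell
#!/bin/sh
# Added example: classify how the netfilter pieces discussed in the thread
# are built into a kernel, from the text of a kernel .config.
# =y means monolithic (rmmod cannot remove it), =m means a loadable module.

# nf_build_type CONFIG_TEXT CONFIG_SYMBOL -> builtin | module | absent
nf_build_type() {
    case "$(printf '%s\n' "$1" | sed -n "s/^$2=\([ym]\)$/\1/p")" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo absent ;;
    esac
}

# Report the two pieces the thread is about (filter table, conntrack)
# plus the top-level netfilter switch they both depend on.
nf_report() {
    cfg="$1"
    for opt in CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_IP_NF_FILTER; do
        printf '%s=%s\n' "$opt" "$(nf_build_type "$cfg" "$opt")"
    done
}

# Constructed sample: conntrack and the filter table built in (=y), as the
# thread describes for the Fedora kernel; REJECT target as a module.
SAMPLE_CFG='CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_NF_CONNTRACK_IPV6 is not set'

nf_report "$SAMPLE_CFG"

# Same check against the running kernel, if its config is installed
# where Fedora puts it.
if [ -r "/boot/config-$(uname -r)" ]; then
    nf_report "$(cat "/boot/config-$(uname -r)")"
fi
```

Where the report shows `builtin`, the only way to drop the code is the kernel rebuild the thread complains about; a `module` result means it could be unloaded once no rules reference it.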