Firewall

Miloslav Trmač mitr at volny.cz
Wed Dec 8 17:19:10 UTC 2010


Curtis Doty wrote on Wed 08. 12. 2010 at 01:02 -0800:
> Monday Miloslav Trmač said:
> 
> > Just disable the firewall and you'll get pretty much equivalent
> > functionality.
> 
> How? Now that the filter table and stateful connection tracking aren't
> modules anymore. They now appear to be built monolithically into the Fedora
> kernel.

a) you trust the in-kernel firewall state connection tracking to track
connection state and handle unexpected packets according to the firewall
configuration.

b) you trust the in-kernel protocol stack (TCP/UDP) to track connection
state and handle unexpected packets according to ordinary rules of the
protocol.

Is there a significant difference?  I don't know.  The protocol stack
code might be more complex and thus more risky; on the other hand, the
firewall state tracking is additional code that is activated only for
the firewall and can also contain bugs.  Yes, there is a difference in
code, but the resulting difference in security seems quite small to me.
	Mirek
