Firewall
Curtis Doty
Curtis at GreenKey.net
Fri Dec 10 03:00:38 UTC 2010
Yesterday Miloslav Trma said:
> Curtis Doty wrote on Wed 08. 12. 2010 at 01:02 -0800:
>> Monday Miloslav Trma said:
>>
>>> Just disable the firewall and you'll get pretty much equivalent
>>> functionality.
>>
>> How? Now that the filter table and stateful connection tracking aren't
>> modules anymore. They now appear to be built monolithically into the Fedora
>> kernel.
>
> a) you trust the in-kernel firewall state connection tracking to track
> connection state and handle unexpected packets according to the firewall
> configuration.
>
> b) you trust the in-kernel protocol stack (TCP/UDP) to track connection
> state and handle unexpected packets according to ordinary rules of the
> protocol.
Why must stateful connection tracking be imposed on every Fedora user?
Don't get me wrong. I use netfilter all the time and love it. And it's
good to install the userland iptables tools and a simple firewall by
default. But when I'd like to choose Fedora without it (asymmetric routing
anyone?), I now have to rebuild the kernel. [harumph!]
Was there ever a good reason for making the filter table and conntrack
modules monolithic? They certainly didn't use to be built in...
../C