In reply to kevin lyda's flatulent wordings,
> On Mon, Jun 26, 2000 at 05:44:34PM +0100, Smelly Pooh wrote:
> > Um... no, sounds like some blind Linux advocate fabricating bullshit to cover
> > up another Linux shortcoming. Stateful information a memory hog? Excuse me,
> > but the kernel buffers used to hold the tcp/udp data from connections are
> > only orders of magnitude bigger. How did you become such an expert on
> > [snip rant]
>> first of all in your entire ad homein attack this is the only relevant
> argument on your side. it does add a level of complexity that i don't
> think is needed. as paul described one can design a network that doesn't
> need it so i don't see why it should be inflicted on those who don't need
For starters it doesn't add a level of complexity (except maybe at the kernel
level, but I'm talking from the POV of somebody who has to setup a firewall),
stateful firewall rules are shorter and less complex than static firewall
rules. I've already given examples but to reiterate, when you want to write
an output rule, just tell it to keep state and you won't have to consider the
corresponding input rules (especially important for stateless packets such as
UDP), it implicitly blocks a lot of traffic which are legal packets but do not
belong to sessions (no extra complexity, some added security) and a lot of the
implicit rules make it safer (yet again read the DNS UDP example from one of
my previous posts). I don't see where your argument of added complexity comes
from (perhaps you'll care to explain that) when the exact opposite is true.
> and now that i recall you also mentioned that linux's userland packet
> access was inefficient. how do you justify that - do you have any
> benchmarks that demonstrate that?
have a good one with regards to NFR performance. In fact, Linux userspace
packet capture is so bad that NFR refuse to officially support their Linux
port (I could be wrong but I think it's their only unsupported port).
> and my understanding is that the networking folks working on linux have put
> forward a number of versions of firewalling and packet access, so which one
> were you covering? and how would you compare them?
The 2.2.x socket filter and libpcap methods, which are the ones that I refer
to as notoriously crap, and which is the unpatched standard for 2.2.x. In
Linux's defence I'll concede that there's an unofficial patch (also rumoured
to be moving into 2.4.x although I've seen no confirmation of that) called
turbopacket which is purportedly very efficient, no benchmarks however and
definitely not a part of anybody's kernel that I know of.
> i'd be far more interested in a post that covered those points rather
> then some rant.
So would I kevin, but I was only ranting in response to ranting. I hope this
post was more to your liking.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!