LINUX.IE, website of the Irish Linux Users' Group
[ILUG] Firewall Overhead.

Paul Jakma paul at clubi.ie
Tue Jun 27 04:20:08 IST 2000


On Mon, 26 Jun 2000, Smelly Pooh wrote:

> In reply to Paul Jakma's flatulent wordings, 
>  
> Um... no, sounds like some blind Linux advocate fabricating
> bullshit to cover up another Linux shortcoming.

wow... we're in a good mood today.

and i'm a linux advocate? yeah i like it (it 'rules' in the
philosophy dept.), but i don't lurk on *BSD/solaris/etc lists flaming
<their_chosen_os> advocates. Also: show me the Unix for every
occasion.

> Stateful information a memory hog?  Excuse me, but the kernel
> buffers used to hold the tcp/udp data from connections are only
> orders of magnitude bigger.

my point exactly, thanks for detailing it for me.

stateful firewall must maintain connections. it must maintain socket
state info (considerable in the case of TCP), might even have to
maintain complete TCP fragments depending on how 'stateful' it is.

static filtering fw doesn't. (once packet is in and out, it's
forgotten).

One needs lots of memory (and bus bandwidth => CPU to match), the
other will happily make do with an old 486.

>  How did you become such an expert on stateful
> firewalls all of a sudden 

sorry to have replied to you....

isn't the point of this list to have discussions, possibly technical,
about linux? if someone is clueless on a technical point then clue
them up with the relevant /technical/ info. The clueless one learns,
and the list learns too. Flaming is useless.

> (didn't you just ask for an explanation
> of them an hour ago?) 

i asked you to explain your statement that lack of stateful filtering
in linux was a problem. 

> Move a packet filter firewall out to user
> space?  Good lord, did you think before saying that?

ermm yes i did... although: guess what all those ip_masq_* modules
do? (and as you mention in a future email, 2.4 will have
ip_conntrack).

but stateful fw is not the be all and end all. imo 99% of the time
you're far far better off running an application proxy. much easier
to maintain.

> Not only has Linux got a notoriously inefficient userspace packet
> access implementation (which will result in any moderately
> saturated network dropping packets all over the place), 

that was definitely true in 2.0. but i think it was fixed up for 2.2.
However it might still not be as good as the filtering in
<your_chosen_os>. !!!!! But then I don't think i made any comparisons
to other OS's. !!!!!!!!

> I'd say there might be a few stability implications there (oops
> my firewall went down because somebody killed the firewall
> process or it went past its ulimit etc.).

ROFL!!!

<sarcasm>

good point.... must see if we can get eric allman to release a
'sendmail' kernel patch, can't have email going down now can we. (let
me guess, you're a System V advocate aren't you?).

[root at hibernia mail]# uname -s
Linux-Sendmail-Squid

</sarcasm>

yeah, let's put it in kernel for stability reasons. Even better,
let's run DOS/Win3.1 (much much faster than Unix/linux) that must be
super stable.

> The linux view that it doesn't belong in the kernel?  Not only
> will your opinion and those of other "linux rulez" gombeans be
> the last I'd take on as "the linux view", 

please don't. go to linux-kernel instead...

> but I seriously doubt that the same kernel hackers which aim to
> bring us such wonderful kernel bloat as "knfsd" and "khttpd" are

your favourite unix implements nfsd where?

khttpd: yes, it's a bit silly - but implemented to counter IIS
benchmarks (which has kernel help in NT allegedly). probably better
solution is to replace apache with a smaller/faster httpd. (phttpdd?)

> going to sit back, twiddle their thumbs and think... oh dear,
> stateful firewalling? Gosh that should be a user app shouldn't
> it?

ermmm:

linux with ipchains running:

sendmail+squid+caching named == stateful firewalling as far as
smtp, http and dns are concerned. 

no?

> alternatively: don't run linux firewall at all, I can't say I'm
> surprised to see that you're the first to jump up and make up an
> excuse for Linux not supporting an obviously very useful feature

go write an ip_masq_ module... 

> (and no doubt a feature that will make it into the kernel
> eventually, by which time you'll be pissing praise about it for
> all to hear), then coming up with a mediocre "liunx" solution
> which can be implemented on linux, but also any other platform
> imaginable, including aforementioned stateful firewalls, in which
> state keeping is optional.

nurse... i think someone's spiked his IV.

regards,
-- 
Paul Jakma	paul at clubi.ie
PGP5 key: http://www.clubi.ie/jakma/publickey.txt
-------------------------------------------
Fortune:
I THINK MAN INVENTED THE CAR by instinct.
		-- Jack Handley, The New Mexican, 1988.

Note: i wrote this at 1900, but now at 0410 i see poo has calmed
down and posted some rational stuff.
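The memory-versus-state trade-off argued over in this thread, as an added example that is not part of the original post or of any ipchains/ip_conntrack code: a static filter keeps nothing between packets and can only approximate "established" by looking at the ACK bit, while a connection tracker pays one table entry per flow and in return rejects inbound packets that match no known connection. The 10.x.x.x "inside" convention, the addresses and the flag strings are constructed for the demonstration.

```python
# Added example: minimal model of stateless vs stateful filtering.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")  # flags e.g. "S", "SA", "A", "FA"

def is_inside(ip):
    """Constructed convention: 10.x.x.x is the protected network."""
    return ip.startswith("10.")

def static_filter(pkt):
    """ipchains-style rule set with no memory: outbound always allowed,
    inbound allowed only when the ACK bit is set (the '! -y' idiom), which
    approximates 'established' without tracking anything."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return True
    return is_inside(pkt.dst) and "A" in pkt.flags

class StatefulFilter:
    """Connection tracker in the spirit of ip_conntrack: an inbound packet
    is admitted only if the reverse of its 4-tuple is already in the table.
    Closing is simplified to 'first FIN frees the entry'; a real tracker
    waits for both sides and uses timeouts."""
    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) -> state string

    def accept(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            key = fwd if fwd in self.table else rev
            if "F" in pkt.flags:          # connection closing: free the entry
                del self.table[key]
            elif "A" in pkt.flags:
                self.table[key] = "ESTABLISHED"
            return True
        if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.flags == "S":
            self.table[fwd] = "SYN_SENT"  # each new outbound flow costs one entry
            return True
        return False                      # unsolicited inbound, whatever its flags

def demo():
    """Run one outbound HTTP flow plus one forged inbound ACK through both filters."""
    sf = StatefulFilter()
    syn = Packet("10.0.0.5", 40000, "192.0.2.10", 80, "S")
    synack = Packet("192.0.2.10", 80, "10.0.0.5", 40000, "SA")
    forged = Packet("192.0.2.99", 6667, "10.0.0.5", 40001, "A")  # matches no flow
    fin = Packet("10.0.0.5", 40000, "192.0.2.10", 80, "FA")
    results = {
        "syn": (static_filter(syn), sf.accept(syn)),
        "synack": (static_filter(synack), sf.accept(synack)),
        "forged_ack": (static_filter(forged), sf.accept(forged)),  # static lets it in
        "entries_before_fin": len(sf.table),
    }
    sf.accept(fin)
    results["entries_after_fin"] = len(sf.table)
    return results
```

The forged ACK case is the concrete gap the quoted poster was pointing at; the table length is the per-connection cost Paul is pointing at.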