[ILUG] Firewall Overhead.

[David Murphy]

Quoting <Pine.LNX.4.21.0006271333540.3203-100000 at rossi.itg.ie>
by Paul Jakma <paulj at itg.ie>:

> i'm sure he does. and i never said stateful firewalling wasn't good
> either. i just said that lambasting linux for not having full blown
> stateful firewalling like your $CHOSEN_OS is unjustified.

Actually no. You said that Linux didn't have stateful firewalling
because stateful firewalling didn't belong in kernel space. The Linux
kernel developers seem to disagree with you.

> /anecdotal/ evidence: at compaq they use AS's with Alta Vista
> firewall (stateful) for allowing very limited and controlled access
> by certain customers to certain compaq applications. These machines
> had at least 256MB of RAM.

What did they have on their application proxies?

> > The difference there is that when sendmail goes down, all that
> > happens is mail doesn't get through, when a user space firewall
> > goes down, everything gets through.

> bollocks... 

> if i'm running squid on a firewall, and squid goes down - does that
> mean everyone can now suddenly access web sites directly? no. stop
> spreading FUD.

It should have been clear from the context that he was referring to
your mythical user space stateful inspection firewall, not user space
application proxies.

> if you keep throwing stuff in the kernel you end up with SystemV..

Actually, I daresay you could find more features available in the
Linux kernel and not in a given SysV kernel than vice versa. Besides,
if Solaris is anything to go by, a SysV kernel is less likely to
contain code you're not using than Linux is.

-- 
When asked if it is true that he uses his wheelchair as a weapon he will reply:
"That's a malicious rumour. I'll run over anyone who repeats it."
Stephen Hawking - [http://www.smh.com.au/news/0001/07/features/features1.html]
David Murphy - For PGP public key, send mail with Subject: send-pgp-key