LINUX.IE, website of the Irish Linux Users' Group

[ILUG] Firewall Overhead.

David Murphy drjolt+ilug at redbrick.dcu.ie
Tue Jun 27 16:06:56 IST 2000


Quoting <Pine.LNX.4.21.0006271514340.3203-100000 at rossi.itg.ie>
by Paul Jakma <paulj at itg.ie>:

> > Actually no. You said that Linux didn't have stateful firewalling
> > because stateful firewalling didn't belong in kernel space. 

> didn't say that. expressed personal preference to keep things in
> userland where-ever possible. 

> anyway, my comment above doesn't say anything about whether i think
> stateful firewalling should be in kernel or not.

You said:

"The one thing you left out: stateful firewalling by its very nature
needs a lot more resources compared to static rule fw, esp with
respect to memory. so the linux view is probably: 'doesn't belong
in kernel -> belongs in user space' ie a firewalling application."

So you actually said that you thought Linux didn't have stateful
inspection as it didn't belong in kernel space. In fairness, you're
right, you said you believed the Linux kernel developers believed that
stateful inspection didn't belong in the kernel, hence they hadn't put
it in. However, you seem to have changed your opinion of their
opinion:

> > The Linux kernel developers seem to disagree with you.

> good for them. they know better than i do.

No argument here.

> > What did they have on their application proxies?

> not sure. hence the 'anecdotal' tag. it was to allow access to the
> call-logging systems (SQL servers) from customer sites thru leased
> lines. Alta-Vista firewall i don't know much about, other than it
> bolts on top of DU. Don't know how much of it is kernel or how much
> is user space - but it does need a good bit of RAM.

So, we can categorically state that it was a machine, and had RAM in
it. The rest, we don't seem to be so sure about...

> so? draw the parallel fer chrisake..
> 
> squid goes down -> no www access
> userspace firewall goes down -> absolutely no access
> 
> (cause the application is doing the forwarding/proxying. The kernel
> won't forward)

If the kernel isn't forwarding any packets, how are they getting from
the internal interface to the external interface?

> anyway: can you be more specific about that paragraph? i'm curious,
> do you mean Solaris has few features, or that nearly everything is
> dynamically loaded into the kernel, or something else?

Nearly everything is dynamically loaded into the kernel.

-- 
When asked if it is true that he uses his wheelchair as a weapon he will reply:
"That's a malicious rumour. I'll run over anyone who repeats it."
Stephen Hawking - [http://www.smh.com.au/news/0001/07/features/features1.html]
David Murphy - For PGP public key, send mail with Subject: send-pgp-key



