Radoslaw Stachowiak wrote: [] > I have to use 2.4 due to netfilter. > > after digging in archives it was quite suprising for me that most > 2.4-upgrade reasons were filesystem issues. > > For me Owl, with its security, is perfect match for firewall/router which > extremly needs flexible statefull firewalling code (netfilter) instead > old and feature lacking ipchains. Iptables/netfilter, while has state machine and many features, has it's own bad sides, and the most important one is due to it's statefulness. It need to keep state of *all* connections coming via a host. This may be a huge number, and it is a very good target for various DoS attacks. I played some games with iptables just this week: we too need it's functionality. And I was able to bring network functionality of a box down in several seconds on 10mbps LAN from another machine. This is like a "usual" synflood attack, but worse, since netfilter itself can't use e.g. syncookies to protect against such attacks, and any protocol (incl. UDP and ICMP) may be used, not only TCP. This is not good. There are some ways to protect against this bad behaviour, but those ways aren't very adequate either. One way I know of is to limit number of packets that will create new connection entries. But simple rate limiter does not work good with different timeouts for a new entry for different protocols etc, and there are situations when one need to allow big number of e.g. very short tcp sessions (webserver w/o persistent connections) when new conntrack entries will be removed shortly after being created. Mind you, *all* masquerading etc now requires conntrack module to be loaded (this is done in nat table), and after this module is loaded, it will try to track *all* connections, not only masqueraded ones. Also funny enouth that ipchains module in 2.4 is NOT compatible with 2.2 ipchains firewall: I know at least one difference that is very important for us, it is unability to read packet counters and zero them in one go, atomically (we have traffic accounting based on this, and it will not work with 2.4 kernel, and there is no way to make it work and be *accurate*). /mjt
This archive was generated by hypermail 2.1.3 : Sun Jan 15 2006 - 13:43:16 PST