> I have discussed. I offer as
> evidence of the continued existence of these potential flaws, the
> eternal <defunct> processes that still exist even in modern versions of
Why are these a problem? You have to store the exit status for a dead
process somewhere, and you can't reuse the process-id until the parent's
picked it up, so why *not* use an empty process structure?
> Sure - the defunct process problem, the failed logging problem that
> results from resource exhaustion, the problem with NFS pointed to above,
If you run NFS on your firewall you're already dead.
> Even when a file system cache error causes a block of the deny
> file to be read as a block of the allow file?
I have never heard of this sort of error happening on any UNIX file system,
> Yes, this sort of behavior
> has been detected under certain versions of NFS and Novell and has been
> published for some time.
NFS is not a UNIX file system, and neither is Novell. They are network file
systems. If your firewall is depending on the security of network resources
it's not a firewall at all.
(if you really want to know why NFS isn't a UNIX file system, mail me under