> [ I know I'm going to get flamed for this, because Linux weenies are
> even more virulent than Amiga weenies used to be, but I can't let
> this pass. ]
Grin.
> > 4) How does Linux measure up against freebsd or bsdi ... I happen to love
> > LINUX but faer it was designed with speed in mind and not security ...
> Not quite -- It was designed with fun in mind, and the quantities of
> speed and security that it offers are largely side effects.
The Linux/FreeBSD firewalls are basically the same code. I wouldn't choose
either for a high security environment.
> above. The average Linux user is a UNIX newbie who sometimes even lacks
> the skills necessary to tighten down a normal UNIX system, let alone a
> firewall. Additionally, *cost* is usually the main factor which steers
> someone into using Linux as a firewall ("Hey! We have a $75 386SX-25
> motherboard; we can put some cheap memory, cheap disk and a cheap
> ethernet card on it and build ourselves a $500 firewall, instead of
> buying two Ciscos and a bastion host! Q00l, eh?").
You miss something important here for all the cheap firewalling camps, if
you only have $500 its better to at least be blocking out people spoofing
local ip addresses remotely and very basic stuff than nothing.
> The end result of this is a network which is "firewalled" (spit!) behind
> a Linux box with some packet filters. By necessity, the Linux box runs
> *actual net-accessible services* (heaven forbid!), which means that the
> filters need gaps -- Hence, the machine is at risk of being compromised
Not always. Those people who set it up right using an old 2Mb 386 a couple
of network cards and no services exist. Very few people do this properly
however.
> The Linux scheduler and VM system is also pathetic enough to make you
> not want to run services on the machine anyway, even though you essentially
> have no choice. When a Linux machine runs a CPU- and IO-intensive
Now this is why people get upset. You've just gone from some serious points
on firewalling issues to rather irrelevant claims. For your benefit Linux 1.3.45
outperforms an equivalent BSD system on paging and context switching quite
materially - lmbench rates the linux 1.3 schedule higher than any other
comparable system. From a firewalling point of view thats not relevant anyway,
as you said yourself you don't run services on a firewall.
> expire run has finished. The only solutions to this problem are to
> either rewrite the scheduler or install massive amounts of memory to
Which was done a measurable number of months ago.
> machine which does nothing but run sendmail, INN and a nameserver). On
> just about any other operating system I can think of, 16Mb is more than
> adequate for that role.
Our servers are happy with INN in 16Mb, they are running more recent setups
that 1.2. That also buys you almost double the IP forwarding performance and
tree based routing with physical layer header caches. Good things for a
router.
> The bottom line is that Linux has not been designed as a firewall -- It
Indeed.
> has been designed as an OS that gets run on a single-user workstation
> (NOT! a server, no matter how many glowing stories Linux advocates tell
> you about its performance -- Linus Torvalds himself admits that the
Sorry.. It works very nicely as a server too.
> Linux kernel's scheduler does not perform well under load). As an OS
Talking about the old 1.2 scheduler.
> performance, and I would recommend it to anyone in that role. However,
> it is not now, nor will it ever be, a firewall.
Yes.
> If you're using Linux as a firewall, you're more or less telling the
> world that you simply don't give a damn about the first two of those
> criteria.
Again this depends. For low security firewalls that are just to keep annoying
students out is great. I wouldn't suggest a high security site use anything
that doesn't have a nice line of security certificates from competent
authorities. There are BTW high security linux firewall packages like the
Mazama one (www.mazama.com) but you pay for those. Linux now also supports
loadable kernel firewall modules for those who want to write the worlds best
firewall.
Alan
Follow-Ups:
|
|
