netfilter firewalling problems and solutions

Thomas Sutton thsutton at tasmaniac.net
Mon Feb 23 14:54:19 PST 2004


> On another note. I think kernel 2.6 could be considered more secure than 2.4.
> It's shown to have bugs fixed sooner than with 2.4. I'm not sure on the
> numbers for performance and load handling but from the little I've used it
> I'm guessing 2.6 would perform better than 2.4 (under attack conditions). The
> last few months have shown 2.4's maturity hasn't saved it from having serious
> bugs. There are a few sanitized header projects to choose from.. fedora, pdl,
> not sure who else, they should all be equally usable. Kernel 2.6 is also at
> about the same maturity level as glibc-2.3.3, so they would be able to mature
> together. I have no idea how well 2.6 works outside of x86. The PaX patch for
> 2.6 needs more testing on non-x86 before they will say it works. I'm not
> suggesting nptl yet but this would give almost all the pieces so ppl can test
> it if they want (I have never had nptl and pie to work together).
I like the idea of using 2.6. There are a couple of pros and a couple of
cons. Con 1 is that there is (last I heard anyway) still some
uncertainty as to the completeness of the forward-porting of security hole
fixes from 2.4 to 2.6. Weren't there a few that people weren't sure
about? Then there is the whole "it's untested" thing.

On the pro side there is the new device-mapper replacement for
cryptoloop which sounds like a reason in itself if encrypted filesystems
are going to be a non-minor point. It is also likely that, due to many
of the internals being O(1), 2.6 would be more able to withstand both
network and local DoS attacks. Then there is nptl and a few other bits
and pieces.

As security is the goal, I'd have to say "not yet", but I think it
should be a hint (with a very large warning, in triplicate, on it).

Cheers,
Thomas Sutton

More information about the hlfs-dev mailing list