LinuxGazette .net and .com have a few interesting articles to share with us: “A Bare-Bones Guide to Firewalls”,
“Firewalling with netfilter/iptables”, “Experiments with Kernel 2.6 on a Hyperthreaded Pentium 4” and “Timers in Linux”. At O’Reilly you can find “Tales of Optimization and Troubleshooting”.
http://kerneltrap.org/node/view/2702
And while on the topic of performance, what kernel hardware-related features/options should be enabled/disabled in kernel configuration (and also during kernel compilation) in order to optimize performance on a Xeon?
Should be entitled “Guide to weak security”. Likely just my 2 schillings, but seems to me even ‘newbified’ tools like http://firestarter.sf.net are easier and offer more — with a GUI to boot!!
Got root?
Indeed. Firestarter was my first attempt at a Linux firewall, and more recently, as I learned to configure iptables myself rule-by-rule, I looked back at the old Firestarter config and found it to be surprisingly secure and well done despite its nearly braindead configuration. I was glad to see that I was in good hands while I was learning it for myself.
For iptables help, try:
http://www.fwbuilder.org/
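To make the "rule-by-rule" configuration the comment above refers to concrete, here is an added example (not code from the thread, from Firestarter or from fwbuilder) that prints the minimal default-deny, stateful ruleset a GUI tool of that era typically generated. It only emits the iptables commands rather than applying them, so it can be reviewed or diffed against a tool-generated script before anything touches the running firewall. The external interface name, the single allowed inbound port and the use of the classic `-m state` match (rather than the later `-m conntrack`) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: emit a minimal default-deny, stateful
# iptables ruleset of the kind a tool like Firestarter generates, written out
# rule by rule. Nothing is applied; the commands are printed for review.
# WAN_IF and ALLOW_TCP_PORTS are constructed assumptions (override via env).

WAN_IF="${WAN_IF:-eth0}"                   # assumed external interface
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22}"   # assumed: only SSH accepted inbound

gen_rules() {
    cat <<EOF
# flush existing rules and set default-deny policies for inbound and forwarded traffic
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback is always trusted
iptables -A INPUT -i lo -j ACCEPT
# replies to connections this host started
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection and are not a valid start of one
iptables -A INPUT -m state --state INVALID -j DROP
EOF
    # one explicit ACCEPT per offered service; everything else stays closed
    for p in $ALLOW_TCP_PORTS; do
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$WAN_IF" "$p"
    done
    cat <<EOF
# rate-limited log, then drop, so refused traffic is visible in syslog without flooding it
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
iptables -A INPUT -j DROP
EOF
}

# sanity check on the generated script: every non-comment line is an iptables
# command and the INPUT chain really does default to DROP
check_rules() {
    gen_rules | grep -v '^#' | grep -vq '^iptables ' && return 1
    gen_rules | grep -q '^iptables -P INPUT DROP$'
}

gen_rules
```

Run it with `sh ruleset.sh > fw.sh`, read `fw.sh`, and compare it with what the GUI tool produced; the point of the exercise is that a secure baseline is only a dozen lines, and every line has a reason that can be stated.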
Jimmy O’Regan has the best author blurb ever.
I think the preempt bug has been fixed, so on desktops (maybe not servers) it should bring smoother performance. There were some horrid instances where people turned X to nice 19, which made X want to preempt other tasks a lot, but now all distros do not re-nice X and have preempt on at the same time. Can anyone else come to the forum here and explain the preempt better than me?

Also, compiling 2.6.6 with the “optimised for size” option, which makes gcc use -Os instead of -O2, makes the image a lot smaller and the system boot faster. This is a good option to use if you want to put a kernel on a floppy or CD-ROM. Also, more of the kernel can be cached with the same amount of memory. I think they should make “optimised for size” replace the -O2.
I just read that pf has been ported to Linux from OpenBSD…
It will probably become the standard packet filter and will replace iptables/ipchains because it runs on just about every other NIX at this point.. HPUX, Solaris, AIX, BSDs, etc.
It has a super easy to use syntax compared to ipchains/iptables and anyone who uses it likes it compared to what is on Linux today.
“It will probably become the standard packet filter and will replace iptables/ipchains because it runs on just about every other NIX at this point.. HPUX, Solaris, AIX, BSDs, etc.
It has a super easy to use syntax compared to ipchains/iptables and anyone who uses it likes it compared to what is on Linux today.”
no. it will not. pf has already been done away with in openbsd and iptables has far more capabilities and native support. its licensing is also stupid. it claims there is a non-existent license like the gnu public license.
no. it will not. pf has already been done away with in openbsd and iptables has far more capabilities and native support.
PF is the only supported packet filter on OpenBSD. Check out their homepage for crying out loud. And you’re seriously misguided to think that the currently favoured packet filter in Linux is more featureful or capable.
its licensing is also stupid. it claims there is a non-existent license like the gnu public license.
Tit for tat I guess, all those people saying that BSD means “berkley systems distribution,” when really it stands for “Berkeley Software Distribution.” Of all the unimportant points to nitpick over, eh?
“PF is the only supported packet filter on OpenBSD. Check out their homepage for crying out loud. And you’re seriously misguided to think that the currently favoured packet filter in Linux is more featureful or capable. ”
oops. ipfilter is the one being ported to linux now, hence my mistake. i wasn't aware of any linux port of pf. pf is pretty good as it is in openbsd. iptables is more feature-rich in linux though.
any inconsistent terminology in a license is a pretty rich legal issue
? Wow cool. What’s your source? Can’t wait for PF though:)