Re: Firewall

Curtis Doty wrote on Wed 08. 12. 2010 at 01:02 -0800:
> Monday Miloslav Trmač said:
> 
> > Just disable the firewall and you'll get pretty much equivalent
> > functionality.
> 
> How? Now that the filter table and stateful connection tracking aren't
> modules anymore. They now appear to be built monolithic into the Fedora 
> kernel.

a) you trust the in-kernel firewall state connection tracking to track
connection state and handle unexpected packets according to the firewall
configuration.

b) you trust the in-kernel protocol stack (TCP/UDP) to track connection
state and handle unexpected packets according to ordinary rules of the
protocol.

Is there a significant difference?  I don't know.  The protocol stack
code might be more complex and thus more risky, on the other hand the
firewall state tracking is additional code that is activated only for
the firewall and can also contain bugs.  Yes, there is a difference in
code, but the resulting difference in security seems quite small to me.
	Mirek

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


