[geeks] wild article
Rob
rstaab at panix.com
Fri Feb 8 14:12:09 CST 2002
While an interesting idea, the first problem that springs to mind is that
once you now need to do maintenance, change a rule, etc., you have to
bounce the box causing 2 minutes of network downtime. Not good IMHO.
Second problem with this, is that without the swap space, DOS attack are
that much easier since the resources are simple not available to deal with
them. While the author of this paper claims that this is not significantly
worse, I'd been inclined to disagree until I've seen a wroking model hit
with varying levels of attack.
Finally, since only the kernel process is running, all userland processes
are fscked. There goes remote managability unless you intend to rewrite
SSH into a kernel mod. (Another poor idea IMHO.)
This has interesting possibilities in a hardware applicance with boatloads
of memory and a flash rom to store the rulesets. I have just described a
cisco router. :)
It's not a bad idea for a home firewall, however this not a good
production idea.
- Rob
On Fri, 8 Feb 2002, Joshua D Boyd wrote:
> http://www.samag.com/documents/s=1824/sam0201d/0201d.htm
>
> Check that out. Seems kinda far out. I wonder how well it works, and if it
> can be applied to NetBSDs...
>
> Oops, you can't use pppd or rp-pppoe with this method. Oh well. Still looks
> nifty.
>
> --
> Joshua D. Boyd
> _______________________________________________
> GEEKS: http://www.sunhelp.org/mailman/listinfo/geeks
More information about the geeks
mailing list