
Re: fully transparent ftp-proxy?



On Wed, Oct 30, 2002 at 10:38:09PM +0000, Roy Badami wrote:
> 
>    Uh well, this sounds like a massive performance penalty... I don't think I
>    like that.
> 
> More massive than sending your data through a userland daemon? 
YES YES YES and YES.
it only affects ftp, while a second table of half-baked state entries
affects EACH and EVERY packet flowing through the firewall which doesn't
match an existing state.
> If you
> don't use this facility then the performance impact will be
> negligible.
nonsense. it's one lookup in the second table for EACH and EVERY packet
flowing through the firewall which does not match an existing state.
> And if it's functionality that you need, then (like
> ftp-proxy) surely the CPU cost is worth the benefit?
no.
ftp handling is fine as it is. it belongs in userland as it is.
you do not understand the security implications. read about the recent vulns
in packet filtering packages that have (WRONG WRONG WRONG)
in-kernel ftp connection tracking.