I opened my mouth and admitted that my firewall (not a general purpose Linux machine) is still running Redhat 9. It was built when Redhat 9 was the latest version available and it was patched religiously until the legacy project up and died.
There are only a few processes running on that machine, none of which has any outstanding security vulnerabilities reported against it. It rejects almost all known ports, and the few it doesn't reject are almost all forwarded to other machines which are kept current. Dnsmasq is one of the processes running on that machine, as it makes sense (to me) for it to be on that machine. In my experience, 90% of kernel updates are for new hardware or new feature support. Once a given kernel version is stable (by which I mean all known vulnerabilities have been patched, the other 10% of the updates), there's little to be gained if the new hardware or new features aren't required.

> Running firewalls on outdated kernels is as dangerous as it can get - some
> code injection might disable your firewall and then expose your whole LAN.
> Brad's practice however is misguided in itself.

> He was talking to Brad Morgan, who by his own admission does not install kernel updates
> on his firewall running RH9

Rather than make rash one-line statements about my firewall policies (which are not the same policies I use on numerous other systems I am responsible for), please put forth some valid arguments as to why my firewall kernel (2.4.20-46.9.legacy) is any less secure than one which is running a more up-to-date kernel version. I have a database of over 1,000,000 unsuccessful attempts at penetrating my firewall since it was built. I can also point to numerous firewall appliances and firewall-specific Linux distributions that are still running a 2.4 kernel. I believe in this application, newer is not always better.

Regards,
Brad
