[Dnsmasq-discuss] Kernel security requirements for a firewall

Brad Morgan b-morgan at concentric.net
Tue Jun 23 21:17:24 BST 2009


I opened my mouth and admitted that my firewall (not a general purpose Linux
machine) is still running Redhat 9. It was built when Redhat 9 was the
latest version available and it was patched religiously until the legacy
project up and died.

There are only a few processes running on that machine, none of which has any
outstanding security vulnerabilities reported against it. It rejects almost
all known ports and the few it doesn't reject are almost all forwarded to
other machines which are kept current. Dnsmasq is one of the processes
running on that machine as it makes sense (to me) for it to be on that
machine.

In my experience, 90% of kernel updates are for new hardware or new feature
support. Once a given kernel version is stable (by which I mean all known
vulnerabilities have been patched, the other 10% of the updates), there's
little to be gained if the new hardware or new features aren't required.

> Running firewalls on outdated kernels is as dangerous as it can get - some
> code injection might disable your firewall and then expose your whole LAN.

> Brad's practice however is misguided in itself.

> He was talking to Brad Morgan, who by his own admission does not install
> kernel updates on his firewall running RH9

Rather than make rash one-line statements about my firewall policies (which
are not the same policies I use on numerous other systems I am responsible
for), please put forth some valid arguments as to why my firewall kernel
(2.4.20-46.9.legacy) is any less secure than one which is running a more
up-to-date kernel version.

I have a database of over 1,000,000 unsuccessful attempts at penetrating my
firewall since it was built. I can also point to numerous firewall
appliances and firewall specific Linux distributions that are still running
a 2.4 kernel. I believe in this application, newer is not always better.

Regards,

Brad
