[ale] stateful firewall?

John Wells jbwellsiv at yahoo.com
Wed Oct 17 08:30:19 EDT 2001


I've been working for the past day or so on setting up
ipchains to use as my company's firewall.  Then one of
our senior IT guys came by and said "Linux boxes don't
make firewalls.  They make good proxies, but not
firewalls.  Linux has no stateful firewalls".

Ok.  I'm a programmer, not an IT OP guy, but I'm one
of the few people around here who know *nix (we're
primarily a windows shop).  One of the things I and a
few other developers around here have been trying to
do is make as many excuses for Linux boxes as
possible.  The senior IT guy wants us to wait for a
Solaris box from corporate.

I know in Bob Toxen's book it's mentioned that the 2.4
kernel provides a stateful firewall capability called
NETFILTER.  Has anyone had any experience with this?
Good/bad?  Is it stable enough to use in a production
environment?

If it is stable enough, we have installed RH 7.1,
which uses the 2.4, so we're good to go.  However, the
IT guy also seems to think that all linux
distributions have too many holes (with the exception
of the NSA's distribution, which he mentioned in
passing).  It was my impression that I could disable
pretty much every service on the box (with the
exception of those that *have* to be running to
function as a firewall) and we'd be pretty secure.  Is
this not the case?

Ok, final question.  Assuming NETFILTER is *not* ready
for production, are there any open source stateful
firewalls that are?

Thanks!
John


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
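As an added illustration (this is not part of John's post or anything from the ALE list), here is the kind of ruleset that answers the "Linux has no stateful firewalls" claim for a 2.4 kernel: netfilter's connection tracking lets you accept replies with `--state ESTABLISHED,RELATED` and admit `NEW` connections only where you list them, which ipchains could not express. The same script also covers the second question in the post (checking which services the box still exposes once everything non-essential is turned off). Interface names eth0/eth1, the LAN 192.168.1.0/24 and the admin host 192.168.1.10 are placeholder assumptions; override them through the environment.

```shell
#!/bin/sh
# Added example: a minimal stateful ruleset for a 2.4-kernel netfilter box.
# The interface names and addresses below are assumed placeholders.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
ADMIN_HOST=${ADMIN_HOST:-192.168.1.10}

# Emit the ruleset in iptables-restore(8) format. Printing it instead of
# applying it directly lets you review (and diff) it before it goes live.
stateful_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always fine
-A INPUT -i lo -j ACCEPT
# packets conntrack cannot classify (bad TCP flags, no known stream)
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# replies to traffic this box or the LAN initiated: the stateful part
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# NEW connections are accepted only where explicitly listed
-A INPUT -i $LAN_IF -s $ADMIN_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# rate-limited ping from outside so the link is still diagnosable
-A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# log what the policy is about to drop, then drop it
-A INPUT -j LOG --log-prefix "fw-drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# Cheap syntax check before iptables-restore sees the file: every
# non-comment line must be a table header, a chain policy, a rule or COMMIT.
# Returns 0 when the ruleset passes, 1 when a stray line is found.
check_ruleset() {
    stateful_ruleset | grep -v '^#' \
      | grep -v -E '^(\*[a-z]+|:[A-Z]+ (ACCEPT|DROP) \[0:0\]|-A [A-Z]+ .*|COMMIT)$' \
      && return 1
    return 0
}

# True when the running kernel exposes a connection-tracking table
# (/proc/net/ip_conntrack on 2.4, nf_conntrack on later kernels).
conntrack_available() {
    [ -r /proc/net/ip_conntrack ] || [ -r /proc/net/nf_conntrack ]
}

# List the TCP/UDP listeners the box still exposes. On a dedicated
# firewall this should be close to empty apart from sshd.
listening_services() {
    if command -v netstat >/dev/null 2>&1; then
        netstat -tuln 2>/dev/null | awk 'NR>2 {print $1, $4}'
    elif command -v ss >/dev/null 2>&1; then
        ss -tuln 2>/dev/null | awk 'NR>1 {print $1, $5}'
    fi
}

# iptables-restore loads the table atomically, so a rejected file leaves
# the old rules in place rather than a half-applied set.
apply_ruleset() {
    check_ruleset || { echo "ruleset failed syntax check" >&2; return 1; }
    conntrack_available || { echo "no conntrack table in /proc/net" >&2; return 1; }
    stateful_ruleset | iptables-restore
}

case "${1:-}" in
    apply)  apply_ruleset ;;
    audit)  listening_services ;;
    *)      stateful_ruleset ;;
esac
```

Run it with no arguments to review the rules, `audit` to see what is still listening, and `apply` (as root) to load them; the `LOG` line in front of the final `DROP` is what gives you the syslog evidence you need when a rule turns out to be too tight.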
