- Date: Sun, 1 Jul 2007 22:27:31 +0900
- From: "Pietro Zuco" <drzuco@example.com>
- Subject: [tlug] iptables - Tools for easy configuration
This is a discussion started on the admin list. I had in mind to give a talk about iptables, but I prefer to give it maybe in September, just to have more time. So Josh asked, "But why is a basic iptables firewall not a Lightning-able subject?"
Josh proposed talking about some tools that make iptables configuration easy, and that matches perfectly for a lightning talk. Actually, I agree with him about that. I mean, "for a lightning talk, explaining the use of some powerful tool to configure it will be perfect." But I gave my own opinion about "tools" to configure iptables, so the discussion continued in that direction, and as Stephen pointed out, it would be better to move it to the main list.
After this introduction I paste the text of the post that started the discussion.
On 6/30/07, Josh Glover wrote:
I think beyond the basic level, people would be better served by using a tool like Firestarter and tweaking the output.
That's what I wanted to avoid... I strongly disagree with iptables front-ends, tools or whatever. I understand that for many people iptables rules can be a little hard to understand, but my talk was not directed at an audience that will get scared by some rules. It was intended for people who were interested in iptables and until now didn't have time to learn it, or just didn't understand it, or just want to start using it.
I think that if someone wants to set up a firewall the easy way, there are many tools, even with default rules, that will match almost every situation. In that case an iptables talk won't be worth the effort. For the people interested in setting up a basic home firewall, maybe a basic networking talk will be enough.
Why do I strongly disagree with the iptables tools or front-ends?
1. Those "tools" don't give all the flexibility that iptables gives.
2. Almost all the distributions have iptables packages, and it's usually installed by default.
3. If the admin learns iptables rules, he doesn't need to learn any other rules or the syntax of any particular "tool" (Learn Once, Apply Everywhere, and it's not Java ;) ).
4. The admin only needs a terminal to configure it. Many tools need a graphic environment, or a web server, or some scripting language interpreter installed.
5. Using a tool means that in some way someone can find out that the admin used that "tool" and then try to find some weakness to exploit in it.
6. Tools create an abstraction layer over iptables. Why does a network admin need that kind of abstraction?
7. If someone is responsible for security, I can't understand why they need to look for an "easy tool" or something graphic, visual, web based or whatever. The responsible person is supposed to have all the technical background necessary to understand the problem and find the solution. I have set up many firewalls. I don't consider myself an iptables guru, and for really complex systems I spent a lot of time listening to the humid dreams of the client, listening to the fantasies of some "admin", listening to my boss's fantasies and psychedelic dreams, and after all that tiring process, the job of setting up the rules didn't take more than 2 hours. So for simple environments it doesn't take more than 30 minutes to set up a basic firewall.
I don't want to be misunderstood. I'm not in the position of some administrators who think that using a heavy and impractical environment determines someone's technical or expertise level. I'm really talking about time, security and flexibility, and until now I think that with a strong understanding of iptables, any tools or front-ends are not really necessary.
I don't know Firestarter. There are hundreds of tools to do it easily; maybe it's really great, but personally I prefer to set up my own rules and scripts.
And as for the opinions that say that using some well-known tool will make it easy for other administrators to continue the maintenance job, I disagree. With well organized, documented and cleanly programmed scripts, it's really easy for other people to maintain them.
--
Pietro Zuco (ピエトロ・ズコ)
pietro@example.com
Home page: http://www.zuco.org
Photo Blog: http://photo.zuco.org
Linux User: 252836
- Follow-Ups:
- Re: [tlug] iptables - Tools for easy configuration
- From: Josh Glover
- Re: [tlug] iptables - Tools for easy configuration
- From: Edward Middleton