Mailing List Archive
tlug.jp Mailing List tlug archive tlug Mailing List Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]Re: [tlug] iptables - Tools for easy configuration
- Date: Mon, 2 Jul 2007 14:31:33 +0900
- From: "Pietro Zuco" <drzuco@example.com>
- Subject: Re: [tlug] iptables - Tools for easy configuration
- References: <8572e260707010627y2905141ci822b87928a1a10eb@mail.gmail.com> <d8fcc0800707011626x2aad5b99s6e46dbc94a74501d@mail.gmail.com>
On 7/2/07, Josh Glover <jmglov@example.com> wrote:
> That's what I wanted to avoid... > I strongly disagree with iptables front-ends, tools or whatever.
Why? They output a ruleset that you can tweak to your heart's content.
More layers, more abstraction are not good for security, stability and specially for knowledge's sake. Iptables are not so hard to understand, it's not the sendmail.cf and a deep knowledge of what's happening is important. I don't want an admin that don't understand it.
> I think that if someone want to setup a firewall in the easy way there > many tools even with default rules that will match almost every > situation.
Right, so why not use them for the heavy lifting and then worry only about customising special stuff for your site?
I don't know that kind of tools and I will not spend my time learning them. I prefer to use that time playing with GTA. I always try to avoid as much as I can to learn thinks that create a hard dependence with some software, company or whatever.
> 1. That "tools" don't give all the flexibility that iptables gives.
Sure, but nothing stops you from adding that flexibility to the output of the tool.
I still can't see why do I have to use the output of the tool... I don't need that if I know what I'm doing.
> 3. If the admin learn iptables rules he doesn't need to learn any > other rules or syntax of any particular "tool" (Learn Once, Apply > Everywhere and it's not Java ;) )
I hate to say it, but a GUI tool is good for this. No config shite to memorise, just click click click and you have a baseline ruleset.
I see in the opposite direction. Click click click could be enough for a user end system. Maybe we are talking about different scenarios. I'm not talking about the typical desktop in a home connected with the ADSL. I'm talking about firewalls with Linux and specially about iptables in general terms from the administrator point of view. I access to the firewall by a serial port or a ssh connection from the some "secure" segment I don't deal with Gnome to set a rule... well the system doesn't have the X at all.
> 4. The admin only need a terminal to configure it. Many tools need a > graphic environment, or a web server or some scripting language > interpreter installed.
: jmglov@example.com; grep -A 8 '^RDEPEND' \ /usr/portage/net-firewall/firestarter/firestarter-1.0.3.ebuild RDEPEND=">=x11-libs/gtk+-2 >=gnome-base/libgnomeui-2 >=gnome-base/libgnome-2 net-firewall/iptables nls? ( sys-devel/gettext )"
DEPEND="${RDEPEND} dev-util/pkgconfig >=dev-util/intltool-0.21"
For a Gnome desktop, Firestarter looks ideal. I am sure there are ncurses-based tools, as well:
http://freshmeat.net/projects/vuurmuur/
Let's see answer at point 3... I don't care how to see it at Gnome or whatever... I'm not talking about a desktop even.
> 5. Using a tool means that by some way someone can know that the admin > used that "tool" and then try to find some weakness to exploit it.
I agree with this, but again, I am advocating simply using the tool to do the tedious part. You can and should then tweak things for your site.
By this logic, none of us should run Apache; we should all write our own "secure" webservers...
I'm not talking about make a new implementation of Netfilter and a new userland tool to deal with it... I'm just saying that iptables is enough, you can find in almost any distribution, if the admin knows how to configure it, he doesn't depend on third party tools. Using iptables doesn't give my any knowledge beyond the network security and protocols. Programming a Web server force me to know many many more things than just HTTP...
> 6. Tools create an abstraction layer over iptables. Why a network > admin need that kind of abstraction?
See (5).
See point (5) answer ;-)
Why reinvent the wheel? Anyone who has messed with iptables for anything more than just a "deny all, allow SSH" firewall has to write scripts to automate the construction of long chains. Why not use a widely used Open Source script instead; you get the benefit of many eyes making bugs shallow and security flaws more obvious.
It's not reinvent the wheel. It's just using a tool. Iptables is not a programming language interpreter it's only a simple tool created to configure the ruleset in Netfilter... Many eyes are looking for bugs everyday in the Netfilter code, in iptables code and in particular rule configurations... The admin duty is to be informed about that possibilities and to document himself. Sure my rules are not perfect, I can make mistakes, but not all the clients, environments and scenarios are the same. I had to configure systems adhoc for clients and implement the solution based on the scenario. Maybe a tool could b enough, maybe not, but if I have to make a talk about _iptables_ I want to talk about _iptables_ and not about the X funny tool that make my life easy.
What if you screw up in your script and leave a hole in your firewall? Who is reviewing that? No-one, until some cracker comes along and illustrates the hole to you in a sub-optimal (at least from your point of view) way.
That could happen with my script, with the X funny tool, with a bug in Netfilter.... No body is secure enough, only the unplugged machine and even it could be theft...
-Pietro
-- - Pietro Zuco (ピエトロ・ズコ) - - pietro@example.com - Home page: http://www.zuco.org - Photo Blog: http://photo.zuco.org - Linux User: 252836
- Follow-Ups:
- Re: [tlug] iptables - Tools for easy configuration
- From: Josh Glover
- References:
- [tlug] iptables - Tools for easy configuration
- From: Pietro Zuco
- Re: [tlug] iptables - Tools for easy configuration
- From: Josh Glover
Home | Main Index | Thread Index
- Prev by Date: Re: [tlug] Open Source Developers and Users Survey
- Next by Date: Re: [tlug] iptables - Tools for easy configuration
- Previous by thread: Re: [tlug-admin] Re: [tlug] iptables - Tools for easy configuration
- Next by thread: Re: [tlug] iptables - Tools for easy configuration
- Index(es):
Home Page Mailing List Linux and Japan TLUG Members Links