Re: [tlug] iptables - Tools for easy configuration

["Josh Glover" <jmglov@example.com>]

On 02/07/07, Pietro Zuco <drzuco@example.com> wrote:

> More layers, more abstraction are not good for security, stability and
> specially for knowledge's sake.

I am not talking about abstraction here, I am talking about using
tools to generate a baseline that you then modify to suit your needs.

You admit yourself that you use scripts that you have written for this
purpose, and I suggest that your scripts are inferior to Firestarter,
because the latter has been reviewed by the community, whereas your
scripts have not. Therefore, I would not trust your scripts-or my
scripts, for that matter--to not be riddled with security holes. And
that means that your firewall is not as good as one generated by
Firestarter.

And believe you me, Firestarter is popular enough to have been
reviewed by security experts.

> Iptables are not so hard to understand,

No, but they are time-consuming and error-prone to write by hand. That
is why all old iptables hands know the "set up a cronjob that runs
'iptables -X' every five minutes until you get your rules right"
trick.

> it's not the sendmail.cf and a deep knowledge of what's
> happening is important.
> I don't want an admin that don't understand it.

Sendmail is actually a great example, because no one in his right mind
would write a sendmail.cf manually. But you'd better be able to
understand a sendmail.cf when you read it.

Any admin that understands iptables rulesets certainly has the
knowledge to build one, but I think, like LFS or Gentoo Stage 1, it is
a complete waste of time except as a learning exercise, which you do
once.

> I don't know that kind of tools and I will not spend my time learning
> them. I prefer to use that time playing with GTA. I always try to
> avoid as much as I can to learn thinks that create a hard dependence
> with some software, company or whatever.

Yeah, because Firestarter is closed source and the authors can just
take it away, right?

Oh wait... wrong.

By not spending the literally two seconds to "learn" Firestarter,
which is the time it takes to figure out which binary to execute, you
are wasting a lot of time writing your scripts and iptables rules by
hand, and your sites are *less* secure to boot.

> I still can't see why do I have to use the output of the tool... I
> don't need that if I know what I'm doing.

No, but you need that if you are a sysadmin. Remember, the goal of the
game is to automate yourself right out of a job. The only thing that
should interrupt your Slashdot / SecurityFocus / Schneier on Security
/ Ranum.com reading is your pager letting you know that some k1dd13
has been caught in your honeypot. ;)

> I'm talking about firewalls with Linux and specially about iptables in
> general terms from the administrator point of view.

Yeah, me too. I just bring up Firestarter a lot because most of the
people on this list are not systems or network admins. Firestarter is
more topical to them.

> I access to the firewall by a serial port or a ssh connection from the
> some "secure" segment I don't deal with Gnome to set a rule... well
> the system doesn't have the X at all.

So use one of the ncurses-based tools. The point is to use a popular
tool that has been through the review wringer.

> > For a Gnome desktop, Firestarter looks ideal. I am sure there are
> > ncurses-based tools, as well:
> >
> > http://freshmeat.net/projects/vuurmuur/
>
> Let's see answer at point 3... I don't care how to see it at Gnome or
> whatever... I'm not talking about a desktop even.

Did you click on the http://freshmeat.net/projects/vuurmuur/ link or
read the sentence that preceded it?

> Sure my rules are not perfect, I can make mistakes, but not all the
> clients, environments and scenarios are the same. I had to configure
> systems adhoc for clients and implement the solution based on the
> scenario.

If you make mistakes, then your firewall is worthless. If you use a
tool to generate the baseline, you can be much more confident that at
least the baseline portion will be secure.

> Maybe a tool could b enough, maybe not, but if I have to make a talk
> about _iptables_ I want to talk about _iptables_ and not about the X
> funny tool that make my life easy.

Um, I am not suggesting that you talk about "X funny tool" at all.
Just use the tool to create a basic ruleset, and *show us* the rules.
Explain them. Explain how to modify them. That is interesting and
useful.

> > What if you screw up in your script and leave a hole in your firewall?
> > Who is reviewing that? No-one, until some cracker comes along and
> > illustrates the hole to you in a sub-optimal (at least from your point
> > of view) way.
>
> That could happen with my script, with the X funny tool, with a bug in
> Netfilter.... No body is secure enough, only the unplugged machine and
> even it could be theft...

Yeah, but it is a question of risk management. Publicly reviewed code
and algorithms are more secure than your home-brewed stuff, period.
Period. End of discussion.

I am not saying they are %100 secure, I am saying they are more secure.

BTW, I do not necessarily think you are wrong here, but my POV is
quite different. Which gives me an idea... stay tuned!

--
Cheers,
Josh