Re: [tlug] iptables - Tools for easy configuration
- Date: Mon, 2 Jul 2007 18:01:17 +0900
- From: "Pietro Zuco" <drzuco@example.com>
- Subject: Re: [tlug] iptables - Tools for easy configuration
- References: <8572e260707010627y2905141ci822b87928a1a10eb@mail.gmail.com> <d8fcc0800707011626x2aad5b99s6e46dbc94a74501d@mail.gmail.com> <8572e260707012231s4c7a5e12n2f34abebf09d9604@mail.gmail.com> <d8fcc0800707020009j457ce185h13e3c0e0bc521d30@mail.gmail.com>
On 7/2/07, Josh Glover <jmglov@example.com> wrote:

> You admit yourself that you use scripts that you have written for this purpose, and I suggest that your scripts are inferior to Firestarter, because the latter has been reviewed by the community, whereas your scripts have not.

Sure, you are right.

> And believe you me, Firestarter is popular enough to have been reviewed by security experts.

I believe.

> No, but they are time-consuming and error-prone to write by hand. That is why all old iptables hands know the "set up a cronjob that runs 'iptables -X' every five minutes until you get your rules right" trick.

Yes, you are right, they are error-prone.

> Yeah, because Firestarter is closed source and the authors can just take it away, right?

No, I just didn't read the web page :-)

> By not spending the literally two seconds to "learn" Firestarter, which is the time it takes to figure out which binary to execute, you are wasting a lot of time writing your scripts and iptables rules by hand, and your sites are *less* secure to boot.

You are right.
> > I still can't see why I have to use the output of the tool... I don't need that if I know what I'm doing.

> No, but you need that if you are a sysadmin. Remember, the goal of the game is to automate yourself right out of a job. The only thing that should interrupt your Slashdot / SecurityFocus / Schneier on Security / Ranum.com reading is your pager letting you know that some k1dd13 has been caught in your honeypot. ;)

Agree.

> Yeah, me too. I just bring up Firestarter a lot because most of the people on this list are not systems or network admins. Firestarter is more topical to them.

I only want to talk about iptables.... Not Firestarter, Firestopper, Fire-whatever, shorewall, stonegate...... just iptables.

> So use one of the ncurses-based tools. The point is to use a popular tool that has been through the review wringer.

Agree.

> Did you click on the http://freshmeat.net/projects/vuurmuur/ link or read the sentence that preceded it?

I didn't, I'm going to...

> If you make mistakes, then your firewall is worthless. If you use a tool to generate the baseline, you can be much more confident that at least the baseline portion will be secure.

Agree.

> Um, I am not suggesting that you talk about "X funny tool" at all. Just use the tool to create a basic ruleset, and *show us* the rules.

That's what I don't want to do. I want to talk about iptables, so the people that are interested in that can learn how to configure it. Only that. I don't want to use _any_ tool. After the people learn how to use iptables, how the syntax works, and so forth, they are ready to look for the best tool that fits their needs. I don't want to teach a child how to write on a computer before showing him how to write by hand.

> Explain them. Explain how to modify them. That is interesting and useful.

Yes, but without any tool, I'm sorry :-)
> Yeah, but it is a question of risk management. Publicly reviewed code and algorithms are more secure than your home-brewed stuff, period. Period. End of discussion.

You are right. I started a project 2 years ago, which was never finished for lack of time and money, to make a "tool" that makes firewall configuration easy...

You are right in your position, Josh, but I have to persist in these points.

1. I wanted to talk about iptables, nothing more, nothing less. For the people that wanted to learn iptables.
2. I strongly recommend for the people that want to start learning firewalls on Linux: it's better to learn iptables _first_ and then use whatever tool they like.
3. My scripts and yours and whoever's are less secure than any tool revised by experts, but my scripts and yours will always be more "flexible" than any one created with an aid tool. I don't mean editing the rules generated by your tool. I mean in general terms: with any kind of GUI, ncurses, whatever, you have a path and only that path. A lot of possibilities, but always a restricted set of configurations.

> I am not saying they are 100% secure, I am saying they are more secure.

You are right ;-)
--
Pietro Zuco (ピエトロ・ズコ)
pietro@example.com
Home page: http://www.zuco.org
Photo Blog: http://photo.zuco.org
Linux User: 252836
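An added example, not code from this thread or from any of the tools it mentions: a POSIX shell script that writes the kind of minimal baseline ruleset Josh asks to see, in iptables-restore format, and applies it with a timed fallback in the spirit of the "cron job until you get your rules right" trick, so that a typo in a hand-written rule does not lock the administrator out of a remote box. The management port (tcp/22), the use of iptables-save/iptables-restore plus at(1) for the fallback instead of cron, and every function name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): emit a minimal default-deny baseline
# ruleset and apply it with a timed fallback. Assumes SSH on tcp/22 is the
# management service and that iptables-save, iptables-restore and at(1) exist.

# Emit the baseline as iptables-restore input on stdout.  $1 = management
# port (default 22).  Default policy on INPUT/FORWARD is DROP; only loopback,
# replies to our own connections and the management port are accepted.
gen_baseline_rules() {
    port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related ICMP errors
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets that claim to belong to a connection the kernel never saw
-A INPUT -m state --state INVALID -j DROP
# management access (new connections only; the rest is caught above)
-A INPUT -p tcp --dport ${port} -m state --state NEW -j ACCEPT
# log what is about to hit the DROP policy, rate-limited so the log cannot be flooded
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Count the rule lines (those starting with "-A") in a ruleset read on stdin.
count_rules() {
    grep -c '^-A '
}

# Apply a ruleset file with a safety net: save the running rules, schedule
# their restoration in $2 minutes (default 5) via at(1), then load the new
# rules.  If the new rules lock the admin out, the job puts the old ones
# back; if the admin can still log in, the job is cancelled with atrm.
apply_with_safety_net() {
    rules_file="$1"; minutes="${2:-5}"
    backup="$(mktemp)" || return 1
    iptables-save > "$backup" || return 1
    job="$(printf 'iptables-restore < %s\n' "$backup" | at "now + ${minutes} minutes" 2>&1)" || return 1
    # if the new ruleset itself fails to load, roll back immediately
    iptables-restore < "$rules_file" || { iptables-restore < "$backup"; return 1; }
    echo "Applied $rules_file; the previous rules return automatically in ${minutes} min."
    echo "Still able to log in? Cancel the fallback: atq, then atrm <job>."
    echo "$job"
}

# When run directly, print the baseline for the port given as the first argument.
if [ "${0##*/}" = "baseline_fw.sh" ]; then
    gen_baseline_rules "${1:-22}"
fi
```

Review the generated text before loading it (`gen_baseline_rules 22 > baseline.rules`, then `apply_with_safety_net baseline.rules 5`); the point of the fallback is that the first load of a hand-written ruleset on a remote host is always reversible without a console.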