Mailing List Archive



Re: [tlug] iptables - Tools for easy configuration



On 01/07/07, Pietro Zuco <drzuco@example.com> wrote:

> That's what I wanted to avoid...
> I strongly disagree with iptables front-ends, tools or whatever.

Why? They output a ruleset that you can tweak to your heart's content.

> I think that if someone wants to set up a firewall the easy way there
> are many tools, even with default rules, that will match almost every
> situation.

Right, so why not use them for the heavy lifting and then worry only about customising special stuff for your site?

> 1. Those "tools" don't give all the flexibility that iptables gives.

Sure, but nothing stops you from adding that flexibility to the output of the tool.

> 3. If the admin learns iptables rules he doesn't need to learn any
> other rules or syntax of any particular "tool" (Learn Once, Apply
> Everywhere, and it's not Java ;) )

I hate to say it, but a GUI tool is good for this. No config shite to memorise, just click click click and you have a baseline ruleset.

> 4. The admin only needs a terminal to configure it. Many tools need a
> graphic environment, or a web server, or some scripting language
> interpreter installed.

: jmglov@example.com; grep -A 8 '^RDEPEND' \
/usr/portage/net-firewall/firestarter/firestarter-1.0.3.ebuild
RDEPEND=">=x11-libs/gtk+-2
>=gnome-base/libgnomeui-2
>=gnome-base/libgnome-2
net-firewall/iptables
nls? ( sys-devel/gettext )"

DEPEND="${RDEPEND}
      dev-util/pkgconfig
      >=dev-util/intltool-0.21"

For a Gnome desktop, Firestarter looks ideal. I am sure there are
ncurses-based tools, as well:

http://freshmeat.net/projects/vuurmuur/

> 5. Using a tool means that by some way someone can know that the admin
> used that "tool" and then try to find some weakness to exploit it.

I agree with this, but again, I am advocating simply using the tool to do the tedious part. You can and should then tweak things for your site.

By this logic, none of us should run Apache; we should all write our
own "secure" webservers...

> 6. Tools create an abstraction layer over iptables. Why does a network
> admin need that kind of abstraction?

See (5).

> 7. If someone is responsible for security, I can't understand why
> they need to look for an "easy tool" or something graphic, visual, web based or
> whatever.

See (5).

> With well organized, documented and cleanly programmed scripts it's
> really easy for other people to maintain them.

Why reinvent the wheel? Anyone who has messed with iptables for anything more than just a "deny all, allow SSH" firewall has to write scripts to automate the construction of long chains. Why not use a widely used Open Source script instead; you get the benefit of many eyes making bugs shallow and security flaws more obvious.

What if you screw up in your script and leave a hole in your firewall?
Who is reviewing that? No-one, until some cracker comes along and
illustrates the hole to you in a sub-optimal (at least from your point
of view) way.

Let's move this discussion to the main list and repost these last two;
I think the list at large probably has some interesting opinions on
this subject.

--
Cheers,
Josh
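The two points Josh raises at the end (everyone ends up scripting the construction of long chains, and nobody reviews a hand-written script until a hole is found) can be combined into one habit: generate the ruleset from a short allow-list, then run an automatic review over the generated text before loading it. The script below is an added example written for this archive page; it is not code from this thread, from Firestarter or from vuurmuur. It writes iptables-restore(8) format, which is real, but the port list and the review rules (policy must be DROP, every INPUT accept must be restricted by interface, port or connection state) are assumptions chosen for illustration. Nothing touches the kernel unless you pipe the output into iptables-restore yourself.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables ruleset in
# iptables-restore(8) format from a short allow-list and reviews the result
# for obvious holes before it is loaded. Nothing is applied unless you pipe
# the output into iptables-restore yourself (which needs root on the target).

# Constructed input (assumption): TCP ports this host accepts new connections on.
ALLOW_TCP="22 80 443"

# Emit the ruleset for the given space-separated list of TCP ports.
gen_rules() {
    # Default-deny on INPUT and FORWARD: a forgotten rule fails closed.
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in $1; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Review a ruleset read from stdin. Returns 1 (and explains on stderr) when
# the INPUT policy is not DROP, or when an INPUT rule accepts without
# restricting at least one of interface, destination port or connection state.
# These checks are an assumption about what counts as an obvious hole.
check_rules() {
    status=0
    seen_drop=0
    while IFS= read -r line; do
        case "$line" in
            ':INPUT DROP '*) seen_drop=1 ;;
            '-A INPUT '*'-j ACCEPT')
                case "$line" in
                    *' -i '*|*' --dport '*|*' --state '*) ;;
                    *) echo "review: unconditional accept: $line" >&2; status=1 ;;
                esac ;;
        esac
    done
    [ "$seen_drop" = 1 ] || { echo "review: INPUT policy is not DROP" >&2; status=1; }
    return $status
}

# Usage: generate, review, and only then load (the load step needs root).
#   gen_rules "$ALLOW_TCP" | check_rules && gen_rules "$ALLOW_TCP" | iptables-restore
```

The review step is deliberately dumb: it reads the generated text, not the live kernel tables, so it can run from a cron job or a pre-commit hook on the machine where the script is edited, and it refuses to pass a ruleset that would have loaded fine but exposes every port.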

