Re: [tlug] iptables - Tools for easy configuration

["Pietro Zuco" <drzuco@example.com>]

On 7/2/07, Josh Glover <jmglov@example.com> wrote:

> > That's what I wanted to avoid...
> > I strongly disagree with iptables front-ends, tools or whatever.
>
> Why? They output a ruleset that you can tweak to your heart's content.

More layers, more abstraction are not good for security, stability and
specially for knowledge's sake. Iptables are not so hard to
understand, it's not the sendmail.cf and a deep knowledge of what's
happening is important.
I don't want an admin that don't understand it.

> > I think that if someone want to setup a firewall in the easy way there
> > many tools even with default rules that will match almost every
> > situation.
>
> Right, so why not use them for the heavy lifting and then worry only
> about customising special stuff for your site?

I don't know that kind of tools and I will not spend my time learning
them. I prefer to use that time playing with GTA. I always try to
avoid as much as I can to learn thinks that create a hard dependence
with some software, company or whatever.

> > 1. That "tools" don't give all the flexibility that iptables gives.
>
> Sure, but nothing stops you from adding that flexibility to the output
> of the tool.

I still can't see why do I have to use the output of the tool... I
don't need that if I know what I'm doing.

> > 3. If the admin learn iptables rules he doesn't need to learn any
> > other rules or syntax of any particular "tool" (Learn Once, Apply
> > Everywhere and it's not Java ;) )
>
> I hate to say it, but a GUI tool is good for this. No config shite to
> memorise, just click click click and you have a baseline ruleset.

I see in the opposite direction.
Click click click could be enough for a user end system.
Maybe we are talking about different scenarios. I'm not talking about
the typical desktop in a home connected with the ADSL.
I'm talking about firewalls with Linux and specially about iptables in
general terms from the administrator point of view.
I access to the firewall by a serial port or a ssh connection from the
some "secure" segment I don't deal with Gnome to set a rule... well
the system doesn't have the X at all.

> > 4. The admin only need a terminal to configure it. Many tools need a
> > graphic environment, or a web server or some scripting language
> > interpreter installed.
>
> : jmglov@example.com; grep -A 8 '^RDEPEND' \
>  /usr/portage/net-firewall/firestarter/firestarter-1.0.3.ebuild
> RDEPEND=">=x11-libs/gtk+-2
>        >=gnome-base/libgnomeui-2
>        >=gnome-base/libgnome-2
>        net-firewall/iptables
>        nls? ( sys-devel/gettext )"
>
> DEPEND="${RDEPEND}
>        dev-util/pkgconfig
>        >=dev-util/intltool-0.21"
>
> For a Gnome desktop, Firestarter looks ideal. I am sure there are
> ncurses-based tools, as well:
>
> http://freshmeat.net/projects/vuurmuur/

Let's see answer at point 3... I don't care how to see it at Gnome or
whatever... I'm not talking about a desktop even.

> > 5. Using a tool means that by some way someone can know that the admin
> > used that "tool" and then try to find some weakness to exploit it.
>
> I agree with this, but again, I am advocating simply using the tool to
> do the tedious part. You can and should then tweak things for your
> site.
>
> By this logic, none of us should run Apache; we should all write our
> own "secure" webservers...

I'm not talking about make a new implementation of Netfilter and a new
userland tool to deal with it...
I'm just saying that iptables is enough, you can find in almost any
distribution, if the admin knows how to configure it, he doesn't
depend on third party tools.  Using iptables doesn't give my any
knowledge beyond the network security and protocols.
Programming a Web server force me to know many many more things than
just HTTP...

> > 6. Tools create an abstraction layer over iptables. Why a network
> > admin need that kind of abstraction?
>
> See (5).

See point (5) answer ;-)

> Why reinvent the wheel? Anyone who has messed with iptables for
> anything more than just a "deny all, allow SSH" firewall has to write
> scripts to automate the construction of long chains. Why not use a
> widely used Open Source script instead; you get the benefit of many
> eyes making bugs shallow and security flaws more obvious.

It's not reinvent the wheel. It's just using a tool. Iptables is not a
programming language interpreter it's only a simple tool created to
configure the ruleset in Netfilter...
Many eyes are looking for bugs everyday in the Netfilter code, in
iptables code and in particular rule configurations...
The admin duty is to be informed about that possibilities and to
document himself.
Sure my rules are not perfect, I can make mistakes, but not all the
clients, environments and scenarios are the same. I had to configure
systems adhoc for clients and implement the solution based on the
scenario.
Maybe a tool could b enough, maybe not, but if I have to make a talk
about _iptables_ I want to talk about _iptables_ and not about the X
funny tool that make my life easy.

> What if you screw up in your script and leave a hole in your firewall?
> Who is reviewing that? No-one, until some cracker comes along and
> illustrates the hole to you in a sub-optimal (at least from your point
> of view) way.

That could happen with my script, with the X funny tool, with a bug in
Netfilter.... No body is secure enough, only the unplugged machine and
even it could be theft...

      -Pietro

--
- Pietro Zuco (ピエトロ・ズコ)
-
- pietro@example.com
- Home page: http://www.zuco.org
- Photo Blog: http://photo.zuco.org
- Linux User: 252836