
Re: [tlug] iptables - Tools for easy configuration



On 02/07/07, Pietro Zuco <drzuco@example.com> wrote:

> More layers, more abstraction are not good for security, stability and
> especially for knowledge's sake.

I am not talking about abstraction here, I am talking about using tools to generate a baseline that you then modify to suit your needs.

You admit yourself that you use scripts that you have written for this
purpose, and I suggest that your scripts are inferior to Firestarter,
because the latter has been reviewed by the community, whereas your
scripts have not. Therefore, I would not trust your scripts -- or my
scripts, for that matter -- to not be riddled with security holes. And
that means that your firewall is not as good as one generated by
Firestarter.

And believe you me, Firestarter is popular enough to have been
reviewed by security experts.

> Iptables are not so hard to understand,

No, but they are time-consuming and error-prone to write by hand. That is why all old iptables hands know the "set up a cronjob that runs 'iptables -X' every five minutes until you get your rules right" trick.

> it's not sendmail.cf, and a deep knowledge of what's
> happening is important.
> I don't want an admin that doesn't understand it.

Sendmail is actually a great example, because no one in his right mind would write a sendmail.cf manually. But you'd better be able to understand a sendmail.cf when you read it.

Any admin that understands iptables rulesets certainly has the
knowledge to build one, but I think, like LFS or Gentoo Stage 1, it is
a complete waste of time except as a learning exercise, which you do
once.

> I don't know those kinds of tools and I will not spend my time learning
> them. I prefer to use that time playing with GTA. I always try to
> avoid, as much as I can, learning things that create a hard dependence
> on some software, company or whatever.

Yeah, because Firestarter is closed source and the authors can just take it away, right?

Oh wait... wrong.

By not spending the literally two seconds to "learn" Firestarter,
which is the time it takes to figure out which binary to execute, you
are wasting a lot of time writing your scripts and iptables rules by
hand, and your sites are *less* secure to boot.

> I still can't see why I have to use the output of the tool... I
> don't need that if I know what I'm doing.

No, but you need that if you are a sysadmin. Remember, the goal of the game is to automate yourself right out of a job. The only thing that should interrupt your Slashdot / SecurityFocus / Schneier on Security / Ranum.com reading is your pager letting you know that some k1dd13 has been caught in your honeypot. ;)

> I'm talking about firewalls with Linux and especially about iptables in
> general terms from the administrator's point of view.

Yeah, me too. I just bring up Firestarter a lot because most of the people on this list are not systems or network admins. Firestarter is more topical to them.

> I access the firewall by a serial port or an ssh connection from
> some "secure" segment; I don't deal with Gnome to set a rule... well,
> the system doesn't have X at all.

So use one of the ncurses-based tools. The point is to use a popular tool that has been through the review wringer.

> > For a Gnome desktop, Firestarter looks ideal. I am sure there are
> > ncurses-based tools, as well:
> >
> > http://freshmeat.net/projects/vuurmuur/

> Let's see the answer at point 3... I don't care how to see it in Gnome or
> whatever... I'm not even talking about a desktop.

Did you click on the http://freshmeat.net/projects/vuurmuur/ link or read the sentence that preceded it?

> Sure, my rules are not perfect, I can make mistakes, but not all the
> clients, environments and scenarios are the same. I had to configure
> systems ad hoc for clients and implement the solution based on the
> scenario.

If you make mistakes, then your firewall is worthless. If you use a tool to generate the baseline, you can be much more confident that at least the baseline portion will be secure.

> Maybe a tool could be enough, maybe not, but if I have to give a talk
> about _iptables_ I want to talk about _iptables_ and not about the X
> funny tool that makes my life easy.

Um, I am not suggesting that you talk about "X funny tool" at all. Just use the tool to create a basic ruleset, and *show us* the rules. Explain them. Explain how to modify them. That is interesting and useful.

> > What if you screw up in your script and leave a hole in your firewall?
> > Who is reviewing that? No-one, until some cracker comes along and
> > illustrates the hole to you in a sub-optimal (at least from your point
> > of view) way.

> That could happen with my script, with the X funny tool, with a bug in
> Netfilter.... Nobody is secure enough, only the unplugged machine, and
> even that could be stolen...

Yeah, but it is a question of risk management. Publicly reviewed code and algorithms are more secure than your home-brewed stuff, period. Period. End of discussion.

I am not saying they are 100% secure, I am saying they are more secure.

BTW, I do not necessarily think you are wrong here, but my POV is
quite different. Which gives me an idea... stay tuned!

--
Cheers,
Josh
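Two practical points in the thread are worth showing as code: the "schedule a reset until you get your rules right" safety net from the reply above, and the suggestion to generate a small baseline ruleset and then review it rule by rule. The script below is an added example written for this archive page; it is not from either poster and not a Firestarter or vuurmuur artifact. It prints a baseline in iptables-restore format, and `apply_with_rollback` loads it while a background watchdog restores the previous rules unless you confirm within a time limit. The ssh port, the management network `10.0.0.0/24` and the file path under `/run` are placeholders you would replace.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Assumes stock
# iptables, iptables-save and iptables-restore; only the apply/confirm
# functions need root. The defaults below are placeholders, not real sites.

# Print a reviewable baseline for a host whose only inbound service is ssh.
# $1 = ssh port, $2 = management network (CIDR) allowed to reach ssh.
baseline_rules() {
    ssh_port="$1"
    mgmt_net="$2"
    cat <<EOF
*filter
# Default deny inbound and forwarded traffic; outbound is allowed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always fine.
-A INPUT -i lo -j ACCEPT
# Drop packets that do not belong to any known connection state.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections this host opened itself.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ssh, but only from the management segment.
-A INPUT -p tcp -s ${mgmt_net} --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# ICMP echo so monitoring keeps working.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log (rate limited) what the default policy is about to drop, so mistakes
# in the ruleset show up in the logs instead of as silent outages.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Load a ruleset from stdin with a timed rollback: the rules in effect before
# the change are restored after $1 seconds unless confirm_rules is run.
# Usage (as root): baseline_rules 22 10.0.0.0/24 | apply_with_rollback 120
apply_with_rollback() {
    seconds="$1"
    backup="/run/iptables.rollback.$$"
    iptables-save > "$backup" || return 1
    # Watchdog: if the backup still exists when the timer fires, nobody
    # confirmed the new rules, so put the old ones back.
    ( sleep "$seconds"; [ -f "$backup" ] && iptables-restore < "$backup" && rm -f "$backup" ) &
    echo "$!" > "$backup.pid"
    iptables-restore || return 1
    echo "new rules loaded; run 'confirm_rules $backup' within ${seconds}s or they are rolled back"
}

# Cancel the watchdog once you have verified you can still reach the host.
confirm_rules() {
    backup="$1"
    kill "$(cat "$backup.pid")" 2>/dev/null
    rm -f "$backup" "$backup.pid"
    echo "rules confirmed; rollback cancelled"
}

# With no arguments the script only prints the baseline for review.
case "${1:-show}" in
    show)  baseline_rules "${SSH_PORT:-22}" "${MGMT_NET:-10.0.0.0/24}" ;;
    apply) baseline_rules "${SSH_PORT:-22}" "${MGMT_NET:-10.0.0.0/24}" | apply_with_rollback "${2:-120}" ;;
esac
```

Review the printed output before loading it: every `-A INPUT` line should be one you can explain, which is exactly what the reply above asks a talk to do. Two caveats a practitioner would add: this covers IPv4 only, so an ip6tables ruleset is needed as well if the host has IPv6 addresses, and the rollback only helps against rules that cut off your own session; it does nothing for rules that are merely too permissive, which is what community review is for.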

