
Re: Firewall tools don't play nice with each other

On Tue, 23 Apr 2002, Russell Hires wrote:

[...rewritten to conform to RFC822 -- replies /below/ bodies...]

> On Tuesday 23 April 2002 10:45 am, Laurence J. Lane wrote:
>> On Sun, Apr 21, 2002 at 09:13:28AM -0400, Russell Hires wrote:
>> > I've been playing with the various firewall tools that are a part
>> > of debian, and I'm surprised by something: None of them conflict
>> > with each other, and I think they should.  Rather than filing bug
>> > reports for each different tool, I was thinking that there should
>> > be some sort of conference between all of the firewall tool
>> > maintainers so that they can coordinate a firewall policy of some
>> > kind, and so that their firewall tools will play nice with each
>> > other.
>> Do you mean ipfwadm, ipchains, and iptables? There is no technical
>> conflict between them.
>> > Is such a thing feasible? If so, how would one go about organizing
>> > such a thing? Any advice out there? Is this even a good idea?
>> Based on the information given so far, I do not see it as a good
>> idea.
> Hmmm....I meant the GUI tools, and even a few of the command line
> ones. Not specifically ipchains or iptables. 


> I also meant the packaging of the tools. Part of Debian Policy states
> that some packages should conflict with other packages. 

Yes, where the packages cannot coexist correctly.

> I think that, for example, guarddog should conflict with shorewall
> firewall. I think that only one should be in place at a time. 

Well, that's nice, but /why/ should there only be one in place?

> When I do apt-get install guarddog, and I've already got shorewall,
> that I'll get a very specific warning message that I'm playing with
> firewalls (heh), that this is a security issue, be careful, do I
> really want to do this, etc., 

That isn't going to stop people cutting themselves if they play with
knives. Having two knives in the drawer is no more dangerous than one...

> and that by choosing to install one, I'll be removing the other one,
> or no, you can't do this right now, you have to separately choose to
> remove shorewall first. That's what I meant. :-)

That's still a really bad idea. There is no conflict, either conceptual
or technical, why two firewalling packages cannot coexist.

> I didn't mean to be clear as mud earlier.

I think that your intention was clear. Your reasoning, OTOH, isn't.


When I admire the wonder of a sunset or the beauty of the moon,
my soul expands in worship of the Creator.
        -- Mohandas K. Gandhi
