Re: Firewall tools don't play nice with each other

To: Daniel Pittman <daniel@rimspace.net>
Cc: debian-firewall@lists.debian.org
Subject: Re: Firewall tools don't play nice with each other
From: Russell Hires <rhires@earthlink.net>
Date: Wed, 24 Apr 2002 09:01:28 -0400
Message-id: <[🔎] E170MOp-0000EF-00@localhost>
Reply-to: rhires@earthlink.net
In-reply-to: <[🔎] 87znztlgit.fsf@enki.rimspace.net>
References: <[🔎] E16zH9s-00026z-00@localhost> <[🔎] E170BAp-0000X1-00@localhost> <[🔎] 87znztlgit.fsf@enki.rimspace.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> > I also meant the packaging of the tools. Part of Debian Policy states
> > that some packages should conflict with other packages.
>
> Yes, where the packages cannot coexist correctly.
>
> > I think that, for example, guarddog should conflict with shorewall
> > firewall. I think that only one should be in place at a time.
>
> Well, that's nice, but /why/ should there only be one in place?

If each package modifies rc.firewall, then I guess it doesn't matter. But I 
don't think they do. I also don't know where they insert themselves in the 
startup sequence. This is the problem that I've had in particular:

I've got two different firewalls in place, at two different points in my 
start up, so I think that one works, but then another is actually doing the 
firewalling. Then, on top of that, I've got PPPoE (which is also a debian 
package), which does its own thing to the firewall/ipchains to enable 
forwarding to the other (private) hosts on my network. I had to go and hunt 
down why the firewalling wasn't working the way that I thought it was because 
of this. This is ultimately what I'm looking at as a problem. It's the last 
firewall script that is run that determines what the rules are. There should 
be some debian policy about that. 

Russell



>
> > When I do apt-get install guarddog, and I've already got shorewall,
> > that I'll get a very specific warning message that I'm playing with
> > firewalls (heh), that this is a security issue, be careful, do I
> > really want to do this, etc.,
>
> That isn't going to stop people cutting themselves if they play with
> knives. Having two knives in the draw is no more dangerous than one...
>
> > and that by choosing to install one, I'll be removing the other one,
> > or no, you can't do this right now, you have to separately choose to
> > remove shorewall first. That's what I meant. :-)
>
> That's still a really bad idea. There is no conflict, either conceptual
> or technical, why two firewalling packages cannot coexist.
>
> > I didn't mean to be clear as mud earlier.
>
> I think that your intention was clear. Your reasoning, OTOH, isn't.
>
>         Daniel

- -- 
Linux -- the OS for the Renaissance Man 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8xqypAqKGrvVshJQRAsCvAJ9vLjABS6e/NPe6m/7yv7Q+iq4XBACg182d
bk9pZ35TK3ln9Ww24Jw2hG0=
=GHDg
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: Firewall tools don't play nice with each other
  - From: Daniel Pittman <daniel@rimspace.net>

References:
- Firewall tools don't play nice with each other
  - From: Russell Hires <rhires@earthlink.net>
- Re: Firewall tools don't play nice with each other
  - From: Russell Hires <rhires@earthlink.net>
- Re: Firewall tools don't play nice with each other
  - From: Daniel Pittman <daniel@rimspace.net>

Prev by Date: Re: switching to iptables
Next by Date: Re: Firewall tools don't play nice with each other
Previous by thread: Re: Firewall tools don't play nice with each other
Next by thread: Re: Firewall tools don't play nice with each other
Index(es):
- Date
- Thread