Re: Firewall tools don't play nice with each other
> > I also meant the packaging of the tools. Part of Debian Policy states
> > that some packages should conflict with other packages.
> Yes, where the packages cannot coexist correctly.
> > I think that, for example, guarddog should conflict with shorewall
> > firewall. I think that only one should be in place at a time.
> Well, that's nice, but /why/ should there only be one in place?
If each package modifies rc.firewall, then I guess it doesn't matter. But I
don't think they do. I also don't know where they insert themselves in the
startup sequence. This is the problem that I've had in particular:
I've got two different firewalls in place, at two different points in my
startup, so I think that one works, but then another is actually doing the
firewalling. Then, on top of that, I've got PPPoE (which is also a Debian
package), which does its own thing to the firewall/ipchains to enable
forwarding to the other (private) hosts on my network. I had to go and hunt
down why the firewalling wasn't working the way that I thought it was because
of this. This is ultimately what I'm looking at as a problem. It's the last
firewall script that is run that determines what the rules are. There should
be some Debian policy about that.
> > When I do apt-get install guarddog, and I've already got shorewall,
> > that I'll get a very specific warning message that I'm playing with
> > firewalls (heh), that this is a security issue, be careful, do I
> > really want to do this, etc.,
> That isn't going to stop people cutting themselves if they play with
> knives. Having two knives in the drawer is no more dangerous than one...
> > and that by choosing to install one, I'll be removing the other one,
> > or no, you can't do this right now, you have to separately choose to
> > remove shorewall first. That's what I meant. :-)
> That's still a really bad idea. There is no conflict, either conceptual
> or technical, why two firewalling packages cannot coexist.
> > I didn't mean to be clear as mud earlier.
> I think that your intention was clear. Your reasoning, OTOH, isn't.
Linux -- the OS for the Renaissance Man
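The "last firewall script to run wins" problem described in the reply above comes down to the ordering of the S-links in the SysV rcN.d directory: init runs them in sequence-number order, so whichever firewall package installed the highest-numbered start link determines the rules that are in effect after boot. The script below is an added example, not code from the thread or from any of the packages mentioned. It takes an rcN.d listing (here a constructed sample; the `shorewall`, `guarddog` and `pppoe` link names and sequence numbers are assumptions, not what those packages actually install) and reports which rule-rewriting scripts are present, in what order they run, and which one runs last.

```shell
#!/bin/sh
# Added example (not from the thread): given a SysV rcN.d listing, show the
# start links belonging to packages that rewrite packet-filter rules, in the
# order init will run them, and name the one that runs last.

# Constructed sample of an /etc/rc2.d listing; the firewall-related link names
# and sequence numbers are assumed for illustration, not taken from real packages.
SAMPLE_RC2D='K20something
S10sysklogd
S20shorewall
S23ntp
S30pppoe
S40guarddog
S99rmnologin'

# Init scripts assumed to rewrite the firewall rules; extend for your own system.
FIREWALL_SCRIPTS='shorewall guarddog pppoe'

# Print "sequence name" for every S-link whose script is in FIREWALL_SCRIPTS,
# sorted by the two-digit sequence number, which is how /etc/init.d/rc orders them.
# K-links are skipped: they run at shutdown/runlevel change, not at boot.
firewall_start_order() {
    printf '%s\n' "$1" | while IFS= read -r link; do
        case "$link" in
            S[0-9][0-9]*) ;;
            *) continue ;;
        esac
        seq=${link#S}             # drop the leading S
        seq=${seq%"${seq#??}"}    # keep only the two-digit sequence number
        name=${link#S??}          # everything after the sequence number
        for fw in $FIREWALL_SCRIPTS; do
            [ "$name" = "$fw" ] && printf '%s %s\n' "$seq" "$name"
        done
    done | sort -n
}

# Name of the firewall script that runs last (its rules are the ones in effect).
last_firewall_script() {
    firewall_start_order "$1" | tail -n 1 | cut -d' ' -f2
}

# How many rule-rewriting scripts the listing contains.
count_firewall_scripts() {
    firewall_start_order "$1" | wc -l | tr -d ' '
}

# Report: list the scripts in run order and warn when more than one is present.
report() {
    n=$(count_firewall_scripts "$1")
    echo "firewall-related start links in run order:"
    firewall_start_order "$1"
    if [ "$n" -gt 1 ]; then
        echo "WARNING: $n scripts rewrite the rules; $(last_firewall_script "$1") runs last and wins"
    fi
}

report "$SAMPLE_RC2D"
```

On a real system, replace the constructed sample with the listing of the runlevel you boot into, e.g. `report "$(ls /etc/rc2.d)"`; the warning line is the check the reply is asking for, since it makes the "which script actually wins" question visible before you have to debug the live ruleset.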