[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Firewall tools don't play nice with each other

Hash: SHA1

> > I also meant the packaging of the tools. Part of Debian Policy states
> > that some packages should conflict with other packages.
> Yes, where the packages cannot coexist correctly.
> > I think that, for example, guarddog should conflict with shorewall
> > firewall. I think that only one should be in place at a time.
> Well, that's nice, but /why/ should there only be one in place?

If each package modifies rc.firewall, then I guess it doesn't matter. But I 
don't think they do. I also don't know where they insert themselves in the 
startup sequence. This is the problem that I've had in particular:

I've got two different firewalls in place, at two different points in my 
start up, so I think that one works, but then another is actually doing the 
firewalling. Then, on top of that, I've got PPPoE (which is also a debian 
package), which does its own thing to the firewall/ipchains to enable 
forwarding to the other (private) hosts on my network. I had to go and hunt 
down why the firewalling wasn't working the way that I thought it was because 
of this. This is ultimately what I'm looking at as a problem. It's the last 
firewall script that is run that determines what the rules are. There should 
be some debian policy about that. 


> > When I do apt-get install guarddog, and I've already got shorewall,
> > that I'll get a very specific warning message that I'm playing with
> > firewalls (heh), that this is a security issue, be careful, do I
> > really want to do this, etc.,
> That isn't going to stop people cutting themselves if they play with
> knives. Having two knives in the draw is no more dangerous than one...
> > and that by choosing to install one, I'll be removing the other one,
> > or no, you can't do this right now, you have to separately choose to
> > remove shorewall first. That's what I meant. :-)
> That's still a really bad idea. There is no conflict, either conceptual
> or technical, why two firewalling packages cannot coexist.
> > I didn't mean to be clear as mud earlier.
> I think that your intention was clear. Your reasoning, OTOH, isn't.
>         Daniel

- -- 
Linux -- the OS for the Renaissance Man 
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: