
Re: [RFR] apf-firewall package



Giuseppe Iuculano wrote:
> I would be glad if someone could have a quick look at the following
> descriptions:
> 
> Description: easy iptables based firewall system

What, so a firewall set up by APF-firewall is an "Advanced Policy
Firewall firewall" firewall?  That's taking PIN-numberism a bit too
far.  Still, probably not worth trying to fix it.

I think I'd hyphenate iptables-based.  Then again, what other than
iptables is it possible for a current Debian firewall package to
use?  Maybe in principle it could provide a predefined netfilter
firewall via extra kernel modules... so the point is that it's not
that, it's an ordinary userspace firewall setup mechanism.  In which
case, maybe it should be:

  Description: easy firewall setup system

Mind you, I don't see any particular justification below for the
"easy" part, given that it expects me to perform day-to-day
administration on the commandline...

>  Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall
>  system designed around the essential needs of today's Internet deployed
>  servers and the unique needs of custom deployed Linux installations.

This feels like empty rhetoric.  If "Internet-deployed" means...
um... "with a net connection" and "custom-deployed" means... uh...
"installed by somebody who was awake at the time", why are they two
distinct sets of computers, one with "essential needs" and the other
with "unique needs"?  It seems to boil down to:

   Advanced Policy Firewall (APF) is designed around the needs of
   Linux installations with net connections.

Or since un-networked Windows boxes don't have access to the apt
repositories anyway, I'd consider throwing it away and starting
again.  How about putting this together with the short description:
APF's primary selling point (in the name) is that it's advanced, and
the claim that it's easy is secondary.  So turn it around:

  Description: Advanced Policy Firewall
   Advanced Policy Firewall (APF) provides an easy-to-use firewall system
   for today's Linux servers.
 
>  The
>  configuration of APF is designed to be very informative and present the
>  user with an easy to follow process, from top to bottom of the
>  configuration file.

When it says "The configuration of APF", that could mean
 * the overall organisation of APF
 * the install-time configuration scripts for apf-firewall
 * /etc/apf.conf (or whatever it's called)
Given that it's "informative", it has to mean the third one, I
think.  In which case, trimming verbiage, it's

   Its configuration file is designed to be informative and easy to
   follow.

>  The management of APF on a day-to-day basis is
>  conducted from the command line with the 'apf' command, which includes
>  detailed usage information and all the features one would expect from a
>  current and forward thinking firewall solution.
>  Summary of features:

   Day-to-day administration is conducted via the 'apf' command,
   which features:

Then list the features and let users make up their own minds about
whether there are any missing.

>    * detailed and well commented configuration file

What does it mean to say that apf.conf is _detailed_?  This is
redundant; either drop this bulletpoint or the previous sentence
about its very informative config.

>    * granular inbound and outbound network filtering
>    * user id based outbound network filtering
>    * application based network filtering

Too many network filterings.  Combine the second and third into:

     * filtering on the basis of UIDs or applications;

>    * trust based rule files with an optional advanced syntax

I'm not sure I follow in what sense the rule files are trust based,
or how the advanced syntax is optional...

>    * global trust system where rules can be downloaded from a central
>      management server

"Global trust" is exactly what I don't want in my firewall, thanks.
I'm hoping this and the above together mean something like:

     * trust-management system for downloading rules from a central
       server;

>    * reactive address blocking (RAB), next generation in-line intrusion
>      prevention

If you have to explain the acronym and then never use it again,
don't bother abbreviating it in the first place.  "In-line" is
pretty meaningless, and The Next Generation was old hat ten years
ago, so I'd suggest:

     * advanced intrusion protection via Reactive Address Blocking;

>    * debug mode provided for testing new features and configuration setups

Is this separate from DEVEL_MODE?

>    * fast load feature that allows for 1000+ rules to load in under 1 second

Does this mean there's a special "apf --quick-and-dirty-mode" or is
it just saying it's _always_ fast?

(When it talks about "1000+ rules in under 1 second", that just
makes me think (a) "what, I might have to program in _thousands_ of
separate rules?" and (b) "what, they take a whole millisecond each
to load?"...  Besides, I bet my prehistoric 386 laptop would be
slower than that - 4 bogomips, just enough to run Woody...)

>    * inbound and outbound network interfaces can be independently configured

This is a repeat of bulletpoint number one.  But what if I want to
have a DMZ on a third interface?

>    * global tcp/udp port & icmp type filtering with multiple methods of
>      executing filters (drop, reject, prohibit)

"Global"?  And you don't "execute" a DROP target...

     * TCP/UDP port and ICMP type filtering, with drop, reject, and prohibit
       modes;

>    * configurable policies for each ip on the system with convenience variables
>      to import settings


By "ip" it means "(IP) address".  And talking in terms of
"variables" seems developer-centric; from the user's point of view,
they aren't variables, they're labels. 

     * IP address labeling support for convenient handling of separate
       policies;

(Doesn't the twice-repeated one about inbound and outbound network
interfaces automatically imply per-interface configurability?  These
bulletpoints need to be put in a more coherent order.)

>    * packet flow rate limiting that prevents abuse on the most widely abused
>      protocol, icmp

     * packet flow rate limiting to prevent ICMP abuse

>    * prerouting and postrouting rules for optimal network performance

This seems pretty vacuous.

>    * dshield.org block list support to ban networks exhibiting suspicious
>      activity

     * dshield.org block list support, to identify and ban botnets;

>    * spamhaus Don't Route Or Peer List support to ban known "hijacked zombie"
>      IP blocks

The spamhaus.org DROP list includes netblocks that haven't been
hijacked (they've just been legally purchased by known spammers).

     * support for spamhaus.org DROP lists, to identify spammer netblocks;

>    * any number of additional interfaces may be configured as firewalled
>      (untrusted) or trusted (not firewalled)

Wait, additional to what?

Presumably this is trying to avoid the potential confusion between
	- machines that are "not firewalled" in the sense that
		they're outside my firewall (so I can't trust them)
and	- machines that are "not firewalled" in the sense that I
		don't block their packets (because I trust them).

I'd say:
     * support for configuring interfaces as "trusted" or "firewalled";

But if this is the same trust system as it was talking about near
the beginning of the list, move it up to there.

>    * additional firewalled interfaces can have there own unique firewall
>      policies applied

s/there/their/.  These last two items are phrased as full sentences,
rather than as noun phrases like most of the rest.

     * support for separate policies for each firewalled interface;

And again, reorder the list.

>    * intelligent route verification to prevent embarrassing configuration
>      errors

This is fine, as long as nobody expects them to be intelligent in
Alan Turing's sense of the word.

>    * advanced packet sanity checks to make sure traffic coming and going meets
>      the strictest of standards

This seems exaggerated, unless it really does sanity-check the SMTP
packets to make sure my e-mails are correctly spelled... what _does_
it mean?  Is it still talking about checking for misconfigured
firewall rules, or what?

>    * filter attacks such as fragmented UDP, port zero floods, stuffed routing,
>      arp poisoning and more

Now a verb phrase!  Standardise on noun phrases.

"Stuffed routing" is an unhelpful jargon term for something that
isn't an attack anyway.  And s/arp/ARP/ (I'm getting the distinct
impression this text was composed by someone with sticky hyphen and
shift keys...) 

     * filtering of attacks such as fragmented UDP, port zero flooding, or
       ARP poisoning;

>    * configurable type of service options to dictate the priority of different
>      types of network traffic

That's a really unclear way of saying
     * traffic shaping, assigning higher priority to important traffic;

>    * intelligent default settings to meet every day server setups

     * default settings well-suited to ordinary server setups;

>    * dynamic configuration of your servers local DNS revolvers into the firewall

There are at least two typos here (s/servers/servers'/,
s/revolvers/resolvers/), on top of the unclear phrasing.  I think
it's just saying:

     * Dynamic DNS support;

>    * optional filtering of common p2p applications

s/p2p/P2P/, s/applications/protocols/ (you can filter BitTorrent
independent of whether I'm running ktorrent or rtorrent...)

>    * optional filtering of private & reserved IP address space

Uh, it filters the address space?  No, maybe it means that it allows
firewalling of LANs.  Or... maybe not.  I don't know.

I think I'd just cut it - there's no shortage of bullet points.


  Description: Advanced Policy Firewall
   Advanced Policy Firewall (APF) provides an easy-to-use firewall system
   for today's Linux servers. Its configuration file is designed to be
   informative and easy to follow; day-to-day administration is conducted
   via the 'apf' command.
   .
   Features include:
    * default configuration well-suited to ordinary server setups;
    * debug mode for testing new features and configuration setups;
    * route sanity-checking to prevent embarrassing configuration errors;
    * trust-management system for downloading rules from a central server;
    * support for configuring interfaces as "trusted" or "firewalled";
    * granular inbound and outbound network filtering;
    * support for separate policies for each firewalled interface;
    * IP address labeling support for convenient handling of separate
      policies;
    * filtering on the basis of UIDs or applications;
    * TCP/UDP port and ICMP type filtering, with drop, reject, and prohibit
      modes;
    * filtering of attacks such as fragmented UDP, port zero flooding, or
      ARP poisoning;
    * packet flow rate limiting to prevent ICMP abuse;
    * traffic shaping, assigning higher priority to important traffic;
    * advanced intrusion protection via Reactive Address Blocking;
    * dshield.org block list support, to identify and ban botnets;
    * support for spamhaus.org DROP lists, to identify spammer netblocks;
    * Dynamic DNS support;
    * optional filtering of common P2P protocols.

-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package
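An added example, not part of the thread above and not code from the APF package: the feature list's three filter modes (drop, reject, prohibit) and its ICMP rate limiting are really a thin layer over iptables targets, and the distinction matters for what a port scanner sees. The small POSIX shell functions below map a mode onto the corresponding iptables target and print the command rather than running it, so the rules can be reviewed before being applied. The function names, the IPTABLES variable and the mapping of "prohibit" to an ICMP host-prohibited reject are assumptions made for this example, not APF's actual implementation.

```shell
#!/bin/sh
# Added example, not APF's own code.  Maps the description's three filter
# modes (drop, reject, prohibit) onto iptables targets and prints the
# resulting command instead of running it, so the rules can be reviewed
# (or piped to sh as root) without touching a live ruleset.
#
# Assumptions made here: the "prohibit" mode means a REJECT with an ICMP
# host-prohibited reply; all function and variable names are invented.

IPTABLES=${IPTABLES:-iptables}

# apf_filter_rule PROTO PORT MODE
#   PROTO: tcp or udp
#   PORT:  destination port to filter on the INPUT chain
#   MODE:  drop     - silently discard (no reply; a scanner sees a timeout)
#          reject   - refuse with the protocol's normal "closed" reply
#                     (TCP RST for tcp, ICMP port-unreachable for udp)
#          prohibit - refuse with ICMP host-prohibited, telling the sender
#                     the block is administrative, not a closed port
# Prints the iptables command on stdout; returns 1 on bad input.
apf_filter_rule() {
    proto=$1 port=$2 mode=$3
    case $proto in
        tcp|udp) ;;
        *) echo "apf_filter_rule: unknown protocol '$proto'" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "apf_filter_rule: bad port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "apf_filter_rule: port '$port' out of range" >&2
        return 1
    fi
    case $mode in
        drop)     target='-j DROP' ;;
        reject)   if [ "$proto" = tcp ]; then
                      target='-j REJECT --reject-with tcp-reset'
                  else
                      target='-j REJECT --reject-with icmp-port-unreachable'
                  fi ;;
        prohibit) target='-j REJECT --reject-with icmp-host-prohibited' ;;
        *) echo "apf_filter_rule: unknown mode '$mode'" >&2; return 1 ;;
    esac
    printf '%s -A INPUT -p %s --dport %s %s\n' \
        "$IPTABLES" "$proto" "$port" "$target"
}

# apf_icmp_limit TYPE RATE BURST
#   Rate-limits one ICMP type (e.g. echo-request) with the limit match:
#   packets within the token bucket are accepted by the first rule, and
#   anything beyond it falls through to the DROP, so ordinary pings still
#   work while a flood is discarded.
apf_icmp_limit() {
    itype=$1 rate=$2 burst=$3
    printf '%s -A INPUT -p icmp --icmp-type %s -m limit --limit %s --limit-burst %s -j ACCEPT\n' \
        "$IPTABLES" "$itype" "$rate" "$burst"
    printf '%s -A INPUT -p icmp --icmp-type %s -j DROP\n' "$IPTABLES" "$itype"
}

# Usage: `sh this.sh demo` prints the rules; review them, then pipe the
# output to `sudo sh` to apply them.  Nothing runs when sourced.
if [ "${1:-}" = demo ]; then
    apf_filter_rule tcp 23 drop
    apf_filter_rule tcp 111 reject
    apf_filter_rule udp 111 reject
    apf_filter_rule tcp 6881 prohibit
    apf_icmp_limit echo-request 10/s 20
fi
```

The choice between the three modes is a trade-off the description glosses over: DROP hides the host from casual scans but makes legitimate clients wait for a timeout, REJECT fails fast, and the host-prohibited variant explicitly tells the sender it is being filtered.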

