[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Firewall-troubleshooting

On 3 Jul 2005, Jakub Sporek wrote:
> On Sun, 03 Jul 2005 05:07:02 +0200, Daniel Pittman <daniel@rimspace.net>
> wrote:
>
>> I found that 'firehol' was quite a surprise to me -- not only didn't it
>> suck, it actually improved my hand-written firewall somewhat.
>
>> Unlike everything else, it doesn't tell you to fill in three values in a
>> configuration file and expect to have a full firewall.  All it does is
>> help take the tedious bits out of writing an iptables firewall.
>
> I'd like to know what you think of shorewall? Is it good firewall or  
> should I switch to that firehol you write about? 

I didn't like shorewall when I evaluated it, but not for reasons of
security.

Shorewall, like many firewall packages, gives you[1] a whole bunch of
configuration options, which turn on or off features in the pre-packaged
firewall you have.

This tends to make it hard to do strange things like playing with DSCP
tagging of packets, or deciding to use the 'uid' option to an iptables
rule, or whatever.  The recent ipt_recent protection against SSH, etc,
brute force attacks is a good example of this sort of stuff.

It also tends to encourage "shortcuts" in the firewall, like accepting
any RELATED/ESTABLISHED packets, because each option in the
configuration file is actually an "if" statement around a bit of hand
crafted firewall.[2]

These points may or may not apply to Shorewall - I didn't evaluate down
to that level when I was looking at it, and things may have changed
since.

On the other hand, they do normally make it easier to have a "working"
firewall in less time, and potentially with less understanding[3], than
raw iptables, or firehol, demand.

This doesn't really suit me, because I want to do occasional odd stuff,
and because when I have evaluated the few tools that didn't restrict me
too much I found that the generated firewall wasn't up to scratch.

Shorewall was *NOT* one of the tools that I evaluated to the level of a
generated firewall -- it didn't let me do some of the stuff I was doing
already, so I didn't try it.


Firehol, on the other hand, is a tool that makes it *easier* to write an
iptables firewall by doing all the tedious work for you.  

Instead of writing out a hundred stanzas with a couple of changes, it
lets the computer do all the hard work of turning ten lines into that
hundred.

For example, my current firewall has on the order of eight hundred
individual iptables rules covering traffic through it.  Writing that by
hand would be ... impossible, or pretty close to it.

On the other hand, my firewall also includes a handful of raw iptables
level rules, because there were things that firehol *didn't* support
when I last touched the configuration.

Firehol suits me, personally, because it makes it easy to write a really
good and secure firewall, because it takes the hard work out of
iptables, but it still doesn't get in the way of doing, well, anything I
want.

> I have heared some opinions like "shorewall is bad" so I'm really
> thinking of switching to something else. But I dont't know why...
> noone was able to give me a good reason.

All my reasons are personal taste, basically, and I certainly don't
advise that you change your firewall tool on the basis of my personal
taste. ;)

Also, in general I don't recommend changing *anything* just because
someone else tells you they don't like it -- and if they can't tell you
*why*, it is just that they "don't like it."


However, if you do want to consider another firewall tool, firehol is a
good choice, in my opinion.  OTOH, you may hate it with a passion, since
your style of firewall building may be totally different from mine.

Oh, and if you do use it, *do* use 'firehol try', which is one of the
finest features of the package. :)


Finally, a hint for anyone who read this far:  for most configurations,
the firewall is really quite static.  It doesn't change based on
anything other than you editing a file, and it /is/ pretty slow for a
complex rules file.

So, treat firehol like a compiler:  run it when something changes, and
use iptables-save(8) and friends at boot time to restore the rules.

Viola, the low performance is something that doesn't bother you much of
the time. 

    Daniel


Footnotes: 
[1]  So far as I can tell.  I have not looked in, oh, a year or so, so
     things may be dramatically different these days.

[2]  I don't know if shorewall actually works like this, or more like
     firehol internally, but all the other 

[3]  This is not to say that using Shorewall is a sign that you are a
     bad, or ignorant, administrator, by any stretch of the imagination.

-- 
Our undisciplinables are our proudest product...
Let us hope our output of them will never cease.
        -- William James
Reply to: