[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Firewall-troubleshooting

On 4 Jul 2005, Paul Gear wrote:
> Daniel Pittman wrote:
>> ...
>> Shorewall, like many firewall packages, gives you[1] a whole bunch of
>> configuration options, which turn on or off features in the pre-packaged
>> firewall you have.
>>
>> This tends to make it hard to do strange things like playing with DSCP
>> tagging of packets, or deciding to use the 'uid' option to an iptables
>> rule, or whatever.  The recent ipt_recent protection against SSH, etc,
>> brute force attacks is a good example of this sort of stuff.
>>
>> It also tends to encourage "shortcuts" in the firewall, like accepting
>> any RELATED/ESTABLISHED packets,
>
> Am i right in understanding that you consider accepting
> RELATED/ESTABLISHED packets a bad thing?

No.  Accepting *any* RELATED/ESTABLISHED packets is, though, if someone
finds an attack to generate entries in the conntrack table.  Like, say,
the active FTP NAT PORT bug from quite some time ago, which would allow
remote attackers to do just that. :)

Limiting the RELATED/ESTABLISHED packets to what you actually expect
(part of an established connection to a service you actually use) is a
more secure policy.

Obviously, none of this is a *huge* risk, but if it comes for free...

>> ...
>> Shorewall was *NOT* one of the tools that I evaluated to the level of a
>> generated firewall -- it didn't let me do some of the stuff I was doing
>> already, so I didn't try it.
>
> What were the main things you wanted that shorewall didn't do?

At the time, some UID based stuff, as I recall.  This was over a year
ago, though, so things have probably changed (and my memory is a bit
fuzzy).

>> ...
>> Firehol suits me, personally, because it makes it easy to write a really
>> good and secure firewall, because it takes the hard work out of
>> iptables, but it still doesn't get in the way of doing, well, anything I
>> want.
>
> You can integrate arbitrary iptables commands into shorewall also.

Cool.  Either I missed it at the time, or it is a new feature, but it is
nice to see that it is there.

Shorewall /does/ seem like a very sound choice for firewalling, even if
it isn't my cup of tea. :)

>> ...
>>> I have heared some opinions like "shorewall is bad" so I'm really
>>> thinking of switching to something else. But I dont't know why...
>>> noone was able to give me a good reason.
>> ...
>> Also, in general I don't recommend changing *anything* just because
>> someone else tells you they don't like it -- and if they can't tell you
>> *why*, it is just that they "don't like it."
>
> Couldn't agree more.

*nod*  I sure don't think that my personal taste is a strike against
Shorewall.

	Daniel

-- 
Life is about not knowing, having to change, taking the moment and making the
best of it, without knowing what's going to happen next. Delicious ambiguity.
        -- Gilda Radner
Reply to: