
Re: some reality about iptables, please



On Wed, 2003-08-27 at 07:12, Paul Johnson wrote:
>  -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Tue, Aug 26, 2003 at 09:12:15PM -0400, Bret Comstock Waldow wrote:
> > # A: I was pretty much hounded into providing it. I do not like it.
> > #    Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
> > #    scripts use /etc/ppp/ip-*.d/ script. Create your own custom
> > #    init.d script -- no need to even name it iptables.  Use ferm,
> > #    ipmasq, ipmenu, guarddog, firestarter, or one of the many other
> > #    firewall configuration tools available. Do not use the init.d
> > #    script.
> 
> > For crissake!  Can anyone point me at some sensible discussion of how
> > the hell to go about putting firewall rules in place?  I've got a
> > laptop, usually on a cable modem, but sometimes using dial-up.
> 
> Oh, give us a break.  You and the unsubscribers have something in
> common:  You posted the solution to your problem.  Use ferm, ipmasq,
> ipmenu, guarddog, firestarter, or one of the many other firewall
> configuration tools available.  Do not use the init.d script.

But please notice two things:

1) If I use one of those tools, it does something, sets up something. 
What will it do?  It's someone else's canned decisions about how to
implement the choices I select from what it offers.  What do I end up
with?  Are there any holes?  How will I know if other choices I make
open up holes because I don't know how it's all coordinated?

I'm working with a copy of Real World Linux Security, and the fellow
provides a complete firewall for SOHO, and then dissects it to show the
concerns and his choices.  He also links it to adaptive firewall rules
to lock out attackers.

And it's for Red Hat, Mandrake, etc.  I have to reconstruct it for Debian
to use it.  So I need to know how to plumb it.

On running it by hand as an experiment, it locks all access - no
browser, mail, etc., so I need to learn more so I can work it all out.

And there isn't a lot of discussion I've found yet about the plumbing of
firewalling.

2) Other people do indeed have answers to the question - and I haven't
seen so much of a discussion of these issues in any of the sources I've
Googled yet.  The Debian Security manual really falls down on this
issue.  The book I'm reading points out that many people make the
mistake of flushing the rules before adding the new ones - the default
policy is ACCEPT.

My upset isn't appropriate here.  I apologize.  I think my questions are
appropriate, though.

And I don't think leaving documentation like the above is very kind or
useful for newbies.  If I'm to figure out how to solve the problem, I
need to know how, and leaving stress-inducing comments like that in
released code is a cop-out.  If it's broke, provide a solution, or at
least a decent discussion of the issues involved, so I can work one out.

Maybe I'll end up figuring one out.

Cheers,
Bret

-- 
bwaldow at alum dot mit dot edu
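
The flush-before-policy mistake mentioned in point 2 can be checked mechanically. The following is an added example, not part of the original message or of any Debian package: `flush_window` is a hypothetical helper that reads a firewall script on stdin and reports every flush that would run while the INPUT policy is still ACCEPT, and both sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, constructed samples).
# Prints the line number of each filter-table flush that runs while the
# INPUT policy is ACCEPT, and returns 1 if any is found.
# Assumption: the script starts from the kernel default policy (ACCEPT).
flush_window() {
    awk '
        BEGIN { policy = "ACCEPT"; hits = 0 }
        { sub(/[ \t]*#.*/, "") }          # drop comments and the shebang
        !/iptables/ { next }
        {
            table = "filter"; flush = 0; newpol = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-t" || $i == "--table") table = $(i + 1)
                # a flush with no chain named, or naming INPUT
                if (($i == "-F" || $i == "--flush") &&
                    $(i + 1) ~ /^(-.*|INPUT)?$/) flush = 1
                if (($i == "-P" || $i == "--policy") && $(i + 1) == "INPUT")
                    newpol = $(i + 2)
            }
            if (table != "filter") next
            if (newpol != "") policy = newpol
            if (flush && policy == "ACCEPT") { print NR; hits++ }
        }
        END { exit (hits > 0) }
    '
}

# Constructed sample: flush first, policy last. Between line 2 and line 5
# the chain is empty and the policy is ACCEPT, so nothing is filtered.
sample_unsafe() {
    cat <<'EOF'
#!/bin/sh
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Constructed sample: policy first, then flush. OUTPUT stays ACCEPT and
# replies are allowed back in, so outbound browsing and mail keep working.
sample_safe() {
    cat <<'EOF'
#!/bin/sh
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}
```

Run it as `flush_window < your-firewall-script`; no output and exit status 0 mean no flush was found ahead of the INPUT policy change.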


