
Re: Debian as My home firewall/router



Having posted Reco's comments on an IPCop list, I got these comments:
 
Cheers,
 
Ron.
-- 
              One disk to rule them all, One disk to find them.
          One disk to bring them all and in the darkness grind them.
                In the Land of Redmond where the shadows lie.
                                         -- The Silicon Valley Tarot
                                    
                   -- http://www.olgiati-in-paraguay.org --
 

Hi Ron,

On Sun, 28 Feb 2016, Renaud (Ron) OLGIATI wrote:

> Would any IPCop guru care to comment ?  

I wouldn't call myself an IPCop guru, but (as you know) I've been using
it a while and occasionally I modify it and build my own versions of it.
I've sometimes had ten or a dozen IPCop firewalls active at once, but I
only run three or four at the moment.  They've all been installed more
than a decade.  Despite a large number of attacks, none has failed me.
I run one Smoothwall box, and I can say the same about it as about IPCop.
I'm not saying there's nothing better, but I'm not feeling the need to
rush out and find something better.

> Reco <.....@gmail.com> wrote:  

Well I guess you didn't mean me to comment on this, but my business
doesn't accept mail from gmail accounts.

>> 1) No meaningful DNSSEC capability.  

Neither, to my knowledge, has any UK bank, and none of my customers
has ever heard of it except from me.  My customers think that if my
tiny business uses DNSSEC but their bank doesn't, then I must be crazy.
(And one of my major suppliers has *two* SPF records, but I digress.)

There's no need for IPCop to do much more than route DNSSEC packets.
All my nameservers run DNSSEC and two of them are behind IPCop firewalls.
See also my reply to Reco's 4) below.

>> 2) Presence of libfontconfig.so *and* fonts for no good reason.  

I'm sure that there are bigger nits to pick than this one.

>> 3) Bunch of questionable quality root-owner SUID binaries in
>>  /usr/local/bin, intended to be called from Web-interface.  

To something as nebulous as this I can make no useful reply except
that (a) I very rarely use the IPCop Web interface, and (b) on my
IPCop boxes, nobody else on the planet ever uses the Web interface
(nor a shell).

>> 4) Lack of any pre-installed IDS.  

I think Reco's 2) above was intended to imply that features == security holes
and I would agree with that; so this seems like schizophrenia.

>> 5) Outdated kernel 3.4, configured *without* SELinux, Apparmor or tomoyo support.  

I'm still using kernel 2.4.36 without all that, and I'm quite
comfortable with things as they are.  I like to avoid the latest
and greatest (especially Debian latest and greatest, vide infra).

>> ... suggesting putting *this* to serve as a firewall from an Internet is a joke.  

Perhaps Reco will tell us how many IPCop boxes he's compromised, or
he's seen compromised, or heard rumours might have been compromised.

And given Reco's tone, I also wonder if he can remember this:

https://www.schneier.com/blog/archives/2008/05/random_number_b.html

after which I found several of my own Debian-generated private keys
published on the Internet.  Thankfully I was pro-active enough not
to suffer any compromise as a result, but it didn't have to be so.

David Christensen wrote:

> ... IPCop-specific issues raised on the debian-user mailing list.
> They would be most properly addressed on that list ...  

Perhaps, but I unsubscribed from all the Debian mailing lists except
security announcements years ago, as I found them extremely tedious
and riddled with spammers.  I run dozens of Debian boxes and one of
them is a mailserver which sports my own firewall rules.  However I
wouldn't dream of using Debian as a general purpose firewall/router.

-- 

73,
Ged.

