[nzlug] Firewall ruleset check...
Cliff Pratt
enkidu at cliffp.com
Wed May 14 23:02:14 NZST 2008
Steve Holdoway wrote:
> On Wed, 14 May 2008 19:05:26 +1200 Cliff Pratt <enkidu at cliffp.com>
> wrote:
>> Why re-invent the wheel when you can use someone else's expertise.
>
> <hobbyhorse> Because if you actually understand what you're doing,
> then you'll do a better job. I doubt that the iptables developers
> were intending to make their solution as difficult as possible to
> understand - I suggest that it was the exact opposite, and their
> solution is as simple as it could possibly be.
>
> These gui tools won't provide the flexibility of the underlying
> product, and relying on them can foster a lack of understanding of
> the problem and the tools available to solve it.
>
However, not understanding them properly can lead to mistakes that can
be fatal. I've used raw iptables (and ipfw for that matter) and I know
that Thomas Eastep knows far more than me and I'm willing to let him do
the hard stuff, while I do the bits around the outside. Shorewall, which
is the one that I favoured when I used them, merely generates the
tables. I'd rather not have to learn about bogons and martians when all
I want to do is NAT some traffic to a particular machine. I believe that
my hand crafted firewall would not be anywhere close to what Thomas
can generate for me.
But the tables are there after Shorewall has done its job, and I'd be
really surprised if anyone who has used Shorewall has *not* looked at what
Shorewall has created.
>
> I'm a fanatic believer in KISS, but in order to implement that
> approach, it's imperative that you have a good understanding of the
> technology involved. I do not equate the availability of a gui tool
> with that knowledge.
>
It needs to be good, yes, but none of us have time to be perfect at
everything. If I was a security expert only, then I'd build firewalls
myself and be sure that I'd clobbered the bogons and martians, but I
have to do six hundred other things by coffee time, so I use Shorewall.
>
> It's like the age old ( well in *nix terms ) question... what's the
> best programming language? C. Why? Because you can do anything with
> it. OK then, what's the worst programming language? C. Why? Because
> you can do anything with it. </hobbyhorse>
>
> So I say, keep on with your current approach, make loads of mistakes,
> understand what you did wrong, get it fixed, and only *then* use the
> shortcuts that make life much easier.
>
Mistakes are fine, but in security you cannot afford to make mistakes.
Thomas is far less likely to make security mistakes than I am. I'd
rather learn from him than make mistakes trying to emulate him.
>
> Sorry, but after pushing 25 years of looking after computers, I see
> the same basic mistakes made time and time again, and usually because
> corners have been cut in this way. I'm sure you've seen the same,
> being at least as old as me!
>
> IMO, the hard yards need to be travelled (:
>
Yes, I agree with this. The true skill is choosing which corners to cut
and which corners to square off!
Speaking of security I once wrote some code to subvert the mainframe
security system 'acf2'. It was trivial really, since in MVS it was easy
to acquire system level rights if you knew how. There's a clue as to how
old I am!!
Cheers,
Cliff
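The thread above contrasts hand-written iptables with a generator such as Shorewall that "merely generates the tables", and mentions dropping bogons and martians while NATing some traffic to a particular machine. The following is an added example, not code from the thread, from Shorewall or from its author: a tiny POSIX shell generator in the same spirit, which emits an iptables-restore ruleset as text (it never touches the running firewall) and then checks the text for the two mistakes a reviewer most often finds in a hand-crafted ruleset, a missing martian drop and a DNAT whose forwarded traffic is still eaten by the default DROP policy. Interface names, networks and the target host are constructed placeholders, and the martian list is the usual RFC 1918, loopback, link-local, multicast and 0/8 prefixes.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): a minimal
# "generate the tables, then read them" firewall builder. It only prints
# an iptables-restore ruleset; loading it is a separate, deliberate step.

WAN_IF="${WAN_IF:-eth0}"                 # assumption: Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                 # assumption: LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed LAN prefix
DNAT_HOST="${DNAT_HOST:-192.168.1.10}"   # constructed host that receives the NATed traffic
DNAT_PORT="${DNAT_PORT:-80}"             # constructed service port

# Martian / bogon source prefixes that must never arrive on the WAN side.
martian_nets() {
    printf '%s\n' 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
        172.16.0.0/12 192.168.0.0/16 224.0.0.0/4
}

# One DROP in INPUT and one in FORWARD per martian prefix on the WAN interface.
martian_rules() {
    martian_nets | while read -r net; do
        printf -- '-A INPUT -i %s -s %s -j DROP\n' "$WAN_IF" "$net"
        printf -- '-A FORWARD -i %s -s %s -j DROP\n' "$WAN_IF" "$net"
    done
}

# The complete ruleset in iptables-restore format: nat table first
# (DNAT to one machine, masquerade the LAN), then a default-deny filter table.
generate_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport $DNAT_PORT -j DNAT --to-destination $DNAT_HOST:$DNAT_PORT
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$(martian_rules)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $DNAT_HOST -p tcp --dport $DNAT_PORT -j ACCEPT
COMMIT
EOF
}

# Review checks run over the generated text before it goes anywhere near
# iptables-restore. Returns 0 when every check passes, 1 otherwise.
check_ruleset() {
    rs=$(generate_ruleset)
    # 1. every martian prefix is dropped on the WAN interface
    for net in $(martian_nets); do
        printf '%s\n' "$rs" | grep -q -- "-A INPUT -i $WAN_IF -s $net -j DROP" || return 1
    done
    # 2. the DNAT target has a matching FORWARD accept; without it the
    #    default DROP policy silently discards the translated packets
    printf '%s\n' "$rs" | grep -q -- \
        "-A FORWARD -i $WAN_IF -o $LAN_IF -d $DNAT_HOST -p tcp --dport $DNAT_PORT -j ACCEPT" || return 1
    # 3. INPUT and FORWARD really are default-deny
    printf '%s\n' "$rs" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rs" | grep -q '^:FORWARD DROP' || return 1
    return 0
}

# Stand-alone use: print the ruleset so it can be read and diffed.
generate_ruleset
```

Typical use is `sh gen.sh > rules.v4`, read the file, then `iptables-restore < rules.v4` on a host where you have console access in case the default DROP policies lock you out. One caveat the martian list carries: if the WAN side of the box is itself on an RFC 1918 address (behind a provider's NAT), the 10/8, 172.16/12 or 192.168/16 drops will block the upstream gateway and must be narrowed to the prefixes that are genuinely foreign to that link.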