discuss: Firewall-HOWTO
Subject: Re: Firewall-HOWTO
From: "Rodolfo J. Paiz" ####@####.####
Date: 15 Nov 2003 23:14:35 -0000
Message-Id: <6.0.0.22.0.20031115165727.024c9a98@mail.simpaticus.com>
At 16:38 11/15/2003, rahul wrote:
> > > May I suggest that firewalls become ever more important in today's
> > > Internet, and that this is a document which merits swift and thorough
> > > review/update given its relevance to practically everyone?
>
> Rusty Russell wrote a HOWTO on iptables hosted at TLDP now. Maybe a reference
> to that including netfilter.org docs would be enough. Why reinvent the wheel?
Rahul, I appreciate your point of view and I've quickly learned to respect
your opinion, but...
<rant>
There is a world of difference between "reinventing the wheel" and
"standing on the shoulders of giants." Why should every user have to learn
iptables syntax?
First off, a useful firewall is _not_ just iptables. A useful firewall
requires some guidance, eliminating useless services, locking down other
applications, setting up logging, restricting access via ssh and eliminating
insecure methods like rsh, telnet, etc. and probably some additional
applications like portsentry. Setting up a box and setting up iptables will
only provide a false sense of security when some idiot's box is cracked
because they telnetted in and got their password sniffed.
Furthermore, most (>95%) of users don't need to read an entire book on
iptables to set up their home/SOHO/office firewall boxen. This is one of
the MAJOR reasons why more people don't use Linux, IMHO: the need to become
a network/kernel/compilation/whatever engineer and earn three doctorates by
reading 1700 pages worth of documentation. The average user needs a tool
like Shorewall (many other tools too, I'm sure) if they want a 15-minute
setup of their iptables rules, or just to copy six lines straight from a
document at worst.
It's wonderful that iptables is so complex and powerful, but I am (by the
standards of the proletariat) an EXTREMELY technically-skilled user and
even I don't give a rat's behind how to write an iptables rule... I want to
get work done! I did read Ziegler's book from cover to cover when setting
up ipchains and still recall thinking it was a colossal waste of my time to
read 500 pages so I could (a) allow Internet access for my 10 computers
through the firewall and (b) allow SSH, NTP, and HTTP in... clearly a
3-minute task for an expert.
Finding Shorewall when I moved to iptables (and never saw a raw rule again)
was a godsend, and EVERY HUMAN BEING who needs a firewall should be told
that such tools exist and be provided with one. Whoever wants to learn
iptables, can do so... more power to them. I promise you that most of us do
not want to do so, and being forced to do so because the documentation
never taught us the existence of labor-saving software is just a crying shame.
</rant>
In conclusion, I do not believe that pointing users to Rusty's book is a
satisfactory alternative. I believe that we sorely need something written
for mortals, which gives us two or three easy and functional ways to do
things and then points us to more in-depth documentation should we feel the
urge to explore it. Normal people (i.e. non-technical users) don't even
care what OS is _on_ their firewall... they just want it to work well with
a minimum of effort so they can go back to being doctors, or builders, or
software developers, or stay-at-home moms.
I intend to write such documentation, NEVER pretending to offer a thorough
exploration of a topic but rather a concise, practical, step-by-step HOWTO
that works and offers comments on alternatives and options. The user can
then either take my way, or use the "further references" in each section to
explore anything in greater depth or with other tools. But _I_ never want
to have to read 500 pages to set up a firewall again... why should anyone else?
Just had to get that off my chest. <smile>
Cheers,
--
Rodolfo J. Paiz
####@####.####
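The two requirements Rodolfo names above, Internet access for the LAN through the firewall and SSH, NTP and HTTP allowed in, written out as a plain iptables script with rate-limited logging of dropped packets. This is an added example, not code from the original post or from Shorewall; the interface names and the LAN prefix are assumptions to be adjusted for the box in question.

```shell
#!/bin/sh
# Added example: minimal iptables rule set for a SOHO firewall box.
# Assumptions (not from the original post): eth0 faces the Internet,
# eth1 faces the LAN, and the LAN hosts live in 192.168.1.0/24.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the rules rather than applying them directly, so the set can be
# reviewed (or checked in a test) before it is fed to a root shell.
gen_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 123 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Apply the generated rules; must run as root on the firewall box.
apply_rules() {
    gen_rules | sh -e
}

# "show" prints the rules for review, "apply" installs them.
case "${1:-}" in
    show)  gen_rules ;;
    apply) apply_rules ;;
esac
```

Everything not explicitly accepted from the Internet side is dropped by the default policy and, up to five times a minute, logged with the "fw-drop: " prefix so the log can be read without being flooded.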