Re: Create a canned 'Firewall Build' or RFHH
I agree with you 100%.
You are missing my point.

"Canned Firewall" by its very definition means a "pre-existing"
firewall. No one is against a GUI interface that might even ask
you intelligent questions on how you want to build your firewall.
But to build something that people just ./build_superduper_firewall.sh
is NOT secure.

Even with a GUI app you would need to understand WHAT you are doing.

Besides, be realistic: should you be setting up a "non-trivial" firewall
if you don't understand the OS/firewalling?

Who is more irresponsible (in terms of security)? The person who wants
to build a firewall without knowledge, or the one who enables him to do
so?

Also, this is the misc list and is supposed to be here to help newbies...
If a newbie asks "I want to set up a firewall but don't know where to start,
can someone help me?" they ALWAYS get help.

This is an annoying/ongoing request for the OpenBSD coders (or someone as
good as them) to build an add-on piece of software that allows you to build
a firewall with no real knowledge of what is going on.

I agree with the simplicity factor. But as Theo said, "The internet is
complicated", "firewalling is not easy."

Besides, OpenBSD is written by BSD coders for themselves. They just happen
to be nice enough to release the code. They don't need a GUI helper to help
them vi /etc/pf.conf and /etc/nat.conf, so they probably won't code one.

If you mean something different than "canned firewall", then call it that.
Jatin Nansi wrote:
> On Tuesday 26 February 2002 04:07, Don Cooley wrote:
>
> > Running a firewall without KNOWING what it is doing flies in the face of
> > "security". How can you be "secure" if you have no idea what is going
> > on?
>
> I don't think anyone should configure a firewall without
> knowing what is happening. But if you have an interface
> that makes the task of building and ordering of rules simpler,
> it makes a whale of a difference. The least that it does is that
> it is less error prone than using vi and writing rules (especially
> since any non-trivial firewall would not be having less than a
> couple of 100 rules).
>
> Jatin
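Both sides of this exchange touch the same point: rule ordering in pf.conf is where a firewall author who does not understand the evaluation model gets burned. The script below is an added illustration, not code from the thread or from OpenBSD. It is a tiny evaluator for a hand-picked subset of pf.conf syntax that mimics pf's matching semantics (rules are evaluated top to bottom, the last matching rule decides, and a matching rule marked `quick` ends evaluation immediately). The three rule sets, the addresses and the packets are constructed for the example; the subset parser (`parse_rule`, `load_ruleset`, `evaluate`) is mine and is not a real pf parser.

```python
# Added example (not from the mailing-list thread): a toy evaluator that
# mimics pf's rule-matching semantics to show why rule ORDER matters.
# pf evaluates rules top to bottom; the LAST matching rule decides, unless
# a matching rule carries "quick", which stops evaluation on the spot.
# Rule sets, addresses and packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port, None = any
    quick: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def parse_rule(line):
    """Parse a small subset of pf.conf syntax (hypothetical, not real pf parsing):
       <pass|block> <in|out> [quick] [all] [proto P] [from SRC] [to DST] [port N]
    """
    toks = line.split()
    action, direction = toks[0], toks[1]
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line!r}")
    quick, proto, src, dst, dport = False, "any", "any", "any", None
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            quick = True; i += 1
        elif t == "all":
            i += 1
        elif t == "proto":
            proto = toks[i + 1]; i += 2
        elif t == "from":
            src = toks[i + 1]; i += 2
        elif t == "to":
            dst = toks[i + 1]; i += 2
        elif t == "port":
            dport = int(toks[i + 1]); i += 2
        else:
            raise ValueError(f"unexpected token {t!r} in {line!r}")
    return Rule(action, direction, proto, src, dst, dport, quick)


def load_ruleset(text):
    """Turn a block of rule lines into Rule objects, skipping blanks and comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def _net_match(net, addr):
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt, default="pass"):
    """Return (action, index of the deciding rule); index is None if nothing matched.
    Like pf, a packet that matches no rule is passed by default."""
    decision, idx = default, None
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision, idx = rule.action, i
            if rule.quick:       # "quick": stop here, later rules are not consulted
                break
    return decision, idx


# Ruleset A: default deny first, then the SSH exception for the admin net.
RULESET_A = """
block in all
pass in proto tcp from 10.0.0.0/24 to any port 22
"""
# Ruleset B: the same two rules reversed. Because the LAST matching rule wins,
# the trailing "block in all" silently overrides the SSH exception.
RULESET_B = """
pass in proto tcp from 10.0.0.0/24 to any port 22
block in all
"""
# Ruleset C: "quick" on the pass rule ends evaluation, so this order works.
RULESET_C = """
pass in quick proto tcp from 10.0.0.0/24 to any port 22
block in all
"""

ADMIN_SSH = Packet("in", "tcp", "10.0.0.5", "192.0.2.1", 22)        # constructed
STRANGER_SSH = Packet("in", "tcp", "198.51.100.7", "192.0.2.1", 22)  # constructed


def decide(ruleset_text, pkt):
    return evaluate(load_ruleset(ruleset_text), pkt)[0]


if __name__ == "__main__":
    for name, rs in (("A", RULESET_A), ("B", RULESET_B), ("C", RULESET_C)):
        print(f"ruleset {name}: admin ssh -> {decide(rs, ADMIN_SSH)},"
              f" stranger ssh -> {decide(rs, STRANGER_SSH)}")
```

Ruleset B is the classic mistake: every rule is individually correct, but the order locks the administrator out. Whether the rules come from vi or from a GUI, the person writing them has to know that pf takes the last match and that `quick` changes that, which is the knowledge the thread is arguing about.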