Re: [suse-security] TIS FWTK
If you are going to take the time to use the built in firewalling code in linux why would you use a frontend to the program to modify the rules? Ipchains is *easy* to use.

-miah

On Fri, Dec 08, 2000 at 11:31:44AM -0500, Fred A. Miller wrote:
> jjohnson@penguincomputing.com wrote:
> > TIS FWTK is a complete waste of time.
>
> PMFirewall is VERY easy to use, and so far as I know, works on ALL "flavors" of Linux.
>
> Fred
>
> --
> Fred A. Miller
> Systems Administrator
> Cornell Univ. Press Services
> fm@cupserv.org
Hi.

On Fri, 8 Dec 2000 jjohnson@penguincomputing.com wrote:

> If you are going to take the time to use the built in firewalling code in linux why would you use a frontend to the program to modify the rules? Ipchains is *easy* to use.
>
> -miah

Yes, but TIS FWTK (and its commercial successor Gauntlet) and Linux IPFWADM/IPCHAINS/NetFilter are fundamentally different things:

FWTK provides proxy servers (nothing passes the firewall without being checked on layer 5/6/7), so you could filter based on content and whatnot (I don't know if FWTK itself does that; due to the availability of better proxy servers like dnsserver, smtpd, squid etc. I didn't bother to look at it in depth).

Linux IPFWADM/IPCHAINS/NetFilter is only a packet filter, checking on layer 3/4 (IP/TCP/UDP/ICMP). Add to that that the former two (under Linux 2.0/2.2) only have static checking available, whereas the much better NetFilter code with dynamic (stateful) inspection is not yet ready for prime time, since it's based on a developmental kernel which is not recommendable for something as sensitive as a firewall.

Hope that clears up some (mis-)conceptions.

Greetings
olli
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
--
Oliver Hensel
http://www.ohensel.de/ Training + Consulting Unix - Linux - Firewalls - Security
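To make the packet-filter half of Oliver's explanation concrete, here is an added toy simulation; it is not code from the thread, from FWTK or from ipchains. It contrasts a static layer-3/4 filter (ipchains style, no memory between packets) with a stateful one, using DNS over UDP as the protocol. The inside network 10.0.0.0/24, the sample packets and the class names `StatelessFilter` and `StatefulFilter` are all constructed for this example.

```python
"""Static vs. stateful packet filtering, as a toy simulation (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed for this example: the "inside" network the filter protects.
LAN = ipaddress.ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    """The layer-3/4 fields a packet filter can see: protocol and the 4-tuple."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def outbound(self) -> bool:
        return ipaddress.ip_address(self.src) in LAN


class StatelessFilter:
    """Static rules in the ipchains style: every packet is judged on its own."""

    def allow(self, p: Packet) -> bool:
        # Outbound DNS queries from the LAN are fine.
        if p.outbound and p.proto == "udp" and p.dport == 53:
            return True
        # To let the answers back in, a static rule has to accept *any*
        # inbound UDP from source port 53 to a high port. It cannot tell a
        # reply apart from an unsolicited packet that merely uses source port 53.
        if not p.outbound and p.proto == "udp" and p.sport == 53 and p.dport >= 1024:
            return True
        return False


class StatefulFilter:
    """Same policy, but with a connection table: inbound UDP is accepted only
    if it answers a query the filter saw leaving."""

    def __init__(self) -> None:
        self.flows = set()  # (proto, src, sport, dst, dport) of outbound queries

    def allow(self, p: Packet) -> bool:
        if p.outbound and p.proto == "udp" and p.dport == 53:
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        if not p.outbound:
            # An answer carries the query's addresses and ports swapped.
            return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows
        return False


# Constructed sample traffic: a query, its genuine reply, and an inbound
# packet from an unrelated host that merely uses source port 53.
SAMPLE = [
    Packet("udp", "10.0.0.5", 40000, "192.0.2.53", 53),
    Packet("udp", "192.0.2.53", 53, "10.0.0.5", 40000),
    Packet("udp", "198.51.100.7", 53, "10.0.0.5", 40000),
]


def evaluate(fw, packets):
    """Run packets through a filter in order and return the verdicts."""
    return [fw.allow(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", evaluate(StatelessFilter(), SAMPLE))  # [True, True, True]
    print("stateful: ", evaluate(StatefulFilter(), SAMPLE))   # [True, True, False]
```

The third packet is the whole point: the static ruleset must let it through because it looks exactly like a DNS answer at layer 3/4, while the stateful filter rejects it because no query to that host ever left. Neither filter looks at the DNS payload, which is where a proxy such as the ones FWTK ships would do its checking.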
And if you read the list, you will realize that I was referencing PMfirewall, which is a frontend to ipchains.

Thanks
-miah

On Sat, Dec 09, 2000 at 12:07:25AM +0100, Oliver Hensel wrote:
> Yes, but TIS FWTK (and its commercial successor Gauntlet) and Linux IPFWADM/IPCHAINS/NetFilter are fundamentally different things:
>
> FWTK provides proxy servers (nothing passes the firewall without being checked on layer 5/6/7), so you could filter based on content and whatnot (don't know if FWTK itself does that, due to availability of better proxy servers like dnsserver, smtpd, squid etc I didn't bother to look at it in depth)
>
> Linux IPFWADM/IPCHAINS/NetFilter is only a packet filter, checking on layer 3/4 (IP/TCP/UDP/ICMP). Add to that that the former two (under Linux 2.0/2.2) only have static checking available, whereas the much better NetFilter code with dynamic (stateful) inspection is not yet ready for prime time, since it's based on a developmental kernel which is not recommendable for something as sensitive as a firewall.
>
> Hope that clears up some (mis-)conceptions.
Hi

On Fri, 8 Dec 2000 jjohnson@penguincomputing.com wrote:

> And if you read the list, you will realize that I was referencing PMfirewall, which is a frontend to ipchains.

True, but IPCHAINS is *not* (just like PMfirewall, SINUS, gfcc, and all those other front ends) an alternative to FWTK or any other proxy-based and/or stateful firewall. IPCHAINS can perfectly well act as part of a complete firewall solution, but many other routers (every "enterprise" strength router) have a built-in packet filter with much higher performance and more reliability (no moving parts!).

My posting was not only directed at your suggestion; in fact I agree with you pretty much. I just wanted to point out that IPCHAINS has not at all the functionality you get from proxy servers.

Greetings
olli
--
Oliver Hensel
http://www.ohensel.de/ Training + Consulting Unix - Linux - Firewalls - Security
You fail to see my point. PMfirewall is just a gui frontend to ipchains. And to get the terminology straight, see http://freshmeat.net/projects/pmfirewall/?highlight=pmfirewall

"PMFirewall is an Ipchains Firewall and Masquerading Configuration Utility for Linux. It is designed to allow a beginner to build a custom firewall with little or no ipchains experience. This firewall should work for most Workstations, Servers, and Dual NIC routers using either a dialup, DSL, Cable, or LAN setup. It is restrictive to outside attacks while still being as transparent as possible to those inside."

bleh

-miah

On Sat, Dec 09, 2000 at 12:48:59AM +0100, Oliver Hensel wrote:
> True, but IPCHAINS it is *not* (just like PMfirewall, SINUS, gfcc, and all those other front ends) an alternative to FWTK or any other proxy-based and/or stateful firewall. IPCHAINS can perfectly act as part of a complete firewall solution, but many other routers (every "enterprise" strength router) has a built-in packetfilter with much higher performance and more reliability (no moving parts!).
>
> My posting was not only directed at your suggestion, in fact I agree with you pretty much. I just wanted to point out that IPCHAINS has not at all the functionality you get from proxy servers.
On Fri, 8 Dec 2000 jjohnson@penguincomputing.com wrote:

> You fail to see my point.

No, you do :-) Let's talk about different things back and forth. I know what you mean; I don't like graphical frontends for ipchains myself.

Greetings
olli
--
Oliver Hensel
http://www.ohensel.de/ Training + Consulting Unix - Linux - Firewalls - Security
Hi,

-- snip -- snip --

> If you are going to take the time to use the built in firewalling code in linux why would you use a frontend to the program to modify the rules? Ipchains is *easy* to use.

> Yes, but TIS FWTK (and its commercial successor Gauntlet) and Linux IPFWADM/IPCHAINS/NetFilter are fundamentally different things:
Scary how a large part of the suse security list seems to be in charge of organization security without being able to see the fundamental difference between packet filtering and proxying; even after clear explanation.

Another silly issue on this list was the tamper-ability of MD5 hash values (nothing wrong with the question as such though) and its required replacement for intrusion detection. Until finally somebody pointed out where the real vulnerability was: just forge the report.

I was just wondering why the focus of this list is so much on "code" and so little on how to use it for a specific organization. Most unix hosts that have a reasonable administrator are most likely more secure against DOS than the telco router that connects them to the WEB. Most security incidents are from within organizations. Most logs are never looked at and incidents seldom reported. A short and simple password is still better than one under the keyboard. Locking the car is little use if you leave the camera in plain sight :)

Also there's nothing wrong in discussing interface add-ons for ipchains etc. But sometimes the discussion misses that such things can only improve your understanding or help you use your time efficiently. They inherently do nothing else to improve security. I personally prefer tools that help visualize the result of complex configurations and logs instead of separating me from the real issue at hand.

Generally speaking, there is a shortcoming to easy-to-use systems. They inherently hide some of the complexity you actually should be facing. Also a simple external interface (or extreme flexibility requirements) usually implies high internal complexity. And that of course provides more places where things could fail. If you want security, go for simplicity. And yes, the FWTK is lovely simple (within its context).

One final remark. Moderation is a good thing, but please don't just do it to ban things. A simple classification with some tags like [basic] [home networks] [small organization] [large organization] [theory] [usage] or something like it would be of much more added value. With that I can play with some easy questions if I'm really bored and tired :) Oh, I do consider a question of somebody who wants to protect 'pictures' reasonable.

Peter
On Sat, Dec 09, 2000 at 11:20 +0100, Peter van den Heuvel wrote:
> One final remark. Moderation is a good thing, but please don't just do it to ban things. A simple classification with some tags like [basic] [home networks] [small organization] [large organization] [theory] [usage] or something like it would be of much more added value.
NO, PLEASE DON'T!

Sorry to shout out this loud, but I really feel strongly about this. The "[suse-security]" subject mangling is already bad enough when your message (it's just what I had a look at right now) has 9 - in words: nine - hooks to recognize it's a suse-security article. Go visit the archive and see how easily this one is broken and doubled, tripled, ... (the catchword is RFC2047, I guess -- or better put, ignoring it).

I consider this bloat and harmful since it only eats up space for no added information -- on the contrary, it even *hides* the really important part: look at your mail folder with all the "[suse-security] SuSE Security Announcement: $PACKAGE" messages in it. You still have to open them all to learn what they are about, since the actual info starts at character position 45 and way off screen. :( And now imagine you get them via -announce ...

I really *hate* this mangling and understand it's just done to hold the hands of the poorly equipped in terms of functional mail handling software. I consider it a dumbed-down approach. Let the subscribers be free to categorize and mangle the messages by themselves, but don't cripple the messages for those who want to get them the way they're written! Crippling things and having the users decripple them back is not what I would call efficient, either.

As for the categories: Who should tack them on the message? And how long do they fit the message content? (Think of how long "long message" or "Question" suits, for instance. That's why they are misplaced in a subject and belong in the message's top at maximum.) A subject simply describing what the message is about would suffice - and is what the subject is meant for at first.

Email might be an old mechanism in comparison to other computer stuff, but it definitely has the mechanisms for being efficient. If only people would demand more functional software than just good looking or "easy to use" (how long? especially after learning and growing) one. And if only they would use given and existing mechanisms instead of pushing things to where they don't work any longer.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
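The doubling and tripling Gerhard describes comes from taggers that look at the raw Subject: header and never decode it: a tag hidden inside an RFC 2047 encoded word is invisible to them, so they add another. The following is an added example, not list software from SuSE or code from anyone in the thread, showing a tagger that decodes first, strips every existing copy of the tag and then puts exactly one in front, so applying it twice changes nothing. The sample subjects are constructed; `tag_subject`, `decode_subject` and `encode_subject` are hypothetical names.

```python
"""Idempotent list tagging that honours RFC 2047 encoded words (added example)."""
import re
from email.header import Header, decode_header, make_header

TAG = "[suse-security]"  # the list tag discussed in the thread


def decode_subject(raw: str) -> str:
    """Turn a raw Subject: value, encoded words included, into plain text.

    Whitespace is normalised because Header joins chunks of different
    charsets with an extra space.
    """
    return " ".join(str(make_header(decode_header(raw))).split())


def tag_subject(raw: str, tag: str = TAG) -> str:
    """Return the decoded subject with exactly one copy of `tag` in front.

    Decoding before looking for the tag is what prevents the doubling: a
    tagger working on the raw header cannot see a tag that sits inside an
    encoded word (or behind a "Re: ") and happily adds another one.
    """
    text = decode_subject(raw)
    text = re.sub(re.escape(tag), "", text, flags=re.IGNORECASE)
    text = " ".join(text.split())
    return f"{tag} {text}".strip()


def encode_subject(text: str) -> str:
    """Re-encode for the wire; Header switches to utf-8 only if needed."""
    return Header(text).encode()


if __name__ == "__main__":
    # Constructed sample: a reply whose subject already carries the tag and
    # an encoded word. Tagging it again must not add a second tag.
    raw = "Re: [suse-security] =?iso-8859-1?q?Gr=FC=DFe?="
    once = tag_subject(raw)
    twice = tag_subject(encode_subject(once))
    print(once)            # [suse-security] Re: Grüße
    print(twice == once)   # True
```

The same decode-first rule is what Gerhard's "don't fiddle with user supplied fields" amounts to in code: whatever the list does to the header, it has to understand the header's encoding before touching it, or it will corrupt what it cannot parse.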
On Sat, 9 Dec 2000, Gerhard Sittig wrote:

> this. The "[suse-security]" subject mangling is already bad

What about just an option for the mailing list subscriber to set or unset the "[suse-security]" tag?!

Peter
--
Peter Münster
GMV - Université de Rennes 1
Campus de Beaulieu - Bât. 11B
35042 Rennes Cedex
Tel : +33/0 - 2 99 28 67 51
Fax : +33/0 - 2 99 28 16 74
http://w3pm.stormloader.com/
On Sun, Dec 10, 2000 at 18:07 +0100, Peter Münster wrote:

> On Sat, 9 Dec 2000, Gerhard Sittig wrote:
> > this. The "[suse-security]" subject mangling is already bad
>
> What about just an option for the mailing list subscriber to set or unset the "[suse-security]" tag?!

I consider this undoable. The list owner would have to split every list into two, one with the mangling and one without it, and subscribers would have the chance to choose which one they want to receive. No sane admin would like to go that route, I guess.

It could all be as simple as "Don't fiddle with user supplied or user owned fields" -- does anyone remember the former Reply-To: accidents? But that would be too easy, it seems.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
From: "Peter van den Heuvel"

> Another silly issue on this list was the tamper-ability of MD5 hash values (nothing wrong with the question as such though) and its required replacement for intrusion detection. Until finally somebody pointed out where the real vulnerability was: just forge the report. I was just wondering why the focus of this list is so much on "code" and so little on how to use it for a specific organization. Most unix hosts that have a reasonable administrator are most likely more secure against DOS than the telco router that connects them to the WEB. Most security

Pbbbbbbth. Lemme put it this way: a friend of mine was auditing a major telco; as he put it, "worst case scenario, I'd have to just start hammering on their suns if I'm desperate to get in". Well, it took him about two weeks but he got their main database servers (work orders, customer records, CC's, etc). He also felt they had pretty good security. Of all the "legit" penetration teams/people I know, no-one has ever failed to get in.

As for MD5, it's like a lot of crypto problems: in theory, right now. But in theory DES would take FOREVER to crack, well, until the EFF built Deep Crack on a shoestring budget...... Same story with MD5. Why use it when you have SHA1? Tripwire et al. moved to SHA1.

> Also there's nothing wrong in discussing interface add-ons for ipchains etc. But sometimes the discussion misses that such things can only improve your understanding or help you use your time efficiently. They inherently do nothing else to improve security. I personally prefer tools that help visualize the result of complex configurations and logs instead of separating me from the real issue at hand.

IPCHAINS sucks. It's not stateful. Try doing proper firewalling for DNS/FTP.

> One final remark. Moderation is a good thing, but please don't just do it to ban things. A simple classification with some tags like [basic] [home networks] [small organization] [large organization] [theory] [usage] or something like it would be of much more added value. With that I can play with some easy questions if I'm really bored and tired :) Oh, I do consider a question of somebody who wants to protect 'pictures' reasonable.

And you expect people to use the classification system properly/etc? Hah.

> Peter

Kurt Seifried, seifried@securityportal.com
SecurityPortal - your focal point for security on the 'net
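Kurt's remark that Tripwire moved off MD5, and Peter's earlier point that the real weakness was forging the report, can be shown together. The following is an added example, not code from Tripwire or from anyone in the thread: it builds a file baseline with a hash algorithm chosen by name (SHA-256 here; the thread's SHA-1 has had public collisions since 2017, so it is no longer a good choice either) and binds the report to an HMAC under a key that is assumed to be kept off the monitored host. The directory contents, file names and key are constructed for the example; `build_baseline`, `sign_report`, `verify_report` and `compare` are hypothetical names.

```python
"""File-integrity baseline with an authenticated report (added example)."""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in chunks; the algorithm is any name hashlib knows."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, algorithm: str = "sha256") -> dict:
    """Map every file under root (relative path) to its digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full, algorithm)
    return baseline


def sign_report(report: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON form of the report.

    Changing the stored digests to match tampered files is easy; producing
    a tag that still verifies is not, unless the key is also in hand.
    This is what makes "just forge the report" fail.
    """
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, "sha256").hexdigest()


def verify_report(report: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_report(report, key), tag)


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a verified baseline and a fresh scan."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> tuple:
    """Constructed scenario: baseline two files, change one, then try to hide
    the change by editing the report without the key."""
    key = b"constructed-demo-key; the real one belongs off the monitored host"
    with tempfile.TemporaryDirectory() as root:
        files = {"passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                 "sshd_config": b"PermitRootLogin no\n"}
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)
        tag = sign_report(baseline, key)

        with open(os.path.join(root, "sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin yes\n")
        current = build_baseline(root)
        diff = compare(baseline, current)

        # A report rewritten to match the new contents no longer verifies.
        forged = dict(baseline, sshd_config=current["sshd_config"])
        return diff, verify_report(baseline, tag, key), verify_report(forged, tag, key)


if __name__ == "__main__":
    diff, genuine_ok, forged_ok = demo()
    print(diff)                   # {'changed': ['sshd_config'], 'missing': [], 'added': []}
    print(genuine_ok, forged_ok)  # True False
```

The choice of digest only matters against someone who can craft a colliding file; the HMAC matters against the simpler attack Peter names, editing the report itself. Both are moot if the key or the baseline lives on the same host as the files being watched, which is why the check should run from read-only media or a separate machine.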
participants (6):
- Gerhard Sittig
- jjohnson@penguincomputing.com
- Kurt Seifried
- Oliver Hensel
- Peter Münster
- Peter van den Heuvel