> >  - Presentation.  What am I supposed to use to show management what rules
> > we have?  Write it out on paper each time?  Surely you can't expect an
> > upper-level manager to view ipfwadm source to figure out what the rules
> > are?
> 
> Having sold security services as a consultant, my experience has been
> that showing management *anything* this technical tends to result in
> their eyes glazing over. They have NO hope of understanding this stuff
> unless they have more than a passing knowledge of TCP/IP. So I really
> don't see this as any argument.

Well, I think all but the most high level management (and perhaps even
high-level management) would understand something like:

Src IP          Dst IP          Service         Time              Host
-----------------------------------------------------------------------
CompanyX        WWWHost         HTTP            Mon-Sun         FWHostA

Should be explanatory enough.  That is the type of information I was
looking for.

> This is a huge issue. My approach was to turn each firewall rule into
> a checking rule...but that presents problems as a bug in ipfwadm that
> sets up a rule wrongly could return a check wrongly too...

True, it is a big issue, and only goes to prove how difficult it would be
to train three or four firewall managers to use the program, unless they
had unix/shell knowledge previously.

> On the ICMP issue you mention, ipfwadm and the Linux kernel firewall
> capability would leave ICMP blocked - as the first matching rule
> in the list is ALWAYS applied to a packet. This is why ordering the
> rules from the least specific to the most is so important in ipfwadm
> firewalls.

That's true, and some of that is basic firewall building skills.  Always
put `drop' as the last rule that applies to all src and dst, for example.

> All good points - and they exist in commercial products like
> Watchguard. Having this capability as a standard linux package would be
> great - but I don't see us writing it here at Red Hat in the near
> future.

And I'm sure one of the reasons for that is because it will either have to
be rewritten, or significantly modified for the next kernel version.  There
is also (now) a small market, and many other things to work on.  But it is
something that needs to be done before I can look my management in the
face, and claim we can use Linux to replace our firewall.

As well as replacing our web server.  You mentioned the apachecfg program
in a previous message.  While it is still pretty weak, it shows potential,
but how actively is it being developed?  Why not use the one the apache
group is working on, and apply your efforts there?

> Probably the best bet for this would be a linuxconf module for
> establishing, checking and managing/testing an ipfwadm firewall.

Yes, that's true, but are you going to support that?  The text-based
interface for linuxconf is ok, but the graphical one is kinda weak, and
the whole thing takes complete control of your system.

Have fun,
Dave
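The two technical points in this exchange, the management-readable rule table and the "first matching rule is always applied, so order matters and drop goes last" behaviour, can be shown in a few lines of Python. The following is an added example written for this page; it is not code from the thread, from ipfwadm or from Red Hat. The rule set, the hostnames (CompanyX, WWWHost, DMZ) and the addresses are constructed for illustration, and the helper names (`Rule`, `evaluate`, `covers`, `shadowed`, `management_table`) are hypothetical. It models ipfwadm-style first-match evaluation, reports rules that an earlier rule shadows (the way a broad deny placed too early silently blocks ICMP), and renders the rules as the kind of table the message asks for.

```python
"""First-match rule evaluation, shadowed-rule check and a management view.

Added example, not part of the original thread or of ipfwadm/Red Hat.
All rules, hostnames and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR; "0.0.0.0/0" means any source
    dst: str               # CIDR; "0.0.0.0/0" means any destination
    dport: Optional[int]   # None means any port (ICMP has no port)
    label: str             # hypothetical purpose text for the report

    def matches(self, proto, src, dst, dport=None):
        """True when a packet (proto, src, dst, dport) is selected by this rule."""
        if self.proto != "any" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules, proto, src, dst, dport=None):
    """First match wins, as in ipfwadm; return (action, rule index).

    A packet that matches nothing is denied, which is the "drop as the last
    rule that applies to all src and dst" convention made explicit."""
    for i, rule in enumerate(rules):
        if rule.matches(proto, src, dst, dport):
            return rule.action, i
    return "deny", None


def covers(broad, narrow):
    """True when every packet matched by `narrow` is also matched by `broad`."""
    proto_ok = broad.proto == "any" or broad.proto == narrow.proto
    src_ok = ip_network(narrow.src).subnet_of(ip_network(broad.src))
    dst_ok = ip_network(narrow.dst).subnet_of(ip_network(broad.dst))
    port_ok = broad.dport is None or broad.dport == narrow.dport
    return proto_ok and src_ok and dst_ok and port_ok


def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, rule in enumerate(rules)
            if any(covers(earlier, rule) for earlier in rules[:i])]


# Constructed hostnames for the report; real deployments would map from DNS/inventory.
NAMES = {"0.0.0.0/0": "Any", "198.51.100.0/24": "CompanyX",
         "192.0.2.10/32": "WWWHost", "192.0.2.0/24": "DMZ"}
PORT_NAMES = {("tcp", 80): "HTTP", ("tcp", 22): "SSH"}


def service(rule):
    """Human-readable service column: protocol/port names rather than numbers."""
    if rule.proto == "icmp":
        return "ICMP"
    if rule.proto == "any":
        return "Any"
    if rule.dport is None:
        return rule.proto.upper()
    return PORT_NAMES.get((rule.proto, rule.dport), f"{rule.proto.upper()}/{rule.dport}")


def management_table(rules, names=NAMES):
    """Render the rule list as a fixed-width table in the style the thread shows."""
    widths = (16, 16, 12, 8, 24)
    header = ("Src", "Dst", "Service", "Action", "Purpose")
    lines = ["".join(h.ljust(w) for h, w in zip(header, widths)), "-" * sum(widths)]
    for rule in rules:
        row = (names.get(rule.src, rule.src), names.get(rule.dst, rule.dst),
               service(rule), rule.action, rule.label)
        lines.append("".join(c.ljust(w) for c, w in zip(row, widths)).rstrip())
    return "\n".join(lines)


# Correct order: specific accepts first, catch-all deny last.
EXAMPLE_RULES = [
    Rule("accept", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80, "Public web server"),
    Rule("accept", "icmp", "198.51.100.0/24", "192.0.2.0/24", None, "Ping from CompanyX"),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None, "Default deny"),
]
# Same rules with the catch-all deny first: the ICMP rule is never reached.
MISORDERED = [EXAMPLE_RULES[2], EXAMPLE_RULES[0], EXAMPLE_RULES[1]]

if __name__ == "__main__":
    print(management_table(EXAMPLE_RULES))
    print(evaluate(EXAMPLE_RULES, "icmp", "198.51.100.5", "192.0.2.10"))
    print("shadowed rules in misordered set:", shadowed(MISORDERED))
```

Running `shadowed` over a rule list before loading it is the check a firewall manager without shell experience would most benefit from: a non-empty result means some rule is dead and the set will not do what the table says it does.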
