[sf-lug] interlopers continued

John Reilly jr at inconspicuous.org
Sat Jul 21 20:02:52 PDT 2007

Rick Moen wrote:
>> You could make up your own ruleset in iptables, and I definitely 
>> recommend it for learning, but for completeness and ease of use you 
>> could use a number of packages that are available.  Personally I like 
>> shorewall (although it's probably not the easiest to use at first).
> BTW, next issue of _Linux Gazette_, due out on August 1st, will include
> a lengthy article about setting up a home server, including Shorewall 
> configuration.  I know this because I just copy-edited it.  ;->
> A "first line of defence" is not what I'd call IP/port filtering.  More
> like "Compulsive gadget-freakery by people who can't be bothered to 
> address their real vulnerabilities at their source, but rather prefer to
> try to paper those over at the network or host border."
Doctors differ and patients die!
> About one time in a million, I find someone who actually bothers to
> write such filters based on a proper security policy that rationally
> considers threat models.  The rest of the time, it's just a case of
> blindly trying to deal blanket-fashion with software security problems
> by adding more layers of software -- which, as anyone who's read
> Cheswick and Bellovin's book will tell you, is the exact opposite of the
> right approach.
> If you disagree, let's discuss the specific example of my server,
> linuxmafia.com ....

Yes, I've read the Wily Hacker (years ago) and I agree that software
should be written & configured so that it is secure.  A filtering
firewall just gives you an extra line of defense.  I like to have both -
defense in depth.  You obviously don't.  It's up to each person to decide
what's right for their systems.

> So, please tell me what I would gain by adding something to the iptables
> ruleset, that doesn't lose more by the inherent reduction in system
> transparency caused by more-complex operation, and by running the risk of
> interfering in legitimate usage.  I'm interested in hearing what you 
> think would be an improvement.
I'm not going to tell you how to run your system, since you obviously
know how, but not everyone's system is the same.  Many people can
benefit from filtering.  It's obviously not for you - great!
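A policy-driven host ruleset of the kind the thread argues about (explicit service list, default deny, stateful allow), as an added example and not code from either poster; the service list, the interface name and the dry-run helper are assumptions so the rules can be reviewed before they touch a host.

```shell
#!/bin/sh
# Added example (not from the thread): derive an INPUT ruleset from an explicit
# service policy rather than ad-hoc rules. Assumes IPv4 iptables with conntrack.

# Policy: one "proto:port" per entry for the services this host actually runs.
# (Constructed sample values for a hypothetical ssh/mail/web host.)
POLICY="tcp:22 tcp:25 tcp:80 tcp:443"
WAN_IF="eth0"   # assumed external interface name

# In dry-run mode (the default here) the commands are printed for review
# instead of applied, so the ruleset can be checked against the policy first.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Clean INPUT chain with a default-deny policy.
    ipt -P INPUT DROP
    ipt -F INPUT
    # Loopback and already-established flows are always legitimate traffic.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ICMP is needed for path-MTU discovery and basic diagnostics.
    ipt -A INPUT -p icmp -j ACCEPT
    # Exactly one ACCEPT per policy entry; nothing else reaches local daemons.
    for entry in $POLICY; do
        proto=${entry%%:*}
        port=${entry#*:}
        ipt -A INPUT -i "$WAN_IF" -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log what the default policy drops (rate-limited) so the policy can be revisited
    # when it turns out to interfere with legitimate use.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

# Number of per-service ACCEPT rules generated; should match the policy one-to-one.
count_accept_rules() {
    DRY_RUN=1 build_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}

DRY_RUN=1 build_rules
```

Run with DRY_RUN=0 as root only after the printed rules have been compared against the intended policy.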

