[sf-lug] Cheswick and Bellovin's book
rick at linuxmafia.com
Thu Aug 16 16:11:48 PDT 2007
Quoting Alex Kleider (a_kleider at yahoo.com):
> Cheswick and Bellovin's book
> On Rick's recommendation I ordered, have received and am more than
> 1/3rd through the book although it's getting more difficult to follow
> the more I get into it.
> Rick, perhaps you'd be willing to comment on something that puzzles me:
> They seem to use the term "gateway" in a sense different than I have
> understood it.
Um, as mentioned, I don't _own_ the second edition (the one you bought),
only the first edition.
I'm also far from home, at the moment, so I cannot consult my paper
copy. Fortunately, there _is_ the online text of the first edition.
> I thought it meant a machine that had at least two
> interfaces, and connected networks. They have single interface hosts
> serving as gateways in many of their topology diagrams.
> They use the definition: ".. provides relay services to compensate for
> the effects of the filter."
> Can you suggest a source that might clarify this for me a little?
> (I enjoy their no nonsense but still good natured writing style.)
Well, it might have helped if you'd either quoted the surrounding
context or _at least_ told me where to look, in the book in question.
/me attempts to look in the first-edition text.
Argh! PDF. *grumble*
In the first-edition text, which one would logically expect your
second-edition text to follow pretty closely, section II, "Build Your
Own Firewall", commences with chapter 3, "Firewall Gateways". This is a
different sense of the term "gateway" from what you refer to. The
latter, _your_ familiar sense of the term, is what /sbin/route uses, and
is merely a synonym for "default route":
$ /sbin/route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
22.214.171.124 0.0.0.0 255.255.255.248 U 0 0 0 eth1
0.0.0.0 126.96.36.199 0.0.0.0 UG 0 0 0 eth1
In the specific context of Cheswick and Bellovin's book on Unix
firewalls, they carefully distinguish between two types of "firewalls":
1. Sets of IP/port filter rules.
2. Application-level proxies.
The latter is also, synonymously, referred to as an "application-level
Sense #1 is what almost all Linux users think is the only thing that
"firewall" can ever mean, because they've never heard of
application-level proxy gateways, and, frankly, haven't a clue about
security at all.
The classic commodity application-level proxy design on
Unix/Linux/whatever is called "SOCKS". You can read about it, as an
illustrative example of the concept, here:
Because I _do_ know the difference between the above-described vastly
different sorts of things, you will seldom find me referring to IP/port
filtering rulesets as "firewalls". Instead, I called them -- ta-da! --
IP/port filtering rulesets.
More information about the sf-lug