[sf-lug] Cheswick and Bellovin's book

Rick Moen rick at linuxmafia.com
Thu Aug 16 16:11:48 PDT 2007

Quoting Alex Kleider (a_kleider at yahoo.com):

>  Cheswick and Bellovin's book 
> On Rick's recommendation I ordered, have received and am more than
> 1/3rd through the book although it's getting more difficult to follow
> the more I get into it.
> Rick, perhaps you'd be willing to comment on something that puzzles me:
> They seem to use the term "gateway" in a sense different than I have
> understood it.

Um, as mentioned, I don't _own_ the second edition (the one you bought),
only the first edition.

I'm also far from home, at the moment, so I cannot consult my paper
copy.  Fortunately, there _is_ the online text of the first edition.

> I thought it meant a machine that had at least two
> interfaces, and connected networks. They have single interface hosts
> serving as gateways in many of their topology diagrams.
> They use the definition: ".. provides relay services to compensate for
> the effects of the filter."
> Can you suggest a source that might clarify this for me a little?
> (I enjoy their no nonsense but still good natured writing style.)

Well, it might have helped if you'd either quoted the surrounding
context or _at least_ told me where to look, in the book in question.

/me attempts to look in the first-edition text.
Argh!  PDF.  *grumble*

In the first-edition text, which one would logically expect your
second-edition text to follow pretty closely, section II, "Build Your
Own Firewall", commences with chapter 3, "Firewall Gateways".  This is a 
different sense of the term "gateway" from what you refer to.  The 
latter, _your_ familiar sense of the term, is what /sbin/route uses, and
is merely a synonym for "default route":

$ /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                U     0      0        0 eth1
                                                UG    0      0        0 eth1

In the specific context of Cheswick and Bellovin's book on Unix
firewalls, they carefully distinguish between two types of "firewalls":

1.  Sets of IP/port filter rules.
2.  Application-level proxies.

The latter is also, synonymously, referred to as an "application-level

Sense #1 is what almost all Linux users think is the only thing that 
"firewall" can ever mean, because they've never heard of
application-level proxy gateways, and, frankly, haven't a clue about
security at all.

The classic commodity application-level proxy design on
Unix/Linux/whatever is called "SOCKS".  You can read about it, as an
illustrative example of the concept, here:

Because I _do_ know the difference between the above-described vastly
different sorts of things, you will seldom find me referring to IP/port
filtering rulesets as "firewalls".  Instead, I called them -- ta-da! --
IP/port filtering rulesets.
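To make the "relay services" sense concrete, here is a small added example of my own (not from Rick's post, the book, or any SOCKS implementation): it parses a SOCKS4 CONNECT request the way a proxy gateway would and decides whether to relay it. The sample request, the user name and the ALLOWED_PORTS policy are constructed for illustration; the wire format itself (VN=4, CD=1, port, IPv4 address, NUL-terminated user id; reply code 90 granted / 91 rejected) is the real SOCKS4 layout.

```python
import struct
import ipaddress

# Constructed sample: SOCKS4 CONNECT to 203.0.113.10:80 from user "alice".
# The client sends this to the proxy gateway, which needs only ONE interface:
# it opens the outbound connection itself and relays bytes, rather than
# routing packets between two networks the way a /sbin/route "gateway" does.
SAMPLE_REQUEST = b"\x04\x01" + struct.pack("!H", 80) + bytes([203, 0, 113, 10]) + b"alice\x00"

# Hypothetical gateway policy: only relay to these destination ports.
ALLOWED_PORTS = {80, 443}


def parse_socks4_connect(data):
    """Parse a SOCKS4 CONNECT request; return (user, dst_ip, dst_port)."""
    if len(data) < 9:                      # 8 fixed bytes + at least the NUL
        raise ValueError("request too short")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 4:
        raise ValueError("not SOCKS version 4")
    if cd != 1:                            # CD=2 (BIND) is not handled here
        raise ValueError("only CONNECT (CD=1) handled here")
    ip = str(ipaddress.IPv4Address(data[4:8]))
    nul = data.find(b"\x00", 8)
    if nul == -1:
        raise ValueError("USERID not NUL-terminated")
    user = data[8:nul].decode("ascii", errors="replace")
    return user, ip, port


def gateway_reply(data):
    """Build the 8-byte SOCKS4 reply the proxy would send back.

    VN is always 0 in replies; CD=90 means the proxy will relay the
    connection, CD=91 means it refused (or the request was malformed).
    A real proxy would open the outbound TCP connection only on 90.
    """
    try:
        user, ip, port = parse_socks4_connect(data)
    except ValueError:
        return struct.pack("!BBH4s", 0, 91, 0, b"\x00\x00\x00\x00")
    cd = 90 if port in ALLOWED_PORTS else 91
    return struct.pack("!BBH", 0, cd, port) + ipaddress.IPv4Address(ip).packed
```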
