This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
To: svlug@svlug.org
Date: Tue, 16 Jan 2001 01:05:23 -0800
Subject: Re: [svlug] /etc/hosts.deny & wrappers & xinetd
From: Rick Moen <rick@linuxmafia.com>

begin Ajay quotation:

> And an access control list on a firewall is one way of restricting
> access to services, but to my knowledge most people consider firewalls
> only a first line of defense....
       ^^^^^^^

I believe you misspelled "an additional".

In the name of minimising wasted time, when people come at you with opinions and clueless questions about "firewalls", ask them "When you use the term 'firewall' in this context, are you referring to application-level proxy gateways, or do you mean filtering routers? If the latter, is this an implementation with stateful filters, or not?"

If, as is usually the case, they have no fscking clue what you've just asked, then they are wasting your time, and you should suggest a reading list before they bother you again.

===

To: Rick Moen <rick@linuxmafia.com>
Subject: Re: [svlug] BAD PASSWORD: it is based on a dictionary word
Date: Tue, 16 Jan 2001 01:33:08 -0800
From: J C Lawrence <claw@kanga.nu>

On Tue, 16 Jan 2001 00:31:15 -0800 Rick Moen <rick@linuxmafia.com> wrote:

> Some sysadmins insist on implementing good administrative
> practices on machines they're responsible for, as reflecting on
> their professionalism and good name.

The definition of practices is of course contextual. At SGI the explicit expectation is that all developer systems will have an open guest account.

When I came there and immediately locked down guest (I made the passwd "guest") it was not long before I had a couple of comments from odd folks (Dave Olson among others) querying why ("Ahh, you're from outside, that makes sense."). There the expectation was, and remains, that every developer system will have an open guest account (no passwd) so that among other things easy monitoring may be done of what revs of what software are being run on what platforms (most developers keep up with the current beta IRIX release on their desktops and development boxes), and on odd occasions interesting distributed processing may be done in off hours.

Their security model is heavy firewalling, strong invasive and behavioural border traffic analysis (Simon Cooper's work FWIW), and the creation of a wide-open "safespace" within that boundary.

===

Date: Tue, 16 Jan 2001 11:30:53 -0800
From: Don Marti <dmarti@zgp.org>
Subject: Re: [svlug] /etc/hosts.deny & wrappers & xinetd

On Tue, Jan 16, 2001 at 01:05:23AM -0800, Rick Moen wrote:

> In the name of minimising wasted time, when people come at you with
> opinions and clueless questions about "firewalls", ask them "When you
> use the term 'firewall' in this context, are you referring to
> application-level proxy gateways, or do you mean filtering routers. If
> the latter, is this an implementation with stateful filters, or not?"

The word "firewall" is now meaningless. Hey, let's start the Canonical List of Things that People Call "Firewalls". I'll list a few, with examples.

Dedicated router configured for stateless packet filtering. (many Cisco products)

System running a general-purpose OS, with routing enabled, configured for packet filtering, either stateless or stateful. (Linux box with ipchains or iptables)

Software package for a general-purpose OS that implements packet filtering, either stateless or stateful. (Checkpoint Firewall-1)

System running one or more application-level proxies. (Linux box with a minimal Postfix configuration fronting for an internal "bells-n-whistles" mail server)

Software package that implements content-based filtering for an application-level proxy or other service. (Sophos anti-virus plugin for Sendmail Content Management API)

(By some definitions, Junkbuster is a firewall.)

===

Date: Tue, 16 Jan 2001 12:39:41 -0800
To: svlug@svlug.org
Subject: Re: [svlug] BAD PASSWORD: it is based on a dictionary word
From: Rick Moen <rick@linuxmafia.com>

begin Don Marti Uses GIFs on the Sly quotation:

> One more thought on the subject of firewalls...nobody has ever
> explained to me why, if you don't trust a machine or machines to be on
> the Internet, why you don't just put it in private address space with
> no NAT or other route out, and use application-level proxies?

Setting up an application-level proxy gateway requires time, expertise, money, and CPU power to burn. Whereas pretty much anyone can set up NAT and a few filtering rules (not necessarily safely or correctly), claim to management to have installed a "firewall", and be a hero for a day.

The latter are being hawked as preconfigured products, in fact. (See: NetMax.) No comprehension required; just add blind faith.

===

Date: Tue, 16 Jan 2001 15:36:38 -0800
To: svlug@svlug.org
Subject: Re: [svlug] BAD PASSWORD: it is based on a dictionary word
From: Rick Moen <rick@linuxmafia.com>

begin Chris Waters quotation:

> Anyway, I have to admit that I couldn't answer Rick's second question
> about firewalls. (Is my "firewall" router/masquerader "stateful"?)

Stateful filters are ones that evaluate each packet within the context of a network traffic stream (e.g., a TCP connection), rather than attempting to determine their desirability in isolation. E.g., is a SYN response valid or part of a DoS attack? (Yes, we have SYN cookies, but that's missing the point.)

Keeping track of packet state requires tracking some stream details such as TCP sequence numbers, and basically maintaining a table of all open connections so that you can match up incoming and outgoing streams -- thus making it possible to meaningfully filter UDP. You also should take into account the effects of IP-packet fragmentation, which usually means reassembling all fragments before letting any through.

Implementations differ widely. In the extreme case, such an implementation would verge on becoming an application-level proxy gateway, since it would have to make filtering decisions on the basis of protocols higher up the OSI-model stack. And would necessarily become much more complex.

Anyhow, Linux 2.4 / netfilter can support a variety of stateful filters on routing. Linux 2.2 / ipchains cannot. Darren Reed's "IP Filter" kernel add-on for *BSD has provided stateful packet filtering for quite some time.

The point was that, unless the person burbling about "firewalls" and making vague claims about them in your face has some notion of these issues (not to mention having something _specific_ in mind when he uses the term), he's wasting his time and yours. There are good books on filtering routers and application-level proxy gateways. People wanting to discuss "firewalls" with any pretense to semantic content need to read them first.

===
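The connection-table idea in the last message above (match inbound packets against streams the inside initiated, so that even UDP can be filtered meaningfully) is easy to see in a small model. The following is an added example, not code from the thread or from any of the posters: a toy Python filter that keeps a flow table and is run side by side with the stateless "established means no bare SYN, UDP to high ports is fine" rules that ipchains-era setups relied on. All addresses, ports and the 30-second UDP idle timeout are constructed values, and the TCP state machine is deliberately minimal (no sequence-number tracking, no fragment reassembly), which is exactly the part real implementations differ on.

```python
"""Toy stateful vs. stateless packet filter (constructed example).

The stateful filter keeps a table keyed on the normalised 5-tuple so that the
outbound and inbound halves of one stream land on the same entry. Inbound
packets are accepted only when such an entry exists; UDP entries are aged out.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

SYN = frozenset({"SYN"})
SYNACK = frozenset({"SYN", "ACK"})


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                      # "out": inside -> Internet, "in": Internet -> inside
    flags: FrozenSet[str] = frozenset()  # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}
    t: float = 0.0                      # arrival time in seconds (drives the UDP idle timeout)


def stateless_decide(pkt: Packet) -> str:
    """Each packet judged alone, with no memory of earlier traffic."""
    if pkt.direction == "out":
        return "ACCEPT"
    if pkt.proto == "tcp":
        # "established" heuristic: anything that is not a bare SYN is assumed to be a reply
        return "DROP" if pkt.flags == SYN else "ACCEPT"
    # UDP has no handshake to key on; the usual compromise is to allow unprivileged ports
    return "ACCEPT" if pkt.dport > 1023 else "DROP"


@dataclass
class Flow:
    state: str   # "SYN_SENT" / "ESTABLISHED" for TCP, "OPEN" for UDP
    last: float  # time of the last packet seen on this flow


Key = Tuple[str, str, int, str, int]  # (proto, inside addr, inside port, outside addr, outside port)


class StatefulFilter:
    UDP_IDLE = 30.0  # seconds before an idle UDP flow is forgotten (constructed value)

    def __init__(self) -> None:
        self.table: Dict[Key, Flow] = {}

    @staticmethod
    def _key(pkt: Packet) -> Key:
        # Put the inside endpoint first so both directions of a stream share one key.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now: float) -> None:
        # UDP never closes explicitly, so idle flows are aged out instead.
        stale = [k for k, f in self.table.items()
                 if k[0] == "udp" and now - f.last > self.UDP_IDLE]
        for k in stale:
            del self.table[k]

    def decide(self, pkt: Packet) -> str:
        self._expire(pkt.t)
        key = self._key(pkt)
        flow = self.table.get(key)
        if pkt.direction == "out":
            if pkt.proto == "udp":
                self.table[key] = Flow("OPEN", pkt.t)   # create or refresh the UDP flow
                return "ACCEPT"
            if flow is None:
                if pkt.flags != SYN:
                    return "DROP"   # not a new connection and matches no known stream
                self.table[key] = Flow("SYN_SENT", pkt.t)
                return "ACCEPT"
            flow.last = pkt.t
            if pkt.flags & {"FIN", "RST"}:
                del self.table[key]   # simplification: one FIN/RST tears the stream down
            return "ACCEPT"
        # Inbound: only packets belonging to a stream the inside opened get through.
        if flow is None:
            return "DROP"
        flow.last = pkt.t
        if pkt.proto == "udp":
            return "ACCEPT"
        if flow.state == "SYN_SENT":
            if pkt.flags == SYNACK:
                flow.state = "ESTABLISHED"
                return "ACCEPT"
            return "DROP"   # only the handshake reply is valid at this point in the stream
        if pkt.flags & {"FIN", "RST"}:
            del self.table[key]
        return "ACCEPT"


def run_demo() -> List[Tuple[str, str, str]]:
    """Constructed traffic; returns (label, stateless verdict, stateful verdict) per packet."""
    inside, web, dns, stranger = "10.0.0.5", "198.51.100.7", "192.0.2.53", "203.0.113.9"
    traffic = [
        ("outbound SYN to web server", Packet("tcp", inside, 40000, web, 80, "out", SYN, 0.0)),
        ("SYN/ACK reply from web server", Packet("tcp", web, 80, inside, 40000, "in", SYNACK, 0.1)),
        ("unsolicited inbound packet with ACK set",
         Packet("tcp", stranger, 443, inside, 40001, "in", frozenset({"ACK"}), 0.2)),
        ("outbound DNS query", Packet("udp", inside, 53001, dns, 53, "out", t=1.0)),
        ("DNS reply", Packet("udp", dns, 53, inside, 53001, "in", t=1.2)),
        ("unsolicited inbound UDP to a high port", Packet("udp", stranger, 1234, inside, 5000, "in", t=2.0)),
        ("late DNS reply after the flow went idle", Packet("udp", dns, 53, inside, 53001, "in", t=100.0)),
    ]
    sf = StatefulFilter()
    return [(label, stateless_decide(p), sf.decide(p)) for label, p in traffic]


if __name__ == "__main__":
    for label, stateless, stateful in run_demo():
        print(f"{label:45s} stateless={stateless:6s} stateful={stateful}")
```

The three packets the stateless rules accept and the stateful filter drops are the ones the message is about: an inbound TCP segment with ACK set that belongs to no connection, an inbound UDP datagram to a high port nobody asked for, and a DNS "reply" arriving long after the query's entry was aged out. The stateless rules cannot tell any of them from legitimate replies because they never see the outbound half of the stream.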