Although the parameterized samples have allowed people to get a firewall up and running quickly, they have unfortunately set the wrong level of expectation among those who have used them. I am therefore withdrawing support for the samples and I am recommending that they not be used in new Shorewall installations.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Mon, 8 Apr 2002 12:47:50 -0700 (Pacific Daylight Time) Tom Eastep <teastep@shorewall.net> wrote:

> Although the parameterized samples have allowed people to get a firewall up and running quickly, they have unfortunately set the wrong level of expectation among those who have used them. I am therefore withdrawing support for the samples and I am recommending that they not be used in new Shorewall installations.

> Tom Eastep \ Shorewall - iptables made easy

But aren't they what make it specially easy?

Could you indicate what specific problems there have been? (I've just used one in today's installation, am I vulnerable?)

There's a strong case for a single user sample, simply because single users (like me) not only haven't mastered iptables, but also can become confused by the excellent but large amount of information provided for knowledgeable people with more complex setups, and often don't know what strategy to adopt, and what the implications of some of the terminology are.

Single, inexpert, directly connected users basically need an easily installable firewall that allows them to perform all the basic outgoing functions (i.e. allow responses to everything they have initiated), allows in stuff from their UBR, DNS server, DHCP server, and the cable modem, and prohibits everything else. That sounds to a newbie like me like a candidate for a standard setup sample.

- Richard.
--
Richard Kimber
Political Science Resources http://www.psr.keele.ac.uk/
UK-Euro FAQ http://www.psr.keele.ac.uk/docs/efaq.htm
Manuel Pompeia Santos
2002-Apr-08 21:11 UTC
[Shorewall-users] Parameterized Samples Withdrawn
Hi Tom,

I completely agree with Richard, what seems to be the problem with samples?

On Mon, 2002-04-08 at 21:37, Richard Kimber wrote:

> On Mon, 8 Apr 2002 12:47:50 -0700 (Pacific Daylight Time) Tom Eastep <teastep@shorewall.net> wrote:
>
> > Although the parameterized samples have allowed people to get a firewall up and running quickly, they have unfortunately set the wrong level of expectation among those who have used them. I am therefore withdrawing support for the samples and I am recommending that they not be used in new Shorewall installations.
>
> > Tom Eastep \ Shorewall - iptables made easy
>
> But aren't they what make it specially easy?
>
> Could you indicate what specific problems there have been? (I've just used one in today's installation, am I vulnerable?)
>
> There's a strong case for a single user sample, simply because single users (like me) not only haven't mastered iptables, but also can become confused by the excellent but large amount of information provided for knowledgeable people with more complex setups, and often don't know what strategy to adopt, and what the implications of some of the terminology are.
>
> Single, inexpert, directly connected users basically need an easily installable firewall that allows them to perform all the basic outgoing functions (i.e. allow responses to everything they have initiated), allows in stuff from their UBR, DNS server, DHCP server, and the cable modem, and prohibits everything else. That sounds to a newbie like me like a candidate for a standard setup sample.
>
> - Richard.
> --
> Richard Kimber
> Political Science Resources http://www.psr.keele.ac.uk/
> UK-Euro FAQ http://www.psr.keele.ac.uk/docs/efaq.htm
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users

--
The right to read is a battle being fought today...
http://www.gnu.org/philosophy/right-to-read.html
Tom,

Those samples are what got me going on the first pass at shorewall. I would hate to see them disappear. Couldn't you accomplish what you need by placing a "buyer beware" notice or something along with the samples?

Regards,
Les Hazelton
-----------------------------------------------------------
To all, a wish for health, wealth and time enough to enjoy it.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@shorewall.net>; "Shorewall Announcements" <shorewall-announce@shorewall.net>
Sent: Monday, April 08, 2002 3:47 PM
Subject: [Shorewall-users] Parameterized Samples Withdrawn

> Although the parameterized samples have allowed people to get a firewall up and running quickly, they have unfortunately set the wrong level of expectation among those who have used them. I am therefore withdrawing support for the samples and I am recommending that they not be used in new Shorewall installations.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
On Mon, 8 Apr 2002, Richard Kimber wrote:

> But aren't they what make it specially easy?

Yes -- but see below.

> Could you indicate what specific problems there have been? (I've just used one in today's installation, am I vulnerable?)

No -- the samples aren't going to suddenly quit working.

> There's a strong case for a single user sample, simply because single users (like me) not only haven't mastered iptables, but also can become confused by the excellent but large amount of information provided for knowledgeable people with more complex setups, and often don't know what strategy to adopt, and what the implications of some of the terminology are.
>
> Single, inexpert, directly connected users basically need an easily installable firewall that allows them to perform all the basic outgoing functions (i.e. allow responses to everything they have initiated), allows in stuff from their UBR, DNS server, DHCP server, and the cable modem, and prohibits everything else. That sounds to a newbie like me like a candidate for a standard setup sample.

The problem is that the samples not only hide iptables from the user, they also hide Shorewall itself from the user. So long as the user only needs functions provided by the sample, all is well. As soon as the user needs something not in the sample, they must face the "excellent but large amount of information". Not only do they now need to understand how Shorewall works but they also need to understand how the sample that they are running uses Shorewall to do what it does.

So, I think that a very explicit HOWTO can make configuration nearly as easy as the samples do and the HOWTO will most definitely do a better job of preparing people to use Shorewall effectively.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom,

I wish you wouldn't withdraw the samples. The reason people like me ask so many dumb questions is because there are a lot of us who would prefer to learn by modifying a sample and playing with it instead of by reading the very complete, but (typical of Linux) lengthy documentation. We don't want to know how Shorewall works, all we want to know is how to turn the darn thing on and off. Newbies don't care about ipsec tunnels, proxies, or traffic shaping. All we want to do is install it, make a couple of quick modifications, then have a beer; content in the thought that our security isn't perfect, and it may not work at all, but it's bound to be better than it was. We'll tighten it up tomorrow.

The question is one of viewpoints, and it's a common situation with Linux. At one end we have the new user who just wants to "try" Linux and get it to do something - anything useful with a minimum of effort. At the other end is the guru, who is tired of answering the same silly questions and would rather the user read and understand the whole thing first. The newbie just wants it to work; he doesn't care how, how well, or why right now because he'll read the docs and tweak his setup later (maybe). Newbies don't want to read and understand, we want a sample and some quick pointers for common setups. Once our firewall is running and everything still works, THEN we'll read. It's kinda like those instructions that came with your kid's bike. Nobody reads those first; we look at the pictures, bolt it all together, and then we read to figure out where all the extra parts go. It's just human nature.

I installed Shorewall today on a server that's already behind a firewall. But without a sample to follow, know what I did? Skimmed the documentation, then started playing with it. I figured I could at least gain a little more security without breaking anything. After about 2 hours I had to leave, so here's my temporary solution:

/etc/shorewall/policy
all     all     ACCEPT

I'm dreading reading the documentation again, but the system had no firewall before, so I'm having a beer anyway. Sure would have been easier with a sample.

Sincerely,
Jim Hubbard
jimh@xlproject.com

Visit my website at www.XLProject.com

PS - Why not just ignore any post that begins with "I'm using the __ interface sample"?

_____________________________________________

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
> Sent: Monday, April 08, 2002 3:48 PM
> To: Shorewall Users; Shorewall Announcements
> Subject: [Shorewall-users] Parameterized Samples Withdrawn
>
> Although the parameterized samples have allowed people to get a firewall up and running quickly, they have unfortunately set the wrong level of expectation among those who have used them. I am therefore withdrawing support for the samples and I am recommending that they not be used in new Shorewall installations.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
Jim,

On Mon, 8 Apr 2002, Jim Hubbard wrote:

> Tom,
> I wish you wouldn't withdraw the samples. The reason people like me ask so many dumb questions is because there are a lot of us who would prefer to learn by modifying a sample and playing with it instead of by reading the very complete, but (typical of Linux) lengthy documentation. We don't want to know how Shorewall works, all we want to know is how to turn the darn thing on and off. Newbies don't care about ipsec tunnels, proxies, or traffic shaping. All we want to do is install it, make a couple of quick modifications, then have a beer; content in the thought that our security isn't perfect, and it may not work at all, but it's bound to be better than it was. We'll tighten it up tomorrow.
>
> The question is one of viewpoints, and it's a common situation with Linux. At one end we have the new user who just wants to "try" Linux and get it to do something - anything useful with a minimum of effort. At the other end is the guru, who is tired of answering the same silly questions and would rather the user read and understand the whole thing first. The newbie just wants it to work; he doesn't care how, how well, or why right now because he'll read the docs and tweak his setup later (maybe). Newbies don't want to read and understand, we want a sample and some quick pointers for common setups. Once our firewall is running and everything still works, THEN we'll read. It's kinda like those instructions that came with your kid's bike. Nobody reads those first; we look at the pictures, bolt it all together, and then we read to figure out where all the extra parts go. It's just human nature.
>
> I installed Shorewall today on a server that's already behind a firewall. But without a sample to follow, know what I did? Skimmed the documentation, then started playing with it. I figured I could at least gain a little more security without breaking anything. After about 2 hours I had to leave, so here's my temporary solution:
>
> /etc/shorewall/policy
> all     all     ACCEPT
>
> I'm dreading reading the documentation again, but the system had no firewall before, so I'm having a beer anyway. Sure would have been easier with a sample.

You have eloquently expressed that for newbies the Shorewall Documentation sucks. Fine -- let's fix that so that users who "don't want to know how Shorewall works" will be dragged kicking and screaming to the point where they can do something more in two hours than type a single entry in the policy file.

Ignorance isn't bliss....

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
LoL - great message - very enjoyable! Good luck with that firewall... And enjoy the beer! ;)

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Jim Hubbard
> Sent: Monday, April 08, 2002 11:07 PM
> To: shorewall-users@shorewall.net
> Subject: RE: [Shorewall-users] Parameterized Samples Withdrawn
>
> Tom,
> I wish you wouldn't withdraw the samples. The reason people like me ask so many dumb questions is because there are a lot of us who would prefer to learn by modifying a sample and playing with it instead of by reading the very complete, but (typical of Linux) lengthy documentation. We don't want to know how Shorewall works, all we want to know is how to turn the darn thing on and off. Newbies don't care about ipsec tunnels, proxies, or traffic shaping. All we want to do is install it, make a couple of quick modifications, then have a beer; content in the thought that our security isn't perfect, and it may not work at all, but it's bound to be better than it was. We'll tighten it up tomorrow.
>
> The question is one of viewpoints, and it's a common situation with Linux. At one end we have the new user who just wants to "try" Linux and get it to do something - anything useful with a minimum of effort. At the other end is the guru, who is tired of answering the same silly questions and would rather the user read and understand the whole thing first. The newbie just wants it to work; he doesn't care how, how well, or why right now because he'll read the docs and tweak his setup later (maybe). Newbies don't want to read and understand, we want a sample and some quick pointers for common setups. Once our firewall is running and everything still works, THEN we'll read. It's kinda like those instructions that came with your kid's bike. Nobody reads those first; we look at the pictures, bolt it all together, and then we read to figure out where all the extra parts go. It's just human nature.
>
> I installed Shorewall today on a server that's already behind a firewall. But without a sample to follow, know what I did? Skimmed the documentation, then started playing with it. I figured I could at least gain a little more security without breaking anything. After about 2 hours I had to leave, so here's my temporary solution:
>
> /etc/shorewall/policy
> all     all     ACCEPT
>
> I'm dreading reading the documentation again, but the system had no firewall before, so I'm having a beer anyway. Sure would have been easier with a sample.
>
> Sincerely,
> Jim Hubbard
> jimh@xlproject.com
>
> Visit my website at www.XLProject.com
>
> PS - Why not just ignore any post that begins with "I'm using the __ interface sample"?
>
> _____________________________________________
>
> > -----Original Message-----
> > From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
> > Sent: Monday, April 08, 2002 3:48 PM
> > To: Shorewall Users; Shorewall Announcements
> > Subject: [Shorewall-users] Parameterized Samples Withdrawn
> >
> > Although the parameterized samples have allowed people to get a firewall up and running quickly, they have unfortunately set the wrong level of expectation among those who have used them. I am therefore withdrawing support for the samples and I am recommending that they not be used in new Shorewall installations.
> >
> > -Tom
> > --
> > Tom Eastep \ Shorewall - iptables made easy
> > AIM: tmeastep \ http://www.shorewall.net
> > ICQ: #60745924 \ teastep@shorewall.net
admin@kiteflyer.com
2002-Apr-09 04:12 UTC
[Shorewall-users] Parameterized Samples Withdrawn
I have to add my two cents here - I'm gonna have to side with Tom on this one. Although the parameterized solutions may get you off the ground quicker, it is not that much more trouble to configure the few entries needed by a default system. After using Shorewall for quite a while now, I progressed from a basic two port version (with IPchains firewall behind), to a three port version. There was a bit of a learning curve, but it was in my interest to learn.

I recently decided to toy with "Bering" (the floppy shorewall). It uses parameterized settings. Since it is built around a two interface concept, it needed to be changed to work in my three interface setup. I can honestly say, it took me hours to figure out what they were doing in those configuration files. To me, it just doesn't seem as logical to follow as non-parameterized. And I consider myself a newbie...

remember: command line is your friend, especially when you just misconfigured X!

Wayne
admin@kiteflyer.com
---------------------------------------------
Simon Matter
2002-Apr-09 06:00 UTC
[Shorewall-users] Re: [Shorewall-announce] Parameterized Samples Withdrawn
Hi Tom,

What about a "Wizard" for the "must run quickly"?

I have configured quite a number of shorewall firewalls and I have made the first with the two interface sample. The problem was that it was not so easy and I heavily modified the parameter sample to achieve what I needed. So I can say I really understand your decision. When I started with the next firewall, I took a look at your own configuration and easily figured out what I had to do. The doc was then easy to understand.

Now, I think one good solution would be to provide an easy to use firewall configuration script which creates useful shorewall configs. It could be really limited in functionality like all those "personal firewalls" out there on WinDO$. So any new user can just create an initial firewall with the wizard. For anything else, he has to modify the generated config by hand after reading the docs.

-Simon

Tom Eastep wrote:
>
> Although the parameterized samples have allowed people to get a firewall up and running quickly, they have unfortunately set the wrong level of expectation among those who have used them. I am therefore withdrawing support for the samples and I am recommending that they not be used in new Shorewall installations.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-announce mailing list
> Shorewall-announce@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-announce
My AU$0.02: way to go, Tom - you tell 'em! :-)

But seriously folks...

Richard Kimber wrote:
> On Mon, 8 Apr 2002 12:47:50 -0700 (Pacific Daylight Time) Tom Eastep <teastep@shorewall.net> wrote:
>
> > Although the parameterized samples have allowed people to get a firewall up and running quickly, they have unfortunately set the wrong level of expectation among those who have used them. I am therefore withdrawing support for the samples and I am recommending that they not be used in new Shorewall installations.
>
> But aren't they what make it specially easy?

In short, no. What makes Shorewall easy is the concept of zones and the ability to be able to easily define your traffic flow in terms of those zones.

> ...
> There's a strong case for a single user sample, simply because single users (like me) not only haven't mastered iptables, but also can become confused by the excellent but large amount of information provided for knowledgeable people with more complex setups, and often don't know what strategy to adopt, and what the implications of some of the terminology are.
>
> Single, inexpert, directly connected users basically need an easily installable firewall that allows them to perform all the basic outgoing functions (i.e. allow responses to everything they have initiated), allows in stuff from their UBR, DNS server, DHCP server, and the cable modem, and prohibits everything else. That sounds to a newbie like me like a candidate for a standard setup sample.

I agree that there is a need for sample configurations, but not for the *parameterized* samples previously provided. As Tom has stated, they give the wrong impression about using Shorewall. The parameter is simply a convenient place to put frequently used hosts and things. It should not be used to define all your trusted ports - that's what the rules file is for.

Tom, what about publishing the unparameterized samples I previously sent you? I think it would be good if all the interfaces and rules were commented out by default, with explanations of what each one does if uncommented. I'd be happy to maintain and (partially) support them if people find them useful.

admin@kiteflyer.com wrote:
> ...
> I'm gonna have to side with Tom on this one. Although the parameterized solutions may get you off the ground quicker, it is not that much more trouble to configure the few entries needed by a default system.
> ...
> To me, it just doesn't seem as logical to follow as non-parameterized.

Hear, hear! That's what I've been telling people for some time.

Paul
http://paulgear.webhop.net
On Tue, 9 Apr 2002, Paul Gear wrote:

> My AU$0.02: way to go, Tom - you tell 'em! :-)

I knew you'd be pleased :-)

> I agree that there is a need for sample configurations, but not for the *parameterized* samples previously provided. As Tom has stated, they give the wrong impression about using Shorewall. The parameter is simply a convenient place to put frequently used hosts and things. It should not be used to define all your trusted ports - that's what the rules file is for.

I agree entirely.

> Tom, what about publishing the unparameterized samples I previously sent you? I think it would be good if all the interfaces and rules were commented out by default, with explanations of what each one does if uncommented. I'd be happy to maintain and (partially) support them if people find them useful.

I'll dig them out and have a look.

Thanks,
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Mon, 8 Apr 2002 23:12:56 EST admin@kiteflyer.com wrote:

> Although the parameterized solutions may get you off the ground quicker, it is not that much more trouble to configure the few entries needed by

It's not (for me at least) a matter of taking the trouble to do something, I'm prepared to do a great deal. The problem lies in not having the understanding to be able to do something that is potentially dangerous with confidence.

> a default system. After using Shorewall for quite a while now, I progressed from a basic two port version (with IPchains firewall behind), to a three port version. There was a bit of a learning curve, but it was in my interest to learn.

There's a difficult problem here, to do with what one's relationship to the computer is. People like me use it essentially for non-computing ends: writing simple programs to analyse election results, and running a largish website of resources. These activities in themselves take up large amounts of time. Then there is keeping my distribution up to scratch and housekeeping (e.g. doing backups), getting necessary apps working, and so on .... Unless one is a systems administrator by inclination or profession, there isn't the time, or the need, to embark on such a learning curve. The knowledge gained would be discarded immediately the firewall was up and running. For many people like me setting up a firewall is a once-and-for-all process that doesn't justify a big learning investment.

If I can draw an analogy, it's a bit like the kernel - it's crucial, but all I need to do is use the wizard (i.e. make xconfig) and then go through the make process. I don't understand anything about how it works, and could never write a kernel patch. I think that's how a firewall should be. Simple to set up for basic situations, but modifiable by those who need something different and more complex and know how to do it.

BTW, in case it hasn't come through what I've been saying, I think Shorewall is an impressive product - which is of course why I chose to try it. I'm just making a plea not to forget the many who are in my type of situation (as Linux becomes more popular and broadband becomes more widespread, we shall become more numerous).

-Richard.
--
Richard Kimber
Political Science Resources http://www.psr.keele.ac.uk/
UK-Euro FAQ http://www.psr.keele.ac.uk/docs/efaq.htm
> -----Original Message----- > From: Tom Eastep [mailto:teastep@shorewall.net] > Sent: Tuesday, April 09, 2002 8:21 AM > To: Paul Gear > Cc: Shorewall Users > Subject: Re: [Shorewall-users] Parameterized Samples Withdrawn > > > On Tue, 9 Apr 2002, Paul Gear wrote: > > > My AU$0.02: way to go, Tom - you tell ''em! :-) > > > > I knew you''d be pleased :-) > > > > > I agree that there is a need for sample configurations, but > > not for the *parameterized* samples previously provided. > > As Tom has stated, they give the wrong impression about using > > Shorewall. The parameter is simply a convenient place to put > > frequently used hosts and things. It should not be used to > > define all your trusted ports - that''s what the rules file > > is for. > > > > I agree entirely. > > > Tom, what about publishing the unparameterized samples i > > previously sent you? I think it would be good if all the > > interfaces and rules were commented out by default, with > > explanations of what each one does if uncommented. I''d > > be happy to maintain and (partially) support them if people > > find them useful. > > > > I''ll dig them out and have a look.Whew!!! Talk about stirring up a hornets nest. Personally, I would like to see unparameterized samples that have a common 30,000 foot documented format. i.e. In the rules file, have sections defining each zone->zone combination. This would allow all of us to start on the same page (so to speak). I know when someone makes a post to this list where they are referencing the current parameterized example files, I just ignore them because I do not feel like trying to cross reference the parameters to which shorewall file they are being used in. Call me lazy, but I would rather respond to someone''s question with... under the internet->local section of the rules file -- add the following rule. FWIW: I use the following format in my rules file. 
############################################################################
########################### Internet -> Local ##############################
############################################################################
#RESULT  CLIENT(S)  SERVER(S)             PROTO  PORT(S)  CLIENT PORT(S)  ADDRESS
#
# Define the services that will be made available from the Internet to
# Local LAN systems.
#
# Accept/Forward inbound tcp port 81 to IIS Server port 80 (OWA) - 192.168.9.2
# Accept/Forward inbound tcp port 1723 (PPTP) to PPTP Server - 192.168.9.3
# Accept/Forward inbound gre protocol requests to PPTP server - 192.168.9.3
ACCEPT   net        loc:192.168.9.2:80    tcp    81       -               all
ACCEPT   net        loc:192.168.9.3       tcp    1723     -               all
ACCEPT   net        loc:192.168.9.3       47     -        -               all

############################################################################
########################### Local -> Internet ##############################
############################################################################
#RESULT  CLIENT(S)  SERVER(S)             PROTO  PORT(S)  CLIENT PORT(S)  ADDRESS
#
# Allow "all" traffic from private LAN to Internet. This is
# accomplished by adding the following policy and masq file entries.
#   policy file:  loc    net    ACCEPT
#   masq file:    eth0   192.168.9.0/24
# Only list exceptions to the above here.
REJECT:info  loc    net    tcp    6667

Furthermore, (so that we are all starting from the same page) I would like to see an "initial" install script for shorewall that prompts for basic network design parameters similar to how the "firewall in a box" manufacturers like netgear, linksys, etc... do. Then the install script creates a standard set of shorewall parameter files. Something like the following:

1) Which interface is external? (eth0/eth1)
2) Is the external interface's ip address assigned through DHCP?
3) Does the external interface require PPPoE? <groan!>
4) DNS servers that the firewall will use for name resolution?
5) Which interface is internal? (eth0/eth1)
6) What is the LAN address of the internal interface? (192.168.1.0/24)

With any of the above prompts, a context sensitive help would be available that outlines (at a 30,000 foot view) what should be entered for each prompt. By default, the initial install script would create all the necessary shorewall config files (based on the above prompts) with a default policy of DENY all inbound traffic.

Now that we are all starting on the same page, create detailed documentation that describes (chapter 1) theory of operation for shorewall/net-filter and also chapters on how to modify the default to fit your current requirements, i.e. port forwarding. BTW: Tom, you already have a good start on this.

For those super newbies, I found the following netgear site rather interesting. Maybe we could adapt its format to fit shorewall.
http://www.netgear-support.com/ts/doc/ispguide.htm

Just my two bits
Steve Cowles
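As an added example (my code, not Steve's or the Shorewall project's), the following Python parses rules written in the seven-column layout above, constructed inline from the entries in the post, and lists what the net zone may reach on the LAN; it assumes DEST is written loc[:HOST[:PORT]] and flags a rule as WIDE when it lacks a host or a port restriction.

```python
"""Added example (not from the post or the Shorewall project): parse a rules file
in the seven-column layout shown above and list the LAN pinholes open to 'net'."""
from collections import namedtuple

# Constructed sample in the layout of the post:
# ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  CLIENT PORT(S)  ORIGINAL DEST
SAMPLE_RULES = """\
# Internet -> Local
ACCEPT       net   loc:192.168.9.2:80   tcp   81     -   all
ACCEPT       net   loc:192.168.9.3      tcp   1723   -   all
ACCEPT       net   loc:192.168.9.3      47    -      -   all
# Local -> Internet: exceptions to the loc->net ACCEPT policy only
REJECT:info  loc   net                  tcp   6667
"""

Rule = namedtuple("Rule", "action source dest proto dport sport orig_dest")


def parse_rules(text):
    """Parse non-comment lines; absent trailing columns default to '-'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if line:
            cols = line.split()
            rules.append(Rule(*(cols + ["-"] * 7)[:7]))   # pad short rows
    return rules


def audit_pinholes(rules):
    """One finding per ACCEPT rule from 'net' into 'loc', marked narrow or WIDE."""
    findings = []
    for r in rules:
        zone, _, rest = r.dest.partition(":")
        if r.action.split(":")[0] != "ACCEPT" or r.source != "net" or zone != "loc":
            continue
        host, _, fwd_port = rest.partition(":")  # DEST is loc[:HOST[:PORT]]
        proto = r.proto.lower()
        if proto in ("tcp", "udp"):
            svc, tport = f"{proto}/{r.dport}", (fwd_port or r.dport)
        else:
            svc, tport = f"proto {proto}", fwd_port  # e.g. gre (47) has no ports
        target = host or "<entire loc zone>"
        if tport not in ("", "-"):
            target += f":{tport}"
        if proto in ("tcp", "udp") and r.dport == "-":
            risk = f"WIDE: all {proto} ports"       # no port restriction at all
        elif not host:
            risk = "WIDE: whole LAN"                # no host restriction
        else:
            risk = "narrow"
        findings.append(f"{svc} -> {target} [{risk}]")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_pinholes(parse_rules(SAMPLE_RULES))))
```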
Now this sounds good. Anything that makes it easier for newbies to just pick it up and use it is good (I like the Webmin module too). The Linux community should move away from the whole "you must learn the hard way before you're worthy" idea. Can you imagine that kind of thinking from MS or Apple?

All of us reading this list have already expended far more effort to learn Linux than Joe Sixpack ever will. But the fact is, we need Joe to come on board if we want Linux to continue to grow.

Sincerely,
Jim Hubbard

Visit us online at www.dyersinc.com
______________________________________________________

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net]On Behalf Of Cowles, Steve
> Sent: Tuesday, April 09, 2002 11:23 AM
> To: Shorewall Users
> Subject: RE: [Shorewall-users] Parameterized Samples Withdrawn
>
> Furthermore, (so that we are all starting from the same page) I would like
> to see an "initial" install script for shorewall that prompts for basic
> network design parameters similar to how the "firewall in a box"
> manufacturers like netgear, linksys, etc... do.
>
On Tue, 9 Apr 2002 10:22:47 -0500 "Cowles, Steve" <Steve@SteveCowles.com> wrote:
> Furthermore, (so that we are all starting from the same page) I would
> like to see an "initial" install script for shorewall that prompts for
> basic network design parameters similar to how the "firewall in a box"
> manufacturers like netgear, linksys, etc... do. Then the install script
> creates a standard set of shorewall parameter files. Something like the
> following:
>
> 1) Which interface is external? (eth0/eth1)
> 2) Is the external interface's ip address assigned through DHCP?
> 3) Does the external interface require PPPoE? <groan!>
> 4) DNS servers that the firewall will use for name resolution?
> 5) Which interface is internal? (eth0/eth1)
> 6) What is the LAN address of the internal interface? (192.168.1.0/24)

This is the kind of thing I meant when I referred to wizards and pmfirewall previously. If such an install script were to be envisaged, perhaps there could be a discussion on the general format.

- Richard.
--
Richard Kimber
Political Science Resources http://www.psr.keele.ac.uk/
UK-Euro FAQ http://www.psr.keele.ac.uk/docs/efaq.htm
admin@kiteflyer.com
2002-Apr-09 16:32 UTC
[Shorewall-users] Parameterized Samples Withdrawn
Ok, I'm posting again,

I still don't get what the big deal is for "newbies" (of which I consider myself one). I can certainly understand where most are coming from, I hate the fact that I sometimes have to read 20 pages of faqs to find a basic setup (examples speak 1000 words - thanks Tom). It's nice to be able to utilize someone else's work or have it work right out the box.

The issue here is if it is a better idea to have a file that lists: $INET_HOST= , $LOCAL_HOST=, etc. or to say: your internet address must be defined in the interface file "NET ETH0" etc.

For most newbies, I assume Shorewall is used as a firewall between a windows machine (or machines) and the internet. It will do nothing more than "protect" them and act as a MASQ (proxy) for the local network. In shorewall's out the box form, it does just that. I only see three main steps for a newbie: define the net interface, define the local interface, define the interface to be MASQed. Voila!

It's only when you start mangling that you get into trouble ("but I want to run a mail/web/game/??? server"). At that point I think you owe it to yourself to learn what the rules you are creating really mean (unless you like being hacked and becoming a spam relay, warez server, etc.).

OK, so maybe we need a better "newbie" document - say "Shorewall in 10 minutes or less", but I don't see the advantage to having new users learn how to use Shorewall twice. It wasn't fun.

Wayne
admin@kiteflyer.com
---------------------------------------------
On Tue, 9 Apr 2002 16:32:29 GMT admin@kiteflyer.com wrote:
> Ok, I'm posting again,
>
> I still don't get what the big deal is for "newbies" (of which I
> consider myself one). I can certainly understand where most are coming
> from, I hate the fact that I sometimes have to read 20 pages of faqs to
> find a basic setup (examples speak 1000 words - thanks Tom). It's nice
> to be able to utilize someone else's work or have it work right out the
> box.

I regret introducing the 'newbie' term. As I indicated earlier, the issue I'm concerned about is the need for a firewall on the part of inexpert people with very simple needs (one PC directly connected, no services run). I'm sorry if I've caused confusion. I agree entirely that if anyone wants to do anything fancy, then they must learn the rules.

- Richard.
--
Richard Kimber
Political Science Resources http://www.psr.keele.ac.uk/
UK-Euro FAQ http://www.psr.keele.ac.uk/docs/efaq.htm
I can't attest to the overall quality of it, but you can check out "Linux Firewalls Second Edition" written by Robert L. Ziegler and published by New Riders. It does cover iptables in some detail as well as some other security related topics.

Patrick

-----Original Message-----
From: Richard Kimber [mailto:rkimber@ntlworld.com]
Sent: Tuesday, April 09, 2002 12:52 PM
To: shorewall
Subject: Re: [Shorewall-users] Parameterized Samples Withdrawn

On Tue, 9 Apr 2002 16:32:29 GMT admin@kiteflyer.com wrote:
> Ok, I'm posting again,
>
> I still don't get what the big deal is for "newbies" (of which I
> consider myself one). I can certainly understand where most are coming
> from, I hate the fact that I sometimes have to read 20 pages of faqs to
> find a basic setup (examples speak 1000 words - thanks Tom). It's nice
> to be able to utilize someone else's work or have it work right out the
> box.

I regret introducing the 'newbie' term. As I indicated earlier, the issue I'm concerned about is the need for a firewall on the part of inexpert people with very simple needs (one PC directly connected, no services run). I'm sorry if I've caused confusion. I agree entirely that if anyone wants to do anything fancy, then they must learn the rules.

- Richard.
--
Richard Kimber
Political Science Resources http://www.psr.keele.ac.uk/
UK-Euro FAQ http://www.psr.keele.ac.uk/docs/efaq.htm
_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
I agree with Tom that the samples as they are right now are setting the wrong level of expectation, as he puts it. I think one issue most people new to firewalling (apart from setting the basics) is to know what to block or allow depending on the protocols/services used.

I think a great service to all would be to have a contrib directory where people give examples of their rules configuration for allowing or disallowing a particular service.

People could then copy those rules into their rule file and change the zones accordingly. I think that will be more valuable than what the current samples do. Let's face it, we all need to open pinholes in our firewall at some point. We just need to make sure they are not too big.

Regards

Pascal

On Tue, 2002-04-09 at 09:20, Jim Hubbard wrote:
> Now this sounds good. Anything that makes it easier for newbies to just
> pick it up and use it is good (I like the Webmin module too). The Linux
> community should move away from the whole "you must learn the hard way
> before you're worthy" idea. Can you imagine that kind of thinking from MS
> or Apple?
>
> All of us reading this list have already expended far more effort to learn
> Linux than Joe Sixpack ever will. But the fact is, we need Joe to come on
> board if we want Linux to continue to grow.
>
> Sincerely,
> Jim Hubbard
>
> Visit us online at www.dyersinc.com
> ______________________________________________________
>
> > -----Original Message-----
> > From: shorewall-users-admin@shorewall.net
> > [mailto:shorewall-users-admin@shorewall.net]On Behalf Of Cowles, Steve
> > Sent: Tuesday, April 09, 2002 11:23 AM
> > To: Shorewall Users
> > Subject: RE: [Shorewall-users] Parameterized Samples Withdrawn
> >
> > Furthermore, (so that we are all starting from the same page) I would like
> > to see an "initial" install script for shorewall that prompts for basic
> > network design parameters similar to how the "firewall in a box"
> > manufacturers like netgear, linksys, etc... do.
Pascal has nailed it for me. I can read the docs to see how to specify rules and without too many lapses get the rules entered. My problem still is understanding what ports and why special attention is warranted for some.

Anyone who can make a list of ports and exploits to lock out on those ports will be doing a great service!

--
Sincerely,
David Smead
http://www.amplepower.com.

On 9 Apr 2002, Pascal DeMilly wrote:
> I agree with Tom that the samples as they are right now are setting the
> wrong level of expectation, as he puts it. I think one issue most people
> new to firewalling (apart from setting the basics) is to know what to
> block or allow depending on the protocols/services used.
>
> I think a great service to all would be to have a contrib directory
> where people give examples of their rules configuration for allowing or
> disallowing a particular service.
>
> People could then copy those rules into their rule file and change the
> zones accordingly. I think that will be more valuable than what the
> current samples do. Let's face it, we all need to open pinholes in our
> firewall at some point. We just need to make sure they are not too big.
>
> Regards
>
> Pascal
On Tue, 9 Apr 2002, David Smead wrote:
> Pascal has nailed it for me. I can read the docs to see how to specify
> rules and without too many lapses get the rules entered. My problem still
> is understanding what ports and why special attention is warranted for
> some.
>
> Anyone who can make a list of ports and exploits to lock out on those
> ports will be doing a great service!
>

That's the intent of http://www.shorewall.net/ports.htm although it could certainly be expanded. Note that there's a link at the bottom of that page to Network Ice's port information page that has a host of information about ports used by Trojans.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> > Anyone who can make a list of ports and exploits to lock out on those
> > ports will be doing a great service!
>
> That's the intent of http://www.shorewall.net/ports.htm although it could
> certainly be expanded. Note that there's a link at the bottom of that page
> to Network Ice's port information page that has a host of information
> about ports used by Trojans.

Check out http://www.robertgraham.com/pubs/firewall-seen.html for information about various ports.