--On Monday, February 24, 2003 11:55:48 AM -0700 Mike Robinson <miker@sundialservices.com> wrote:

> I'll stick with my original suggestion, and consider it very important.
> Even though users might say "why isn't blah-blah in the services-file,"
> once the data was supplied in the file and distributed, no one would
> have to repeat the question.

It's easy to take that position all right when someone else has to answer the questions and someone else has to verify the information put into the file.

> "ports.htm" keeps the "geek factor" too-firmly front and center: "In the
> end, you still have to be a TCP/IP geek to set it up correctly."

Well, the original slogan for Shorewall could very well have been "Built by a geek for geeks". At one time, the Shorewall requirements list included that the user must be IP knowledgeable. It was only later that I started spending a substantial portion of my time on entry-level documentation, sample configurations and the like.

> Ordinary firewalls should be easy to set up reliably. In my view, if
> "it all comes down to a port-list that must be edited by hand," the
> essential problem that ought to be addressed by a firewall-management
> product really has not been adequately addressed at all.

Pardon me if I tend to consider Shorewall to be an extraordinary firewall :-) You are of course entitled to your opinion.

> If I have to browse an HTML file, "figure it out" and correctly set up a
> port list, with the consequences being that if I fail to do so my
> firewall will not work correctly (and maybe I have to drive across town
> or worse to fix it), then ... I submit to you that I am being forced
> unnecessarily to do something that a computer algorithm could do in a
> split-second if the data contained in (say) "ports.htm" were merely
> expressed in an appropriately formatted file.
>
> People should be able to think of firewalls as opening and closing access
> to services on their computer, not TCP/IP ports.

$DIETY forbid that a firewall administrator should know anything about IP all right.

> I /think/ that Shorewall is right for me. If it had this feature there
> would be no doubt because I would have confidence that the knowledge
> placed at my fingertips by means of this service file will correctly
> translate my wishes ("local users may have access to this service") into
> a correct specification of Internet ports ... with no errors.
>
> Remember that for security purposes I want neither of the errors that I
> could so easily otherwise make. I don't want a port to be open if it
> should be closed, and I do not want a port to be closed if it should be
> open. I urgently wish for the /computer/ to make the appropriate
> determination for me.

I will consider adding this capability to Shorewall 2.0 -- I'm not interested in spending any time adding it to the 1.4 series. And I still have reservations...

> Otherwise... shouldn't I just be learning iptables command-lines? :-{
> Or, more likely, continuing to search for a suitable firewall management
> product.

May your search be fruitful...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
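The mechanism Mike argues for in the message above, resolving service names to port lists from a machine-readable file instead of a hand-edited port list, as an added example that is not part of this thread and is not Shorewall's own code. It assumes a services file in the /etc/services line format (name, port/protocol, optional aliases, '#' comments) and emits rule lines in the column layout of a Shorewall 1.x rules file (ACTION SOURCE DEST PROTO DEST PORT); that layout and the sample services data are assumptions constructed for the example. The point it adds to the discussion is the fail-closed behaviour: an unresolvable name or a malformed services line stops rule generation rather than silently producing one of the two errors Mike names.

```python
"""Resolve service names to port/protocol pairs from a services-style file
and emit firewall rule lines, failing closed on anything it cannot resolve.

Added example; assumes the /etc/services line format and a Shorewall-1.x-
style rules layout (ACTION SOURCE DEST PROTO DEST PORT). The sample data
below is constructed for the example, not taken from any real file.
"""
from collections import defaultdict

# Constructed sample in /etc/services format: name  port/proto  [aliases]  # comment
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed sample)
ssh        22/tcp                      # SSH Remote Login Protocol
domain     53/tcp    nameserver
domain     53/udp    nameserver
http       80/tcp    www www-http     # WorldWideWeb HTTP
https      443/tcp
imaps      993/tcp
malformed  notaport/tcp              # deliberately bad line
"""


def parse_services(text):
    """Return ({name: {(proto, port), ...}}, [(lineno, raw), ...]).

    Aliases map to the same entries as the primary name. Lines that do not
    parse are reported, not silently dropped: a silently missing entry is
    exactly the 'port closed that should be open' error nobody would notice.
    """
    table = defaultdict(set)
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            errors.append((lineno, raw))
            continue
        port_s, proto = fields[1].split("/", 1)
        if (not port_s.isdigit() or not 0 < int(port_s) < 65536
                or proto not in ("tcp", "udp")):
            errors.append((lineno, raw))
            continue
        entry = (proto, int(port_s))
        for name in [fields[0]] + fields[2:]:   # primary name plus aliases
            table[name].add(entry)
    return dict(table), errors


def resolve(table, wanted):
    """Map requested service names to a sorted list of (proto, port).

    Unknown names come back separately so the caller can refuse to
    generate a rule set rather than emit an incomplete one.
    """
    ports, unknown = set(), []
    for name in wanted:
        if name in table:
            ports |= table[name]
        else:
            unknown.append(name)
    return sorted(ports), unknown


def rules_for(table, wanted, action="ACCEPT", source="net", dest="fw"):
    """Emit one rule line per (proto, port); raise if any name is unknown.

    Raising is the fail-closed choice: a typo in a service name must not
    quietly leave that service unreachable or open something unintended.
    """
    ports, unknown = resolve(table, wanted)
    if unknown:
        raise ValueError("unknown service(s): " + ", ".join(unknown))
    return ["%s\t%s\t%s\t%s\t%d" % (action, source, dest, proto, port)
            for proto, port in ports]


if __name__ == "__main__":
    table, errors = parse_services(SAMPLE_SERVICES)
    for lineno, raw in errors:
        print("services line %d rejected: %s" % (lineno, raw))
    for line in rules_for(table, ["ssh", "www", "domain"]):
        print(line)
```

Run as a script it reports the deliberately malformed line and prints four rule lines (ssh, the www alias of http, and both the tcp and udp entries for domain). Whether a bad services line should abort generation outright or merely be reported is the same trade-off the thread is about: someone still has to verify what goes into the file.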
Tom Eastep wrote:
> ...
>
>> "ports.htm" keeps the "geek factor" too-firmly front and center: "In the
>> end, you still have to be a TCP/IP geek to set it up correctly."
>
> Well, the original slogan for Shorewall could very well have been
> "Built by a geek for geeks". At one time, the Shorewall requirements
> list included that the user must be IP knowledgeable. It was only
> later that I started spending a substantial portion of my time on
> entry-level documentation, sample configurations and the like.

Perhaps i can presume to speak for Tom here: shorewall is an iptables preprocessor. It makes it easy to configure rules in iptables. It isn't a personal firewall like Zone Alarm or Kerio PF, it's a server/router firewall. It requires a TCP/IP geek to operate (for the most part), because servers and routers require one. It would be great if it could fill both roles, but at present it doesn't. In my opinion, tasks like that would be better left to a graphical frontend to Shorewall which provided the means for end-users to configure it.

>> Ordinary firewalls should be easy to set up reliably. In my view, if
>> "it all comes down to a port-list that must be edited by hand," the
>> essential problem that ought to be addressed by a firewall-management
>> product really has not been adequately addressed at all.
>
> Pardon me if I tend to consider Shorewall to be an extraordinary
> firewall :-) You are of course entitled to your opinion.

I hope Tom will pardon me if i don't consider Shorewall to be a firewall management product. :-) My brain is the firewall management product. Shorewall is just the part that enables me to think in zones and rules rather than iptables command lines.

Mike, i think part of the problem here might be that you are expecting Shorewall to solve a problem that it isn't designed to solve. That's not a huge problem - if you think it should solve the problem, patch it until you think it's as it should be and submit the patches to Tom. He's quite open to receiving improvements from others. :-)

>> ...
>> People should be able to think of firewalls as opening and closing
>> access
>> to services on their computer, not TCP/IP ports.
>
> $DIETY forbid that a firewall administrator should know anything about
> IP all right.

s/\$DIETY/\$DEITY/g

Are you on a diet or something, Tom? 8^)

>> ...
>> Otherwise... shouldn't I just be learning iptables command-lines? :-{
>> Or, more likely, continuing to search for a suitable firewall
>> management
>> product.
>
> May your search be fruitful...

Now Tom... Just because you know you have the best iptables firewall generator... ;-)

PDG
--On Tuesday, February 25, 2003 06:37:11 AM +1000 Paul Gear <paul@gear.dyndns.org> wrote:

> Perhaps i can presume to speak for Tom here: shorewall is an iptables
> preprocessor. It makes it easy to configure rules in iptables. It isn't
> a personal firewall like Zone Alarm or Kerio PF, it's a server/router
> firewall. It requires a TCP/IP geek to operate (for the most part),
> because servers and routers require one. It would be great if it could
> fill both roles, but at present it doesn't. In my opinion, tasks like
> that would be better left to a graphical frontend to Shorewall which
> provided the means for end-users to configure it.

I had that same thought -- a pull-down of registered "services" in the Webmin module would make sense. A facility whereby you look into one file to find the name of the service that you are configuring and then transcribe that name into another file doesn't add much value over the ports.htm file IMNSHO.

>>> Ordinary firewalls should be easy to set up reliably. In my view, if
>>> "it all comes down to a port-list that must be edited by hand," the
>>> essential problem that ought to be addressed by a firewall-management
>>> product really has not been adequately addressed at all.
>>
>> Pardon me if I tend to consider Shorewall to be an extraordinary
>> firewall :-) You are of course entitled to your opinion.
>
> I hope Tom will pardon me if i don't consider Shorewall to be a firewall
> management product. :-) My brain is the firewall management product.

:-)

> Shorewall is just the part that enables me to think in zones and rules
> rather than iptables command lines.
>
> Mike, i think part of the problem here might be that you are expecting
> Shorewall to solve a problem that it isn't designed to solve. That's not
> a huge problem - if you think it should solve the problem, patch it until
> you think it's as it should be and submit the patches to Tom. He's quite
> open to receiving improvements from others. :-)

Indeed -- just please start from the /Shorewall thread in CVS since that's where the upcoming 1.4.0 will derive from.

>>> ...
>>> People should be able to think of firewalls as opening and closing
>>> access
>>> to services on their computer, not TCP/IP ports.
>>
>> $DIETY forbid that a firewall administrator should know anything about
>> IP all right.
>
> s/\$DIETY/\$DEITY/g
>
> Are you on a diet or something, Tom? 8^)

Nah -- I just can't type.. :-\

>>> ...
>>> Otherwise... shouldn't I just be learning iptables command-lines? :-{
>>> Or, more likely, continuing to search for a suitable firewall
>>> management
>>> product.
>>
>> May your search be fruitful...
>
> Now Tom... Just because you know you have the best iptables firewall
> generator... ;-)

But on the other hand, there are products that are a lot more popular than Shorewall so those products must be providing the kinds of features that a lot of people want - I suspect that Mike is one of those people.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net