[Shorewall-users] Parameterized Samples Withdrawn

Tom Eastep teastep@shorewall.net
Mon, 8 Apr 2002 16:38:38 -0700 (Pacific Daylight Time)

On Mon, 8 Apr 2002, Richard Kimber wrote:

> But aren't they what make it specially easy?

Yes -- but see below.

> Could you indicate what specific problems there have been? (I've just used
> one in today's installation, am I vulnerable?).

No -- the samples aren't going to suddenly quit working.

> There's a strong case for a single user sample, simply because single
> users (like me) not only haven't mastered iptables, but also can become
> confused by the excellent but large amount of information provided for
> knowledgeable people with more complex setups, and often don't know what
> strategy to adopt, and what the implications of some of the terminology
> are.
> Single, inexpert, directly connected users basically need an easily
> installable firewall that allows them to perform all the basic outgoing
> functions (i.e. allow responses to everything they have initiated), allows
> in stuff from their UBR, DNS server, DHCP server, and the cable modem, and
> prohibits everything else.  That sounds to a newbie like me like a
> candidate for a standard setup sample.

The problem is that the samples not only hide iptables from the user, they
also hide Shorewall itself from the user. So long as the user only needs
functions provided by the sample, all is well. As soon as the user needs
something not in the sample, they must face the "excellent but large
amount of information". Not only do they now need to understand how
Shorewall works but they also need to understand how the sample that they
are running uses Shorewall to do what it does.

So, I think that a very explicit HOWTO can make configuration nearly as
easy as the samples do and the HOWTO will most definitely do a better
job of preparing people to use Shorewall effectively.

Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
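The policy Richard describes (allow everything the host initiates, admit the DHCP exchange and traffic from the provider's equipment, drop the rest) can be written directly in Shorewall's own configuration files rather than through a parameterized sample. The script below is an added example and is not part of the thread or of the Shorewall distribution; it writes minimal zones, interfaces, policy and rules files for a single host with one interface. It assumes the interface is eth0, that the firewall zone keeps Shorewall's default name "fw", and that the cable modem and UBR addresses (192.168.100.1 and 10.0.0.1 here) are placeholders to be replaced with the real ones. Replies to connections the host opens (including DNS lookups) are admitted by Shorewall's connection tracking, so no rule is needed for them.

```shell
#!/bin/sh
# Added example, not code from the Shorewall project or the original post.
# Writes a minimal Shorewall configuration for a single, directly connected
# host with one interface. Assumptions: interface eth0, firewall zone "fw",
# placeholder addresses for the cable modem and UBR.

write_single_host_config() {
    dir="${1:-/etc/shorewall}"
    mkdir -p "$dir"

    # zones: one zone for the Internet; "fw" (the firewall itself) is built in.
    cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
EOF

    # interfaces: the "dhcp" option admits the DHCP exchange with the
    # provider's server; "detect" lets Shorewall find the broadcast address.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp
EOF

    # policy: accept everything the host starts, drop (and log) unsolicited
    # inbound traffic from the net, reject anything else.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # rules: the only exceptions to the policies. The two addresses are
    # placeholders (assumed) for the cable modem and the UBR; each may send
    # echo requests (ICMP type 8) to the host.
    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE              DEST    PROTO   DEST PORT(S)
ACCEPT  net:192.168.100.1   fw      icmp    8
ACCEPT  net:10.0.0.1        fw      icmp    8
EOF
}

# Review helper: count the rules that admit unsolicited traffic from net.
# A single host should have very few of these; each one is a hole in the
# "prohibit everything else" policy and deserves a justification.
inbound_exceptions() {
    grep -c '^ACCEPT[[:space:]]*net' "${1:-/etc/shorewall}/rules"
}
```

Run `write_single_host_config` as root to populate /etc/shorewall, or pass a scratch directory to inspect the result first; `inbound_exceptions` then reports how many inbound holes the rules file opens, which is the number to keep watching as the configuration grows.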