[Shorewall-users] Parameterized Samples Withdrawn

Paul Gear paulgear@bigfoot.com
Tue, 09 Apr 2002 18:22:45 +1000

My AU$0.02: way to go, Tom - you tell 'em!  :-)

But seriously folks...

Richard Kimber wrote:

> On Mon, 8 Apr 2002 12:47:50 -0700 (Pacific Daylight Time)
> Tom Eastep <teastep@shorewall.net> wrote:
> > Although the parameterized samples have allowed people to get a firewall
> > up and running quickly, they have unfortunately set the wrong level of
> > expectation among those who have used them. I am therefore withdrawing
> > support for the samples and I am recommending that they not be used in
> > new Shorewall installations.
> But aren't they what make it specially easy?

In short, no.  What makes Shorewall easy is the concept of zones and the
ability to be able to easily define your traffic flow in terms of those

> ...
> There's a strong case for a single user sample, simply because single
> users (like me) not only haven't mastered iptables, but also can become
> confused by the excellent but large amount of information provided for
> knowledgeable people with more complex setups, and often don't know what
> strategy to adopt, and what the implication of some of the terminology
> are.
> Single, inexpert, directly connected, users basically need an easily
> installable firewall that allows them to perform all the basic outgoing
> functions (i.e. allow responses to everything they have initiated), allows
> in stuff from their UBR, DNS server, DHCP server, and the cable modem, and
> prohibit everything else.  That sounds to a newbie like me like a
> candidate for a standard setup sample.

I agree that there is a need for sample configurations, but not for the
*parameterized* samples previously provided.  As Tom has stated, they give
the wrong impression about using Shorewall.  The parameter is simply a
convenient place to put frequently used hosts and things.  It should not be
used to define all your trusted ports - that's what the rules file is for.

Tom, what about publishing the unparameterized samples I previously sent
you?  I think it would be good if all the interfaces and rules were commented
out by default, with explanations of what each one does if uncommented.  I'd
be happy to maintain and (partially) support them if people find them useful.

admin@kiteflyer.com wrote:

> ...
> I'm gonna have to side with Tom on this one.
> Although the parameterized solutions may get you off the ground quicker, it is
> not that much more trouble to configure the few entries needed by a default
> system.
> ...
> To me, it just doesn't seem as logical to follow as non-parameterized.

Hear, hear!  That's what I've been telling people for some time.
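As an added illustration of the split the thread argues for (hosts in params, trusted ports in the rules file) for the single, directly connected user Richard describes, here is a constructed Shorewall layout that is not part of this post or of any Shorewall sample; the addresses, the interface name and the variable names are placeholders, and the column layouts are assumed to match the 1.2-era files.

```text
# /etc/shorewall/params  (constructed; read as shell, so plain variable assignments)
# Only frequently referenced hosts belong here.  No ports: a host in params
# says nothing about what it is allowed to reach.
ADMIN_HOST=192.0.2.10          # placeholder: the one machine allowed to ssh in

# /etc/shorewall/interfaces  (ZONE INTERFACE BROADCAST OPTIONS)
# 'dhcp' lets the lease traffic through without any hand-written rule.
net     eth0    detect    dhcp

# /etc/shorewall/policy  (SOURCE DEST POLICY LOG-LEVEL)
# Outbound from the firewall is allowed; replies to those connections come
# back through connection tracking, so DNS answers, the UBR and the cable
# modem need no inbound rule of their own.  Everything else inbound is dropped.
fw      net     ACCEPT
net     all     DROP      info
all     all     REJECT    info

# /etc/shorewall/rules  (ACTION SOURCE DEST PROTO DEST-PORT)
# Every trusted inbound port is declared here, one line per exception,
# so the list of what is open can be read in a single place.
ACCEPT  net:$ADMIN_HOST   fw   tcp   22
```

Reading the rules file alone then tells you everything the host accepts unsolicited, which is the property the parameterized samples obscured.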