[Shorewall-users] Re: Shorewall-users digest, Vol 1 #122 - 10 msgs

Mark Hoover mhoover@nps.k12.va.us
Tue, 09 Apr 2002 08:38:10 -0400



From: "Jim Hubbard" <jimh@xlproject.com>
Subject: RE: [Shorewall-users] Parameterized Samples Withdrawn


>rather the user read and understand the whole thing first.  The newbie just
>wants it to work; he doesn't care how, how well, or why right now because
>he'll read the docs and tweak his setup later (maybe).  Newbies don't want
>to read and understand, we want a sample and some quick pointers for common
>setups.  Once our firewall is running and everything still works, THEN we'll
>read.  It's kinda like those instructions that came with your kid's bike.

And herein lies the problem.  Sure, people like the ones that represent a good
portion of this list will set something up and go back to tighten up the loopholes
after browsing the documentation.  However, it's the newbies who "just want
it to work" that are going to cause the most problems because they won't
go back and read the documentation.

You could give most of these people a firewall ruleset that allows everything
through and as long as they get a "Shorewall Started [    OK   ]" they'll think
they have a secure system.

This is the same reason we have all these IIS server problems (aside from MS
not properly auditing their code).  You install a NT/2k server with IIS and it
automatically starts without much if any configuration needing to be done
by the user.  You now have a perfect target for code red or whatever else
comes along.  The same problem was seen with earlier versions of sendmail
that came defaulted to being an open relay.  People saw that sendmail started,
it worked for them, and except for the sysadmins who realized this was a problem,
nobody tweaked their settings.

As you can guess, I can see where Tom is coming from.  Before running anything
like this, one should have an idea of how it's all supposed to work and hopefully
have an idea of how to alter it.


------------------------------------------------------------------
Mark Hoover
District Network Engineer
Norfolk Public Schools
628-3450
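[Editor's added example, not part of Mark's message or of the Shorewall project.]  The point above is that "Shorewall Started [ OK ]" only means the ruleset compiled and loaded, not that it denies anything.  The script below is a small POSIX sh check that reads a Shorewall /etc/shorewall/policy file (columns SOURCE DEST POLICY, optional LOG LEVEL, '#' comments) and flags the two things a newbie's "just make it work" file typically has: an ACCEPT policy with source `net` or `all`, and no catch-all `all all DROP|REJECT` entry.  The policy file contents in the demo are constructed for illustration; the function name `audit_shorewall_policy` and the temp-file demo are the editor's own and are not a Shorewall command.

```shell
#!/bin/sh
# Added example (not from the original post or the Shorewall project):
# audit a Shorewall policy file for an "allow everything through" setup.
#
# Shorewall policy file layout (one entry per line, '#' starts a comment):
#   SOURCE  DEST  POLICY  [LOG-LEVEL  [BURST:LIMIT]]
# POLICY is one of ACCEPT, DROP, REJECT, CONTINUE, QUEUE, NONE.

# audit_shorewall_policy FILE
#   Returns 0 when the file looks restrictive, 1 when it would let
#   Internet traffic straight through or has no catch-all deny.
#   Findings are printed to stderr, one per line.
audit_shorewall_policy() {
    file="$1"
    problems=0
    have_catchall=0

    while read -r src dst pol rest; do
        # Skip blank lines and comment lines.
        case "$src" in
            ''|'#'*) continue ;;
        esac

        case "$pol" in
            ACCEPT)
                # Anything from the net zone (or from everywhere) being
                # accepted outright is the "allows everything through" case.
                if [ "$src" = "net" ] || [ "$src" = "all" ]; then
                    echo "WEAK: $src -> $dst is ACCEPT (inbound from the Internet allowed)" >&2
                    problems=$((problems + 1))
                fi
                ;;
            DROP|REJECT)
                # A final 'all all DROP|REJECT' is what makes unlisted traffic fail closed.
                if [ "$src" = "all" ] && [ "$dst" = "all" ]; then
                    have_catchall=1
                fi
                ;;
        esac
    done < "$file"

    if [ "$have_catchall" -eq 0 ]; then
        echo "WEAK: no 'all all DROP' or 'all all REJECT' catch-all policy" >&2
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Stand-alone demo with a constructed policy file (not a real /etc/shorewall/policy).
demo_dir=$(mktemp -d)
printf '# constructed "it works!" policy\nall all ACCEPT\n' > "$demo_dir/policy"
if audit_shorewall_policy "$demo_dir/policy"; then
    echo "policy looks restrictive"
else
    echo "policy would start fine but protects nothing"
fi
rm -rf "$demo_dir"
```

Run it against a real policy file with `audit_shorewall_policy /etc/shorewall/policy` after sourcing the script.  A reassuring result still says nothing about the rules file, which can punch holes in a good policy, so treat it as the first sanity check rather than a substitute for reading the documentation.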