Firewall Wizards mailing list archives

Time for a new FWTK?


From: chuck yerkes <Chuck () yerkes com>
Date: Sun, 23 Nov 1997 23:48:58 -0500 (EST)

It is claimed, but unverified, that Craig Brozefsky wrote:

On Sun, 23 Nov 1997, Marcus J. Ranum wrote:
on my box, you shouldn't need the man pages. If you do,
you're not stud enough, ipso facto.

Ok stud, which vowels are not ls command line arguments.  Tell me that 
without a man page 8)

    oscar 131 % for vowel in a A e E i I o O u U ; do
    for>  ls -$vowel >/dev/null || echo $vowel is bad
    for>  done
    oscar 134 %

Er, none?  Realistically, I never need to answer that query; I
need to answer, "what is the argument that shows it by mod-time?"
- but actually, since I have the man pages on its internal,
unstripped brother that I do all my compiles and tests on, I don't
have that problem.  Surely your firewall is not the only one of
that architecture around?

I went through something like this with a Debian Linux box a few months 
ago.  I find their distribution simple enough that I could easily strip 
it down to all but the necessities, and remove all the setuid binaries.  
Granted it was then no longer a real multi-user unix, but what the hell.  
Well, that's the goal, in'it?

The Debian package system is helpful because you can really easily 
add/subtract things from the system, and it will preserve your various 
configurations along the way.  To be honest though, I still found that Linux 
and the tools I could use on it did not give me as much flexibility in 
the implementation of my desired security policy.  It wouldn't take that 
much work to whip up some better policy rules for the FWTK, or even to 
rewrite large portions of it, considering that much of it is kinda buggy 
(i.e. http-gw rewriting javascript hrefs and breaking the funcs), but it 
seems like no one has done that yet.  Are there any initiatives for 
rewriting, or developing an entirely new firewall toolkit for Linux and 
other free BSDs?

Hey, Marcus, want to do the FWTK/DEC SEAL stuff AGAIN under GPL or
the BSD license?  Call it MRTK4FW (you figure it out) and get your
net-immortality.  I'll buy coffee....

At this point, I'd rather that WE patch the fwtk.  It's a fine proxy
set, a set of tools to help make a firewall.  I just see too many
people putting it on a machine, doing nothing else and calling it a
firewall.  It came out at a time when people were writing their own
or not realizing that they needed firewalls (didn't before).  It came
out, generously, for free and filled a need.  Still does, mostly.

Really, though, I think the TIS FWTK is a good starting point for
proxies- esp for the tn-gw and ftp-gw.  http-gw is hard, because the
protocol is so flexible and now carries SO much.  Much of the
security should be back on the client (like "only run Java or
Live^H^H^H^HJavaScript coming from these networks," at a minimum)

But it's a toolkit and it was put up free by a company trying to
compete in a market full of charlatans with glossies and slick
salesweasels that say that whatever the client wants can be done
securely.  I've cleaned up after enough of them.

I'm willing to buy Gauntlet if I have a client that needs a full,
supported firewall - it's got a better http-gw than the fwtk and the
GUI and scripts and support that clients like.

chuck
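
The setuid-stripping step Craig describes above (pare a Debian box down to
the necessities and remove all the setuid binaries) is the kind of thing
worth scripting so it can be re-run after every package update.  What
follows is an added example for this archive, not code from anyone in the
thread and not part of the TIS FWTK: a POSIX shell routine that enumerates
set-uid/set-gid regular files under a root directory, and clears the bits on
everything not named in an explicit allow-list.  The function names, the
allow-list file format (one absolute path per line) and the sample paths are
assumptions for illustration.  As Craig notes, once you take the bit off
things like su or passwd the host is no longer a usable multi-user unix,
which for a bastion host is the point.

```shell
#!/bin/sh
# Added example, not from the original thread.  Audits a filesystem for
# set-uid/set-gid regular files and strips the bits from everything that
# is not on an explicit allow-list (one absolute path per line).

# Print every regular file under $1 carrying the setuid or setgid bit.
# -xdev keeps us on one filesystem so /proc, NFS mounts etc. are skipped.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Number of set-id files under $1; a useful audit metric to track over time.
count_setid() {
    find_setid "$1" | wc -l | tr -d ' '
}

# Clear setuid and setgid on every set-id file under $1 except the paths
# listed in the allow-list file $2.  Paths are matched whole (-x) and
# literally (-F) so a partial match cannot accidentally spare a binary.
strip_setid() {
    root=$1
    keep=$2
    find_setid "$root" | while IFS= read -r f; do
        if grep -qxF -- "$f" "$keep" 2>/dev/null; then
            continue           # explicitly allowed, leave the bits alone
        fi
        chmod u-s,g-s -- "$f"  # drop both bits; file stays executable
    done
}

# Typical use on a bastion host (assumed paths):
#   find_setid /                 > /root/setid.before
#   strip_setid / /root/setid.allow
#   find_setid /                 > /root/setid.after
```

Run the enumeration before and after a package upgrade and diff the two
lists; a new set-id binary appearing on a firewall is a change you want to
notice, whatever the allow-list says.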
