Firewall Wizards mailing list archives
Time for a new FWTK?
From: chuck yerkes <Chuck () yerkes com>
Date: Sun, 23 Nov 1997 23:48:58 -0500 (EST)
It is claimed, but unverified, that Craig Brozefsky wrote:
> On Sun, 23 Nov 1997, Marcus J. Ranum wrote:
>> on my box, you shouldn't need the man pages. If you do, you're not stud enough, ipso facto.
>
> Ok stud, which vowels are not ls command line arguments. Tell me that without a man page 8)

oscar 131 % for vowel in a A e E i I o O u U ; do
for> ls -$vowel >/dev/null || echo $vowel is bad
for> done
oscar 134 %

Er, none? Realistically, I never need to answer that query; I need to answer, "what is the argument that shows it by mod-time?" - but actually, since I have the man pages on its internal, unstripped brother that I do all my compiles and tests on, I don't have that problem. Surely your firewall is not the only one of that architecture around?

> I went thru something like this with a Debian Linux box a few months ago. I find their distribution simple enough that I could easily strip it down to all but the necessities, and remove all the setuid binaries. Granted it was then no longer a real multi-user unix, but what the hell.

Well, that's the goal, in'it?

> The Debian package system is helpful because you can really easily add/subtract things from the system, and it will preserve your various configurations along the way. To be honest tho I still found that Linux and the tools I could use on it did not give me as much flexibility in the implementation of my desired security policy.
>
> It wouldn't take that much work to whip up some better policy rules for the FWTK, or even to rewrite large portions of it, considering that much of it is kinda buggy (i.e. http-gw rewriting javascript hrefs and breaking the funcs), but seems like no one has done that yet. Are there any initiatives for rewriting, or developing an entirely new firewall toolkit for Linux and other free BSDs?

Hey, Marcus, want to do the FWTK/DEC SEAL stuff AGAIN under GPL or the BSD license? Call it MRTK4FW (you figure it out) and get your net-immortality. I'll buy coffee....

At this point, I'd rather that WE patch the fwtk. It's a fine proxy set, a set of tools to help make a firewall. I just see too many people putting it on a machine, doing nothing else and calling it a firewall. It came out at a time when people were writing their own or not realizing that they needed firewalls (didn't before). It came out, generously, for free and filled a need. Still does, mostly.

Really, though, I think the TIS FWTK is a good starting point for proxies - esp for the tn-gw and ftp-gw. http-gw is hard, because the protocol is so flexible and now carries SO much. Much of the security should be back on the client (like "only run Java or Live^H^H^H^HJavaScript coming from these networks," at a minimum).

But it's a toolkit and it was put up free by a company trying to compete in a market full of charlatans with glossies and slick salesweasels that say that whatever the client wants can be done securely. I've cleaned up after enough of them. I'm willing to buy Gauntlet if I have a client that needs a full, supported firewall - it's got a better http-gw than the fwtk and the GUI and scripts and support that clients like.

chuck