 From:  "Jan Koetze" <jan at koetze dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] m0n0wall feature request
 Date:  Sat, 31 Jan 2004 21:31:19 +0100

I don't agree with you :-) It's true that a firewall should be as simple as possible, but that does not mean the lack of basic security features. An IDS (SNORT, Prelude, Demarc, etc.) is great, but it does not protect you. It makes you aware of what is going on, nothing more and nothing less. IMHO an IDS has nothing to do with the discussion we had... sorry :-)

The goal is not to protect the firewall but to have a firewall that protects the network(s) behind it. When someone scans excessive ports in a short period of time they should be blocked automatically. And I don't care if the blocking rule is for a user configurable period of time or till the next reboot, as long as they are blocked. Why? Well, why should I trust someone who is firing a nmap myhost.com -p 21 22 23 80 443 -P 0 -sS at me? Should I trust the services behind those ports and hope that they are exploit free? Guess not. Should I watch my IDS 24/7 and make blocking rules myself? Guess not. The firewall should block them, that's where this should happen. This is not an exotic feature but a MUST for a firewall.

The same goes for DoS attacks. The last time I put this issue in a feature request people tried to tell me that you can't do anything about DoS attacks. In a way this is true, but again it's not the firewall or in this case the bandwidth we want to protect but the services behind it. Take a look at an Apache DoS attack at http://seclists.org/lists/bugtraq/1997/Dec/0172.html and tell me if you still think that this shouldn't be blocked. True, the bandwidth is gone. True, everything is unreachable. But the services behind the firewall are protected. This is a difficult matter since DoS attacks can/will come from many many many different IPs, but that doesn't mean that we can't do anything about them. Right?

I feel real shit to write all this! Really I am. I think that m0n0wall is a great product and will be better and better. I realize how much time such a project will take. Still, I think it is important to post these


Jan Koetze

-----Original Message-----
From: Chad R. Larson [mailto:clarson at eldocomp dot com] 
Sent: Tuesday, January 27, 2004 11:58 PM
To: Jan Koetze; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] m0n0wall feature request

At 03:54 AM 1/23/2004, Jan Koetze wrote:
>option to stop portscans the way portsentry does or at least drop the 
>request for a few minutes when a portscan occurs. With the current 
>release people can scan forever.

I believe we had this discussion a while back.  Most "best practices" would have an intrusion detection system (IDS) on a separate machine from your firewall.  The firewall should be as simple as possible and be as reliable as an anvil.

The more features, the more potential exploits...

Chad R. Larson (CRL22)    chad at eldocomp dot com
   Eldorado Computing, Inc.   602-604-3100
      5353 North 16th Street, Suite 400
        Phoenix, Arizona   85016-3228


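The auto-block behaviour Jan asks for (count distinct destination ports per source inside a short window, block the source for a configurable period, let the block expire) is easy to sketch. The block below is an added example written for this thread; it is not m0n0wall code, not portsentry, and not anything either poster provided. It assumes a constructed log format of "<epoch seconds> <source IP> <destination port>", one line per connection attempt the firewall saw (an nmap -sS probe against a filtered port shows up as exactly one such SYN), and the thresholds (5 distinct ports in 10 seconds, 300-second block) are made-up values standing in for the "user configurable period" in the message.

```python
"""Port-scan auto-block simulation (illustrative, not m0n0wall's code).

Log format (constructed for this example): "<epoch> <src_ip> <dst_port>".
Thresholds are assumptions chosen for the demo, not recommendations.
"""
from collections import defaultdict, deque


class ScanBlocker:
    """Track distinct destination ports per source over a sliding window and
    block any source that touches too many of them."""

    def __init__(self, max_ports=5, window=10, block_for=300):
        self.max_ports = max_ports      # distinct ports that trigger a block
        self.window = window            # seconds the port history is kept
        self.block_for = block_for      # seconds a block stays in force
        self.recent = defaultdict(deque)  # src -> deque of (ts, dst_port), oldest first
        self.blocked = {}                 # src -> timestamp at which the block expires

    def _expire_blocks(self, now):
        # Blocks are time-limited, so a scanner is not banned forever by accident.
        for src, until in list(self.blocked.items()):
            if until <= now:
                del self.blocked[src]

    def is_blocked(self, src, now):
        self._expire_blocks(now)
        return src in self.blocked

    def observe(self, ts, src, dst_port):
        """Feed one connection attempt and return the firewall's verdict:
        'drop'  - source is already blocked, the packet is dropped
        'block' - this attempt crossed the threshold, source is now blocked
        'pass'  - nothing suspicious yet"""
        if self.is_blocked(src, ts):
            return "drop"
        q = self.recent[src]
        q.append((ts, dst_port))
        # Forget probes older than the window before counting.
        while q and q[0][0] < ts - self.window:
            q.popleft()
        # Repeated hits on the same port (a normal client retrying) count once.
        distinct = {port for _, port in q}
        if len(distinct) >= self.max_ports:
            self.blocked[src] = ts + self.block_for
            q.clear()
            return "block"
        return "pass"


def parse_line(line):
    ts, src, port = line.split()
    return int(ts), src, int(port)


def run(lines, **kwargs):
    """Replay log lines through a fresh ScanBlocker; return per-line verdicts."""
    blocker = ScanBlocker(**kwargs)
    verdicts = []
    for line in lines:
        ts, src, port = parse_line(line)
        verdicts.append((ts, src, port, blocker.observe(ts, src, port)))
    return verdicts, blocker


# Constructed sample: one legitimate web client and one host running the
# kind of scan quoted in the thread (ports 21 22 23 80 443 in a few seconds).
SAMPLE_LOG = [
    "1000 203.0.113.5 80",
    "1001 198.51.100.7 21",
    "1002 198.51.100.7 22",
    "1003 198.51.100.7 23",
    "1004 198.51.100.7 80",
    "1005 203.0.113.5 80",
    "1006 198.51.100.7 443",   # fifth distinct port inside 10 s -> block
    "1007 198.51.100.7 8080",  # already blocked -> drop
    "1020 203.0.113.5 443",    # second port for the client, but only 1 in window
    "1400 198.51.100.7 25",    # 300 s block has expired -> counted afresh
]

if __name__ == "__main__":
    verdicts, _ = run(SAMPLE_LOG)
    for ts, src, port, verdict in verdicts:
        print(f"{ts} {src:<14} port {port:<5} {verdict}")
```

The design point worth noting is the two caveats a practitioner hits first: counting distinct ports rather than raw hits keeps a retrying client off the block list, and the expiry keeps a spoofed-source scan from locking out a legitimate address for good, which is the usual objection to permanent automatic blocks.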