On Tue, 2004-03-16 at 11:55, Dana Spiegel wrote:
> On Mar 15, 2004, at 6:57 PM, Hilton Travis wrote:
> > Hi Mitch,
> > On Tue, 2004-03-16 at 09:33, Mitch (WebCob) wrote:
> >> Just a thought...
> >>>> Can be a bit difficult for all those hot-spot users that will
> >>> be using the
> >>>> network, no? :)
> >>> Quite possibly, but I'd rather not have such a feature on a firewall
> >>> -
> >>> its use would be limited to only those few people in that situation,
> >>> and
> >>> would introduce another possible point of vulnerability for all
> >>> users.
> >>> I still think that an Internet, web server, or other would be more
> >>> appropriate than some popup on the *firewall*.
> >> In a time when there are more packaging managers than programmers (or
> >> so it
> >> seems), why can't we stop bickering about what a firewall is, and start
> >> enabling people to do the expansions they need?
> >> As monowall is based on FreeBSD, does it support the standard package
> >> manager functions?
> >> If so, then instead of saying "NO" to features each of us may
> >> personally
> >> find useless, and turning away those portions of a potentially larger
> >> user
> >> community, why don't we encourage or support organized extension of
> >> the
> >> existing platform?
> > Because a firewall is a security device. Plain and simple. It is not
> > a
> > web server, nor a file server, nor an ftp server, nor does it do your
> > ironing, scrub the bathroom tiles nor wash the oil stains off your
> > garage floor. The more fluff you add, the less secure the firewall
> > becomes, and the less able to do its real job - protecting your
> > network.
> >> What is common and in yours or my best interest today MAY change
> >> tomorrow -
> >> I'd rather have one big project with lots of support and
> >> extendability as
> >> needed than have hundreds of splinter projects so no one knows which
> >> supports what.
> > Personally, I'd rather have a secure firewall.
> > Manuel, on his monowall website, does have a "hacker's guide" that will
> > allow you to create a m0n0wall image to suit your needs. Sure, this
> > may
> > create splinter projects, if you and others do this - but then people
> > can choose the added fluff they need. I'd think that most people would
> > choose the "no fluff" version. If a particular piece of added fluff
> > becomes popular, and fits within the ethos of m0n0wall, then I'm sure
> > Manuel would consider adding it to his base images.
> > I'd still rather have a secure firewall and use other devices to butter
> > my bread.
> To be honest, this is a stupid argument to be having. It's quite easy,
> should we decide to do so, to add an on/off button for a particular
> feature (defaulting to off). Then you would have your secure firewall,
> while others would have their firewall + SOHO router.
It really is far from that simple. I cannot see that installing a
telnet server, ftp server, samba server, quake server, ident server,
finger server, a copy of nmap, nessus, a C compiler, kismet, smokeping or
nocatsplash and leaving them almost all disabled is a good idea for a
firewall. And before you start saying you didn't ask for a telnet or
Samba server, others have asked for them.
Admittedly, nocatsplash is probably more appropriate than a lot of other
things, and if Manuel sees this as keeping to the m0n0wall ethos and
implements it, then I'll learn to live with it. However I still don't
like the idea of every application under the sun being suggested for a
firewall. A firewall is a firewall. I'd prefer, were it *my* network,
to have the firewall connect to a server that can run squid, IDS,
nocatsplash and anything else appropriate, and this be used as the
gateway for the LAN/WiFi users.
> To be clear, in a sense what is being proposed by Mitch, and has been
> proposed and supported by me and a few others in the past, can be
> argued to be "appropriate" for your definition of what m0n0wall should
> include, since enabling secure routing of packets is a function of a
> "captive portal".
Actually, as I suggested above, having Internet -> m0n0wall -> internal
server -> LAN/WiFi network with the internal server running nocatsplash
is inherently more secure and appropriate for the scenario you are
describing. The firewall is the security device, and the proxy/web
server/nocatsplash/IDS/mail/whatever box provides the other
(non-firewall specific) networking functionality.
> To be sure, someone other than Manuel should endeavor to build this
> functionality, since he is probably (and understandably) busy with more
> pressing matters (m0n0 or otherwise).
And then Manuel will need to incorporate it in the images he creates.
> One of the greatest things about m0n0wall, and the reason why I use it
> instead of a Linux box, is its ease of use and pleasant web interface.
> Adding to this an ability to set up a captive portal (one that could be
> enabled/disabled at the operator's will) would certainly increase the
> marketability of the project and would invite more people to
> participate in making it an even better system.
Ease of use should not and cannot be equated with "ability to install
anything that a user feels like without considering the other more
appropriate options". It's just not sensible.
> And to be honest, standing behind the excuse of "no because it will
> compromise the security of the device" is only valid when it is a true
> statement. The addition of a captive portal would in no way compromise
> your firewall if you choose not to enable it, just like the ability to
> use an 802.11b card in m0n0wall doesn't compromise your firewall if you
> choose not to install it.
OK. If this is an untrue statement - as you are saying it is - then
prove it (properly) and I'll admit I was wrong. Installing a bucketload
of code on a security device is just asking for trouble. Anyone with a
security background will agree with this.
> To everyone's benefit, I think that if someone is interested in
> building this feature, we should support and encourage its creation,
> and leave the nay-saying to a minimum.
Same goes with those wanting Samba on the firewall? Or telnet? Where
do we draw the line? All of those services - including nocatsplash -
are more appropriate on an internal server than on a firewall. I
suggest that encouraging insecure practices on a firewall distro is not
something that we should encourage at all.
> D a n a S p i e g e l
> s o c i a b l e D E S I G N :: www.sociableDESIGN.com
> 123 Bank Street, Suite 510, New York, NY 10014
> p +1 917 402 0422 :: e dana at sociableDESIGN dot com
Sociable designs and socially responsible designs are not always the
Hilton Travis Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual Phone: +61-(0)419-792-394
Quark Computers http://www.QuarkAV.com/
(Brisbane, Australia) http://www.QuarkAV.net/
Open Source Projects: http://www.ares-desktop.org/
Non Linear Video Editing Solutions & Digital Audio Workstations
Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
Conference and Seminar AudioVisual Production and Recording
War doesn't determine who is right. War determines who is left.
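The split Hilton argues for above (firewall on one box, proxy/IDS/captive portal on an internal server behind it) only holds if the firewall really does stay bare, so the practical check is to enumerate what the firewall host actually listens on and compare it with what it is supposed to expose. The following is an added example, not code from this thread or from m0n0wall: a small POSIX shell audit that reads FreeBSD `sockstat -4 -l` style output (the column layout is an assumption) and flags every listener not on an explicit allow-list. The allow-list and the sample sockstat lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from m0n0wall): audit the sockets a
# firewall host is listening on against an explicit allow-list, so that any
# "fluff" service that ends up enabled shows up immediately.
#
# Assumptions: input is in the format of FreeBSD `sockstat -4 -l`
# (USER COMMAND PID FD PROTO "LOCAL ADDRESS" "FOREIGN ADDRESS"); the
# allow-list below is a constructed example of what a bare firewall with a
# web GUI, DNS forwarder and DHCP server might legitimately expose.

# Allowed listeners as proto:port pairs (constructed assumption; edit for your host).
ALLOWED="tcp:443 udp:53 udp:67"

# is_allowed PROTO PORT -> status 0 if PROTO:PORT is on the allow-list.
is_allowed() {
    for entry in $ALLOWED; do
        [ "$entry" = "$1:$2" ] && return 0
    done
    return 1
}

# audit_listeners reads sockstat-style lines on stdin, prints every listener
# that is not on the allow-list, and returns the number of such listeners
# (capped at 255 to fit an exit status), so status 0 means "nothing unexpected".
audit_listeners() {
    unexpected=0
    while read -r user cmd pid fd proto laddr faddr; do
        # Skip the header line and blank lines.
        case "$user" in USER|"") continue ;; esac
        # Normalise tcp4/tcp6/udp4/udp6 to tcp/udp; ignore anything else.
        case "$proto" in
            tcp*) proto=tcp ;;
            udp*) proto=udp ;;
            *) continue ;;
        esac
        # The port is whatever follows the last colon in the local address.
        port=${laddr##*:}
        if ! is_allowed "$proto" "$port"; then
            echo "UNEXPECTED: $cmd (pid $pid) listening on $proto $laddr"
            unexpected=$((unexpected + 1))
        fi
    done
    [ "$unexpected" -gt 255 ] && unexpected=255
    return "$unexpected"
}

# Constructed sample of `sockstat -4 -l` output: the three expected services
# plus a telnet daemon and a Samba daemon that have no business on a firewall.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     mini_httpd 113   3  tcp4   *:443                 *:*
root     dnsmasq    97    4  udp4   *:53                  *:*
root     dhcpd      121   7  udp4   *:67                  *:*
root     telnetd    230   3  tcp4   *:23                  *:*
root     smbd       244   5  tcp4   192.168.1.1:445       *:*'

# Demo against the constructed sample. On a real FreeBSD host replace the
# printf with:  sockstat -4 -l | audit_listeners
printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_listeners ||
    echo "audit: $? unexpected listener(s) found"
```

On a real host the call is `sockstat -4 -l | audit_listeners`; a non-zero exit status is the signal that something beyond the firewall's own services has been enabled, which makes it a cheap thing to run after rebuilding an image from the hacker's guide or from cron. The sample run above flags telnetd on tcp 23 and smbd on tcp 445 and exits with status 2.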