Hi Dana,

On Tue, 2004-03-16 at 11:55, Dana Spiegel wrote:
> On Mar 15, 2004, at 6:57 PM, Hilton Travis wrote:
>
> > Hi Mitch,
> >
> > On Tue, 2004-03-16 at 09:33, Mitch (WebCob) wrote:
> >> Just a thought...
> >>
> >>>> Can be a bit difficult for all those hot-spot users that will
> >>>> be using the network, no? :)
> >>>
> >>> Quite possibly, but I'd rather not have such a feature on a
> >>> firewall - its use would be limited to only those few people in
> >>> that situation, and would introduce another possible point of
> >>> vulnerability for all users. I still think that an Internet, web
> >>> server, or other would be more appropriate than some popup on the
> >>> *firewall*.
> >>>
> >>
> >> In a time when there are more packaging managers than programmers
> >> (or so it seems), why can't we stop bickering about what a
> >> firewall is, and start enabling people to do expansions they need?
> >>
> >> As monowall is based on FreeBSD, does it support the standard
> >> package manager functions?
> >>
> >> If so, then instead of saying "NO" to features each of us may
> >> personally find useless, and turning away those portions of a
> >> potentially larger user community, why don't we encourage or
> >> support organized extension of the existing platform?
> >
> > Because a firewall is a security device. Plain and simple. It is
> > not a web server, nor a file server, nor an ftp server, nor does it
> > do your ironing, scrub the bathroom tiles nor wash the oil stains
> > off your garage floor. The more fluff you add, the less secure the
> > firewall becomes, and the less able to do its real job - protecting
> > your network.
> >
> >> What is common and in yours or my best interest today MAY change
> >> tomorrow - I'd rather have one big project with lots of support
> >> and extendability as needed than have hundreds of splinter
> >> projects so no one knows which supports what.
> >
> > Personally, I'd rather have a secure firewall.
> >
> > Manuel, on his monowall website, does have a "hacker's guide" that
> > will allow you to create a m0n0wall image to suit your needs. Sure,
> > this may create splinter projects, if you and others do this - but
> > then people can choose the added fluff they need. I'd think that
> > most people would choose the "no fluff" version. If a particular
> > piece of added fluff becomes popular, and fits within the ethos of
> > m0n0wall, then I'm sure Manuel would consider adding it to his base
> > images.
> >
> > I'd still rather have a secure firewall and use other devices to
> > butter my bread.
>
> To be honest, this is a stupid argument to be having. It's quite
> easy, should we decide to do so, to add an on/off button for a
> particular feature (defaulting to off). Then you would have your
> secure firewall, while others would have their firewall + SOHO
> router.

It really is far from that simple. I cannot see that installing a
telnet server, ftp server, samba server, quake server, ident server,
finger server, a copy of nmap, nessus, a c compiler, kismet, smokeping
or nocatsplash and leaving them almost all disabled is a good idea for
a firewall. And before you start saying you didn't ask for a telnet or
Samba server, others have asked for them.

Admittedly, nocatsplash is probably more appropriate than a lot of
other things, and if Manuel sees this as keeping to the m0n0wall ethos
and implements it, then I'll learn to live with it. However I still
don't like the idea of every application under the sun being suggested
for a firewall. A firewall is a firewall.

I'd prefer, were it *my* network, to have the firewall connect to a
server that can run squid, IDS, nocatsplash and anything else
appropriate, and this be used as the gateway for the LAN/WiFi users.

> To be clear, in a sense what is being proposed by Mitch, and has been
> proposed and supported by me and a few others in the past, can be
> argued to be "appropriate" for your definition of what m0n0wall
> should include, since enabling secure routing of packets is a
> function of a "captive portal".

Actually, as I suggested above, having Internet -> m0n0wall -> internal
server -> LAN/WiFi network with the internal server running nocatsplash
is inherently more secure and appropriate for the scenario you are
describing. The firewall is the security device, and the proxy/web
server/nocatsplash/IDS/mail/whatever box provides the other
(non-firewall specific) networking functionality.

> To be sure, someone other than Manuel should endeavor to build this
> functionality, since he is probably (and understandably) busy with
> more pressing matters (m0n0 or otherwise).

And then Manuel will need to incorporate it in the images he creates.

> One of the greatest things about m0n0wall, and the reason why I use
> it instead of a Linux box, is its ease of use and pleasant web
> interface. Adding to this an ability to set up a captive portal (one
> that could be enabled/disabled at the operator's will) would
> certainly increase the marketability of the project and would invite
> more people to participate in making it an even better system.

Ease of use should not and cannot be equated with "ability to install
anything that a user feels like without considering the other more
appropriate options". It's just not sensible.

> And to be honest, standing behind the excuse of "no because it will
> compromise the security of the device" is only valid when it is a
> true statement. The addition of a captive portal would in no way
> compromise your firewall if you choose not to enable it, just like
> the ability to use an 802.11b card in m0n0wall doesn't compromise
> your firewall if you choose not to install it.

OK. If this is an untrue statement - as you are saying it is - then
prove it (properly) and I'll admit I was wrong. Installing a bucketload
of code on a security device is just asking for trouble. Anyone with a
security background will agree with this.

> To everyone's benefit, I think that if someone is interested in
> building this feature, we should support and encourage its creation,
> and leave the nay-saying to a minimum.

Same goes with those wanting Samba on the firewall? Or telnet? Where do
we draw the line? All of those services - including nocatsplash - are
more appropriate on an internal server than on a firewall.

I suggest that encouraging insecure practices on a firewall distro is
not something that we should encourage at all.

- HiltonT

> D a n a S p i e g e l
> s o c i a b l e D E S I G N :: www.sociableDESIGN.com
> 123 Bank Street, Suite 510, New York, NY 10014
> p +1 917 402 0422 :: e dana at sociableDESIGN dot com

Sociable designs and socially responsible designs are not always the
same thing.

--
Regards,

Hilton Travis                          Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual             Phone: +61-(0)419-792-394
Quark Computers                        http://www.QuarkAV.com/
(Brisbane, Australia)                  http://www.QuarkAV.net/

Open Source Projects: http://www.ares-desktop.org/
                      http://www.mamboband.org/

Non Linear Video Editing Solutions & Digital Audio Workstations
Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right. War determines who is left.