[ previous ] [ next ] [ threads ]
 From:  Hilton Travis <Hilton at QuarkAV dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Nocatsplash
 Date:  Tue, 16 Mar 2004 16:42:17 +1000
Hi Dana,

On Tue, 2004-03-16 at 11:55, Dana Spiegel wrote:

> On Mar 15, 2004, at 6:57 PM, Hilton Travis wrote:
> > Hi Mitch,
> >
> > On Tue, 2004-03-16 at 09:33, Mitch (WebCob) wrote:
> >> Just a thought...
> >>
> >>>> Can be a bit difficult for all those hot-spot users that will
> >>> be using the
> >>>> network, no? :)
> >>>
> >>> Quite possibly, but I'd rather not have such a feature on a firewall 
> >>> -
> >>> its use would be limited to only those few people in that situation, 
> >>> and
> >>> would introduce another possible point of vulnerability for all 
> >>> users.
> >>> I still think that an Internet, web server, or other would be more
> >>> appropriate than some popup on the *firewall*.
> >>>
> >>
> >> In a time when there are more packaging managers than programmers (or 
> >> so it
> >> seems) Why can't we stop bickering about what a firewall is, and start
> >> enabling people to do expansions they need.
> >>
> >> As monowall is based on FreeBSD, does it support the standard package
> >> manager functions?
> >>
> >> If so, then instead of saying "NO" to features each of us may 
> >> personally
> >> find useless, and turning away those portions of a potentially larger 
> >> user
> >> community, why don't we encourage or support organized extension of 
> >> the
> >> existing platform?
> >
> > Because a firewall is a security device.  Plain and simple.  It is not 
> > a
> > web server, nor a file server, nor an ftp server, nor does it do your
> > ironing, scrub the bathroom tiles nor wash the oil stains off your
> > garage floor.  The more fluff you add, the less secure the firewall
> > becomes, and the less able to do its real job - protecting your 
> > network.
> >
> >> What is common and in yours or my best interest today MAY change 
> >> tomorrow -
> >> I'd rather have one big project with lots of support and 
> >> extendability as
> >> needed than have hundreds of splinter projects so no one knows which
> >> supports what.
> >
> > Personally, I'd rather have a secure firewall.
> >
> > Manuel, on his monowall website, does have a "hacker's guide" that will
> > allow you to create a m0n0wall image to suit your needs.  Sure, this 
> > may
> > create splinter projects, if you and others do this - but then people
> > can choose the added fluff they need.  I'd think that most people would
> > choose the "no fluff" version.  If a particular piece of added fluff
> > becomes popular, and fits within the ethos of m0n0wall, then I'm sure
> > Manuel would consider adding it to his base images.
> >
> > I'd still rather have a secure firewall and use other devices to butter
> > my bread.
> > 
> To be honest, this is a stupid argument to be having. Its quite easy, 
> should we decide to do so, to add an on/off button for a particular 
> feature (defaulting to off). Then you would have your secure firewall, 
> while others would have their firewall + SOHO router.

It really is far from that simple.  I cannot see that installing a
telnet server, ftp server, samba server, quake server, ident server,
finger server, a coy of nmap, nessus, a c compiler, kismet, smokeping or
nocatsplash and leaving them almost all disabled is a good idea for a
firewall.  And before you start saying you didn't ask for a telnet or
Samba server, others have asked for them.

Admittedly, nocatsplash is probably more appropriate than a lot of other
things, and if Manuel sees this as keeping to the m0n0wall ethos and
implements it, then I'll learn to live with it.  However I still don't
like the idea of every application under the sun being suggested for a
firewall.  A firewall is a firewall.  I'd prefer, were it *my* network,
to have the firewall connect to a server that can run squid, IDS,
nocatsplash and anything else appropriate, and this be used as the
gateway for the LAN/WiFi users.

> To be clear, in a sense what is being proposed by Mitch, and has been 
> proposed and supported by me and a few others in the past, can be 
> argued to be "appropriate" for your definition of what m0n0wall should 
> include, since enabling secure routing of packets is a function of a 
> "captive portal".

Actually, as I suggested above, having Internet -> m0n0wall -> internal
server -> LAN/WiFi network with the internal server running nocatsplash
is inherently more secure and appropriate for the scenario you are
describing.  The firewall is the security device, and the proxy/web
server/nocatsplash/IDS/mail/whatever box provides the other
(non-firewall specific) networking functionality.

> To be sure, someone other than Manuel should endeavor to build this 
> functionality, since he is probably (and understandably) busy with more 
> pressing matters (m0n0 or otherwise).

And then Manuel will need to incorporate it in the images he creates.

> One of the greatest things about m0n0wall, and the reason why I use it 
> instead of a Linux box, is its ease of use and pleasant web interface. 
> Adding to this an ability to set up a captive portal (one that could be 
> enabled/disabled at the operator's will) would certainly increase the 
> marketability of the project and would invite more people to 
> participate in making it an even better system.

Ease of use should not and cannot be equated with "ability to install
anything that a user feels like without considering the other more
appropriate options".  Its just not sensible.

> And to be honest, standing behind the excuse of "no because it will 
> compromise the security of the device" is only valid when it is a true 
> statement. The addition of a captive portal would in no way compromise 
> your firewall if you choose not to enable it, just like the ability to 
> use an 802.11b card in m0n0wall doesn't compromise your firewall if you 
> choose not to install it.

OK.  If this is an untrue statement - as you are saying it is - then
prove it (properly) and I'll admit I was wrong.  Installing a bucketload
of code on a security device is just asking for trouble.  Anyone with a
security background will agree with this.

> To everyone's benefit, I think that if someone is interested in 
> building this feature, we should support and encourage its creation, 
> and leave the nay-saying to a minimum.

Same goes with those wanting Samba on the firewall?  Or telnet?  Where
do we draw the line?  All of those services - including nocatsplash -
are more appropriate on an internal server than on a firewall.  I
suggest that encouraging insecure practices on a firewall distro is not
something that we should encourage at all.

- HiltonT

> D a n a   S p i e g e l
> s o c i a b l e D E S I G N  ::  www.sociableDESIGN.com
> 123 Bank Street, Suite 510, New York, NY 10014
> p  +1 917 402 0422  ::  e  dana at sociableDESIGN dot com

Sociable designs and socially responsible designs are not always the
same thing.



Hilton Travis                   Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual      Phone: +61-(0)419-792-394
         Quark Computers         http://www.QuarkAV.com/
(Brisbane, Australia)            http://www.QuarkAV.net/

Open Source Projects:		http://www.ares-desktop.org/

Non Linear Video Editing Solutions & Digital Audio Workstations
 Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
  Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right. War determines who is left.