The other reason why I've wound up not interested in firewall managers

November 7, 2016

In a comment on my previous entry on not using firewall managers, Durval Menezes mentioned:

The real problem IMHO with "magical" solutions is when the "magic" suddenly stops working (specially when it falls in some subtle, hard to detect way) and, as it made it "easy" to start with, you have no control nor/nand internal knowledge of it to troubleshoot (or worse, even detect that it has failed in the first place).

Now that it's been brought up, I have to admit that this is a good part of what's quietly influenced my thinking too. On Linux, firewall management systems like FireHOL and Shorewall aren't self-contained systems; instead they're all eventually using iptables (or someday nftables), possibly plus routing things (including policy based routing for some of them).

I'm a sysadmin. I know that someday the magic is going to fail and I'm going to have to go down in the guts of the actual generated iptables rules and so on to figure out just why things aren't working. If I'm going to eventually need to understand the iptables rules, well, there is certainly a part of me that feels I might as well cut to the chase and understand them from the start. The other issue is that I expect automatically generated rules to be harder to understand than hand-written ones, because a decent rules generator ought to be able to pull off any number of optimization tricks that no sensible human would use when hand-writing rules (and these optimizations are undoubtedly great when things work well).

As a side note, what this suggests is that (Linux) firewall managers should ideally come with debugging tools, much like compilers for languages generally have them. In both cases you wind up with symptoms in low level things (your program crashes, your firewall doesn't seem to be working right) and you want to go from the low level bits back to the high level source and concepts involved at the time. Imagine the use of being able to find out 'this connection was blocked because of this high level rule you set'.

(Of course I don't know if Linux's networking stack is set up so it's even possible to trace packet firewall decisions in the way you'd really want in order to do this. I think there's some new logging stuff, but I haven't looked into it since my last attempt failed. I should, though; being able to log and/or trace firewall activity is important no matter how I wind up creating my firewall rules.)

Written on 07 November 2016.
« Admitting that I have have a non-simple firewall setup
Why we have multiple wireless networks around here »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Nov 7 00:04:46 2016
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.