[Gllug] Opinions on Smoothwall and other firewalls

Simon Stewart sms at lateral.net
Thu Oct 11 16:48:26 UTC 2001


On Thu, Oct 11, 2001 at 04:59:42PM +0100, tet at accucard.com wrote:
> 
> >and there's the "Invisible Firewall HOWTO" at
> >
> >http://www.openlysecure.org/openbsd/how-to/invisible_firewall.html
> 
> Note that despite the name, this isn't completely invisible. It still
> (AFAIK) decrements the TTL. As it should, too. Although some security
> "experts" will try and convince you that a *completely* invisible
> proxy/firewall/whatever is a good idea, they're almost invariably not.
> The TTL exists for a reason, and passing a packet without modifying it
> will bring everything to a grinding halt the first time you run into
> routing problems...

Some of the problems are caused by the fact that the firewalling
application has to avoid the kernel's IP stack:

"It should be noted, however, that most Unix kernels (and certainly
 the ones underlying the systems that ipfilter usually runs on) have
 far more efficient routing code than what exists in ipfilter, and
 this keyword should not be thought of as a way to improve the
 operating speed of your firewall, and should only be used in places
 where stealth is an issue."

(from the IPFilter HOWTO)

Out of curiosity, would you mind explaining the reasons why not
decrementing the TTL is a Bad Thing, because I just don't see it?
What am I missing?[1] Surely, no-one in their right mind would be using
a totally invisible firewall for anything but being a firewall?
There are a few mumbles about fixing network topology using IPFilter in
the HOWTO, which is why I mention it....

Cheers,

Simon

[1] No funny answers, thanks ;)

-- 
'Today I dialed a wrong number....The other side said, "Hello?" and I
said, "Hello, could I speak to Joey?" They said," Uh, I don't think
so...He's only two months old." I said, "I'll wait..."'
     Steven Wright
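As an added illustration of the TTL point raised in the quoted reply (example code, not from the thread or from IPFilter): a toy forwarding model in which each device either decrements TTL or passes the packet untouched. Hop names and the topologies are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    """A forwarding device; decrements_ttl=False models the 'invisible'
    filter that passes packets without touching the IP header."""
    name: str
    decrements_ttl: bool = True

def forward(route, start, ttl, max_transits=1000):
    """Send one packet along next-hop table `route` ({Hop: next Hop, None =
    destination}). Returns (transits, outcome): 'delivered', 'ttl_expired'
    (the decrementing hop would answer ICMP Time Exceeded) or 'looping'."""
    hop, transits = start, 0
    while hop is not None:
        if transits >= max_transits:
            return transits, "looping"      # TTL never reached zero
        if hop.decrements_ttl:
            ttl -= 1
            if ttl <= 0:
                return transits + 1, "ttl_expired"
        transits += 1
        hop = route[hop]
    return transits, "delivered"

def traceroute(route, start, max_ttl=30):
    """Hop names a TTL-probing traceroute would see: only a device that
    decrements TTL to zero ever answers, so an invisible hop is absent."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        hop, t = start, ttl
        while hop is not None:
            if hop.decrements_ttl:
                t -= 1
                if t == 0:
                    seen.append(hop.name)
                    break
            hop = route[hop]
        else:
            return seen                     # probe reached the destination
    return seen

if __name__ == "__main__":
    r1, r2 = Hop("r1"), Hop("r2")
    for fw in (Hop("fw", True), Hop("fw", False)):
        # Constructed path r1 -> fw -> r2 -> destination: stealth vs. visible
        print(traceroute({r1: fw, fw: r2, r2: None}, r1))
        # Misconfigured loop r1 <-> fw: TTL only burns where it is decremented
        print(forward({r1: fw, fw: r1}, r1, ttl=64))
```

With the invisible firewall the loop takes roughly twice as many transits to die, and a loop made entirely of non-decrementing devices never expires the packet at all.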
