Greg Kettmann wrote:
[...snip...]
>  Another truly excellent site is
> http://linux-firewall-tools.com/ by Bob Ziegler.  He literally wrote the book on
> Linux Firewalls.  His site has links to the relevant HOW-TO's plus his own
> instructions.  It also contains a tool to generate the IPCHAINS or IPFWADM scripts
> needed to start the firewall.  There are other excellent sites and resources, as
> well, but I like this one.  GGK
> 

I could not disagree with this more. Rob Ziegler *DID* write a book, and you
may in fact like his utility. Other than that, I take issue with everything
else that you said. His book is BAD. It is 100% RedHat-centric, which is
problem #1. Given that I was totally annoyed with what I DID read of the book
and never finished it, I won't comment any further on it. OK, I lied.... It
also doesn't deal with anything related to encryption. How can you talk about
firewalls and security and neglect to mention encryption?!?

        Now, on to his tool..... Sure, it works...Sort of. What it creates is a
completely bloated script with about 1000 rules that you don't need. Also,
when you have a default policy of DENY, you do not have to then go ahead and
specifically deny everything (including subnets that cannot be routed to begin
with). By putting this much garbage into an ipchains script, you increase the
chances of making a hole where there shouldn't be. Also, his instructions are
horrible. You are better off reading the actual Firewall-HOWTO. Not to mention
the fact that he completely ignores the fact that you may have to patch your
kernel in order to do certain things. 

        All in all, I find his tools, his writing, and his claims of expertise to be
insufficient, inadequate, and detrimental to network security. The argument
that I hear the most in his defence is "Well, it's good for beginners". My
answer to that is "*NO IT CERTAINLY IS NOT!!!*". It is NEVER good for a beginner
to learn the wrong way to do things, and it is never good for a beginner to
think that the wrong, inadequate, and insecure ways of one person are the
correct ways. That beginner then has a false sense of knowledge, and they
begin to rely on these things rather than ever learn the correct ways. Not to
mention, when they come to the realization that what they know isn't good
enough, they have to start all over from the beginning. So, in reality, it is
*NOT* good for beginners.

Just my NSHO,
Kenny

-- 
Kenny Lussier
Systems Administrator
Mission Critical Linux
******************************
If at first you don't succeed, 
destroy all evidence that you 
tried
******************************
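
The point in the message above about explicit DENY rules under a default DENY policy can be checked mechanically. The following is an added example, not part of the original post and not code from any of the tools discussed: it flags DENY rules that change nothing because no later rule in the same chain could match the same traffic. It assumes a simplified ipchains subset (only `-P`, `-A`, `-s`, `-d`, `-j` in "flag value" pairs, no user-defined chains), and the sample ruleset is constructed.

```python
import ipaddress
import shlex

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample ruleset (not taken from any real generated script).
SAMPLE = """\
ipchains -P input DENY
ipchains -A input -s 10.0.0.0/8 -j DENY
ipchains -A input -s 192.168.1.0/24 -d 192.168.1.1 -j ACCEPT
ipchains -A input -s 172.16.0.0/12 -j DENY
ipchains -A input -d 203.0.113.5 -j ACCEPT
ipchains -A input -s 192.168.0.0/16 -j DENY
"""

def _net(opts, flag):
    """Network for -s/-d, or 'anywhere' when the flag is absent."""
    return ipaddress.ip_network(opts[flag], strict=False) if flag in opts else ANY

def parse(text):
    """Return (policies, rules); rules are (chain, src, dst, target) in order."""
    policies, rules = {}, []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) < 4 or tok[0] != "ipchains":
            continue
        if tok[1] == "-P":
            policies[tok[2]] = tok[3]
        elif tok[1] == "-A":
            # Assumption: every option after the chain name is a "-flag value" pair.
            opts = dict(zip(tok[3::2], tok[4::2]))
            rules.append((tok[2], _net(opts, "-s"), _net(opts, "-d"), opts.get("-j")))
    return policies, rules

def redundant_denies(text):
    """Indexes of DENY rules that have the same effect as the chain's DENY policy."""
    policies, rules = parse(text)
    found = []
    for i, (chain, src, dst, target) in enumerate(rules):
        if target != "DENY" or policies.get(chain) != "DENY":
            continue
        # First match wins, so a DENY only matters if a later non-DENY rule
        # in the same chain overlaps it (ports/protocols ignored: conservative).
        needed = any(c == chain and t != "DENY" and s.overlaps(src) and d.overlaps(dst)
                     for c, s, d, t in rules[i + 1:])
        if not needed:
            found.append(i)
    return found
```

On the sample, only the last rule (index 4) is reported: the two earlier DENY rules sit in front of an ACCEPT that matches any source, so removing them would change what the chain lets through.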
