> http://www.heise.de/ct/english/02/01/162/
> http://www.smoothwall.org/gpl/home/articles/team/20020109.ct-response.html

This article makes some really stupid points.  Of course the DSL password
is stored in plain text - as the computer needs to read it to use the
modem it has to be able to access it. Any form of encryption would merely
be security through obscurity - you'd have to store the key somewhere on
the computer.  This should be obvious - especially to anyone who's read
The Cathedral and the Bazaar; remember "A security system is only as
secure as its secret. Beware of pseudo-secrets."

The issue about shadow passwords is also pretty stupid.  Yes, your
webserver could possibly be tricked into reading the password files.  
Since your webserver runs the web interface to port forwarding and other
key functions, and can forward ports from dirty to clean, mucking around
with the password file seems a little trivial when you already have the
power to do whatever you want.  I'm not sure how the hacker can access the 
webserver anyhow - it's only listening on the clean network.  As is the web 
proxy.

I wouldn't attempt to dissuade you if you did believe that this is
basically insecure.  The question is really how secure do you want your
firewall to be?  If you want a web interface and the niceness that brings 
you then you're going to have to pay the price of giving your web server 
and other such processes the power to essentially be root.  It's that 
simple.

I think smoothwall is a good product, and makes sense to me.  Last night I 
determined that blue yonder's transproxy was not letting through any 
connections to any web sites.  As it's a transproxy I can't get round 
this.  I can however still run all my connections through someone else's 
proxy.  So...fill in a field in the web interface, turn on smoothwall's 
own transproxy (squid) and voila, I'm routing all my traffic via some 
other proxy.  Yey...web interfaces rock.

Now...I can understand people's problems with some of the developers.  
They have a bad reputation.  It didn't help that last night when I
downloaded the smoothwall FAQ I found a thirty page lecture by
esr telling me basically not to bother anyone tacked onto the front. I've
used the smoothwall irc channel.  I wasn't particularly impressed.  They 
were quite brusque, but in fairness they weren't rude to me.

My point is: why should any of this matter?  Let's keep the distinction
between the product and the developers in place, keep them separate.  
Smoothwall is open source, and you haven't paid for any support - you
shouldn't expect any.

Ooops, another rant.  Must have forgotten to take my own frog pills too. 

Later.

Mark.

-- 
s''  Mark Fowler                                     London.pm   Bath.pm
     http://www.twoshortplanks.com/              [EMAIL PROTECTED]
';use Term'Cap;$t=Tgetent Term'Cap{};print$t->Tputs(cl);for$w(split/  +/
){for(0..30){$|=print$t->Tgoto(cm,$_,$y)." $w";select$k,$k,$k,.03}$y+=2}