[EMAIL PROTECTED] wrote:
> I noticed Herr Kirchdoerfer's response and have an entirely (maybe
> unfounded) reason for not migrating to 4.x.

What you write below looks like a justification for not using Shorewall-perl. Please do not confuse Shorewall 4.x and Shorewall-perl. While Shorewall-perl is an option in Shorewall 4.x, you don't need to install it and you don't need to use it.

> First off, I love the capabilities, the support, even the sporadic
> scoldings (which I can say in my case at least, deserved). To my
> knowledge, a hack like myself has NOT been compromised since starting
> to run Shorewall.
>
> But, therein lies the rub. I happen to be using SuSE, an older (now
> unsupported) distro. But, what little mentoring I have received, is to
> never leave the tools for your "destruction" on the firewall box. So
> with SuSE's YaST, I have to meticulously delete packages I don't want,
> remove X, etc., etc., when I install. So when I (was able to) update, I
> relied on the SuSE YaST tool to update the kernel, and in keeping with
> leaving tools/packages off, have to rely then on the binary distribution
> because I don't even install a compiler on the Shorewall box.
>
> So this puts me at a disadvantage for some tools, such as Perl, which
> has a great library of modules. But, there's the dilemma, and, maybe my
> ill-conceived view, of my security -- I do NOT have the tools to make it
> easier to be compromised. So from that perspective, NOT having Perl
> seems to be more secure. A buddy of mine says that if "they're gonna
> getcha, they'll getcha" but I like to think otherwise with great tools,
> such as Shorewall. But, on the other hand, I don't want to leave the
> gun sitting out for the grandchildren to play with, to use a stupid analogy.
>
> Comments, thoughts? When I rebuild the firewall, do with a Perl
> installation as well?

If you are that paranoid about your firewall, install Shorewall-perl on a system behind the firewall and run Shorewall-lite on the firewall system.

I personally think that a well-constructed firewall box (no externalized services) is the hardest system in your network to compromise. So why would an attacker go after the hardest target when there are much softer ones to be had?

My $.02US

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
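The "compile behind the firewall, run Shorewall-lite on the firewall" split Tom suggests is a two-step workflow: compile the ruleset into a standalone script on an administrative host that has Shorewall and Perl installed, then copy only that script to the firewall, where Shorewall-lite (which needs neither Perl nor the compiler) runs it. The wrapper below is an added illustration, not code from the thread or from the Shorewall project; the host name, the per-firewall configuration directory, the output path and the DRY_RUN knob are assumptions. It uses Shorewall's export-mode compile (`shorewall compile -e`) and Shorewall-lite's script location (`/var/lib/shorewall-lite/firewall`); `shorewall load` bundles the same steps for systems where that is available.

```shell
#!/bin/sh
# Compile-here, run-there deployment for Shorewall-lite (hypothetical wrapper).
# The admin host carries Shorewall + Perl; the firewall carries Shorewall-lite only.
set -eu

FIREWALL_HOST="${FIREWALL_HOST:-fw.example.internal}"   # assumed host name
CONFIG_DIR="${CONFIG_DIR:-/etc/shorewall/fw1}"           # assumed per-firewall config dir
OUTPUT="${OUTPUT:-/tmp/fw1.firewall}"                   # compiled script on the admin host
DRY_RUN="${DRY_RUN:-1}"                                 # 1 = show commands, do not execute

# Execute a command, or only describe it when DRY_RUN=1 (so the script is
# safe to read through on a host without Shorewall or SSH access).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: compile on the admin host. -e (export mode) produces a script that
# does not need the admin host's shorewall.conf present on the firewall.
compile_policy() {
    run shorewall compile -e "$CONFIG_DIR" "$OUTPUT"
}

# Step 2: push only the compiled script to the firewall and restart
# Shorewall-lite there. No compiler, no Perl, no configuration sources
# ever land on the firewall box.
deploy_policy() {
    run scp "$OUTPUT" "root@$FIREWALL_HOST:/var/lib/shorewall-lite/firewall"
    run ssh "root@$FIREWALL_HOST" shorewall-lite restart
}

# Refuse to deploy a script that was not produced by this compile step.
check_compiled_script() {
    if [ "$DRY_RUN" = "1" ]; then
        return 0
    fi
    [ -s "$OUTPUT" ] && head -n 1 "$OUTPUT" | grep -q '^#!/bin/sh'
}

main() {
    compile_policy
    check_compiled_script || { echo "compiled script missing or not a shell script" >&2; return 1; }
    deploy_policy
}

main
```

Run with `DRY_RUN=0 FIREWALL_HOST=<your firewall> CONFIG_DIR=<your config> sh deploy.sh` from the administrative host; the default dry-run mode only lists what would be executed. The point of the check is that the firewall only ever receives a finished script, so the tools the original poster worries about stay off that box.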
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
