Netfilter GUI
Whit Blauvelt
whit@transpect.com
Fri, 14 Dec 2001 23:39:22 -0500
Simon,
If I were you I would caution people that the scripts Guarddog generates are
"not ready for prime time." After getting stuff to work reasonably okay on a
test machine on the local network, I tried exporting from Guarddog to a real
firewall/router (which of course I haven't installed a GUI on - it's not a
workstation). The script had major problems. For one thing, it does not look
for iptables in the place where iptables installs by default if you build it
from the tar: /usr/local/sbin/. After correcting that, when I check the
rules (iptables -L), every other rule is for the broadcast address. Is your
script confused because there are multiple IPs on the external interface? It
seemed to get all those, but if a rule is needed for the broadcast address
at all (not sure why - yours is the only example I've seen of writing rules
for it), it shouldn't repeat after every IP that references it.
Then I started getting messages to console when chains were dropped or
aborted, which is quite ugly when I'm trying to work - they should just be
going in the logs by default. This is a really, really serious problem for
anyone doing anything at the console.
Now Guidedog, which of course is in its earliest version and which you warn not to
depend on, wants to see /sbin/sysctl - which doesn't happen to be on the Red
Hat 6.0-based (but much upgraded since) box I'm trying to test your stuff
out on. Replacing those lines with the standard "echo 0 >
/proc/sys/net/ipv4/ip_forward", and then "echo 1...", it does not provide
successful masqing when run after Guarddog. Of course from comments on the
netfilter list, it looks like iptables may have major masquerading bugs
anyhow ... can't say from my own experience. Separating masquerading from
the firewall seems conceptually suspect anyhow - I know Rusty's in favor of
the separation too, but most firewalls in real life are there just because
they masquerade or otherwise NAT a local net.
This isn't to slam you - I think you're going in a good and valuable
direction with this stuff, and have a solid future in interface design. But
if you're going to be telling people that Guarddog is currently usable, you
ought to get hold of a big hard drive and install a few versions of Red Hat
and Debian and SuSe and maybe even Slackware and test that it works on each,
or else be straightforward about asking for alpha testers, rather than
saying you've already got something that fulfills its promise.
It will be truly great stuff when it does.
Respectfully,
Whit
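The message above describes two portability problems with the generated scripts: a hard-coded iptables path that misses /usr/local/sbin, and a dependency on /sbin/sysctl for toggling ip_forward, plus kernel log messages for dropped packets spilling onto the console. The helpers below are an added example, not code from the message or from Guarddog/Guidedog; they show how a generated script could locate tools across the usual install directories, fall back from sysctl to the /proc file, and keep LOG-target messages off the console. The optional second argument to the two writer functions is an assumption introduced only so they can be exercised against scratch files instead of the live /proc tree.

```shell
#!/bin/sh
# Added example (not from the original message or from Guarddog/Guidedog).
# Assumptions: tool names and /proc paths are the standard Linux ones; the
# optional FILE arguments exist only for testing against scratch files.

# find_tool NAME [DIRS]: print the first executable NAME found in the
# colon-separated DIRS list. The default list is PATH plus /usr/local/sbin
# and /usr/local/bin, which is where iptables lands when built from the
# tarball. Returns 1 (prints nothing) if the tool is absent.
find_tool() {
    name=$1
    dirs=${2:-$PATH:/usr/local/sbin:/usr/local/bin}
    old_ifs=$IFS
    IFS=:
    for d in $dirs; do
        if [ -n "$d" ] && [ -x "$d/$name" ] && [ ! -d "$d/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# set_ip_forward 0|1 [FILE]: use sysctl when it exists anywhere in the
# search list; otherwise write the /proc file directly, which is what the
# message did by hand on the box without /sbin/sysctl.
set_ip_forward() {
    val=$1
    file=${2:-/proc/sys/net/ipv4/ip_forward}
    case $val in
        0|1) ;;
        *) echo "set_ip_forward: value must be 0 or 1" >&2; return 2 ;;
    esac
    if [ "$file" = /proc/sys/net/ipv4/ip_forward ] && sysctl_bin=$(find_tool sysctl); then
        "$sysctl_bin" -w net.ipv4.ip_forward="$val" >/dev/null
    else
        printf '%s\n' "$val" > "$file"
    fi
}

# console_loglevel N [FILE]: only kernel messages with a priority number
# lower than console_loglevel are printed on the console; everything still
# reaches the kernel log for klogd/syslogd. /proc/sys/kernel/printk holds
# four integers, and writing a single integer updates just the first one
# (console_loglevel). iptables' LOG target logs at priority 4 (warning) by
# default, so a value of 4 keeps those messages off the console. Prints the
# console level read back from the file.
console_loglevel() {
    level=$1
    file=${2:-/proc/sys/kernel/printk}
    printf '%s\n' "$level" > "$file"
    read -r console _ < "$file"
    printf '%s\n' "$console"
}

# Typical use on the live system (needs root):
#   IPT=$(find_tool iptables) || { echo "iptables not found" >&2; exit 1; }
#   console_loglevel 4 >/dev/null
#   set_ip_forward 1
#   "$IPT" -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

The live-system lines stay commented out so the file can be sourced without privileges; a generated script would emit them after the functions, with the interface name substituted.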