(hello ‘world)

Sandvine, Linux, Windows, BSD, and an opinion.

So, Cat in the Red Hat has posted firewall rulesets for ignoring Sandvine’s forged RST packets: one for Linux (iptables) and one that serves both FreeBSD and Windows (ipfw, via the WIPFW port).

Now, I’ve always preferred BSD-style firewall configs. But I’ve never seen before such a painfully clear example of *why* I prefer them. If you’re at all familiar with how TCP/IP works, “add drop tcp from any to me 6883 tcpflags rst” isn’t exactly brain surgery to understand. Now, does “-A INPUT -p tcp --dport 6883 --tcp-flags RST RST -j DROP” really add any relevant information so far as the action you’re trying to perform? Why is RST stated twice? (The answer, once you’ve read the iptables manual: the first RST is a mask naming which flag bits to examine, the second names which of those bits must be set. Nothing in the rule itself tells you that.)

But really, that’s minor. What’s the real difference here? BSD firewalls use a Domain Specific Language, whereas Linux uses flags to an application. Either way has its pros and cons.

It’s a matter of taste, really. I prefer the one that doesn’t look like line noise, and doesn’t need an extra process to get things like variables (as in the script for Ubuntu etc.). What if I want to make 6883 a variable, or have a variable holding a list of subnets? The solution in the linked post was to wrap the iptables rules in a shell script. Would iptables accept, say, a list of subnets rather than a single value for that variable? To find out I’d first have to read the iptables documentation, and in either case read up on a separate scripting language (case 1: it does, and I only need to know how to set a variable in the scripting language; case 2: it does not, and I also need to learn how to write a loop in it). With a DSL for the rulesets, all two (or three) of those steps are covered in the same document, in the same section, indeed in the very same text: as it explains how to set a variable to multiple values, it follows that rules will accept them and that explicit looping is unnecessary. Speaking specifically of OpenBSD’s PF here, it’s simply the most elegant firewall system I’ve ever dealt with (and the only one I’d describe as “elegant”, for that matter).
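To make the “list versus loop” point concrete, here is an added example (it is not from the original post or from Cat in the Red Hat’s recipes) that emits the “drop forged RST” rule for a list of ports in all three syntaxes. Only port 6883 comes from the recipe; the other ports, the macro name `bt_ports`, and the function names are assumptions made for the example. The script prints the rules instead of loading them, so it runs as an unprivileged user on a machine with none of the firewalls installed.

```shell
#!/bin/sh
# Added example (not from the original post): emit the "drop forged RST"
# rule for a list of ports in the three syntaxes under discussion, to show
# where the list lives in each. The rules are printed rather than loaded,
# so this runs as an ordinary user on a box with no firewall installed;
# pipe the output into the real tool (or a root shell) to apply it.

# Constructed input: the ports a BitTorrent client listens on. Only 6883
# comes from the original recipe; the other two are assumptions.
BT_PORTS="6881 6882 6883"

# Turn a whitespace-separated list into a comma-separated one.
join_commas() {
    out=""
    for item in $1; do
        out="${out:+$out,}$item"
    done
    printf '%s\n' "$out"
}

# iptables: a plain --dport takes one port, so the shell supplies the loop,
# one rule per port. In "--tcp-flags RST RST" the first RST is the mask
# (which flag bits to examine) and the second the set that must be on
# within that mask, so "--tcp-flags RST RST" simply means "RST is set".
gen_iptables() {
    for p in $1; do
        printf 'iptables -A INPUT -p tcp --dport %s --tcp-flags RST RST -j DROP\n' "$p"
    done
}

# ipfw (FreeBSD, and Windows via WIPFW): the port field accepts a
# comma-separated list, so one rule covers every port. "drop" is a
# synonym for "deny" in ipfw.
gen_ipfw() {
    printf 'ipfw add drop tcp from any to me %s tcpflags rst\n' "$(join_commas "$1")"
}

# OpenBSD PF: the list goes into a macro, and the rule just names the
# macro. "flags R/R" is PF's mask/set notation: examine R, require R set.
# "self" expands to every address on every local interface.
gen_pf() {
    printf 'bt_ports = "{ %s }"\n' "$(join_commas "$1")"
    printf 'block in quick proto tcp from any to self port $bt_ports flags R/R\n'
}

# Print all three so the difference is visible side by side.
echo "# iptables (Linux)";       gen_iptables "$BT_PORTS"
echo "# ipfw (FreeBSD / WIPFW)"; gen_ipfw "$BT_PORTS"
echo "# pf.conf (OpenBSD)";      gen_pf "$BT_PORTS"
```

Two caveats a practitioner should keep in mind. First, every one of these rules discards legitimate resets on those ports too: a peer that refuses or tears down a connection will leave your client waiting for a timeout instead of failing fast. Second, iptables does have a way to fold the loop into one rule, `-m multiport --dports 6881,6882,6883` (up to 15 ports), but it lives in a separate match extension with its own documentation, which is exactly the kind of extra reading the paragraph above is complaining about.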

Of course it could be argued that iptables doesn’t make you learn a new language, and that you can just use any scripting language you’re already familiar with (assuming you’re using a *nix because you like *nix, and not just because you hate Windows and can’t afford OSX, you probably know some script language or another). But then I’d say, look at the sheer complexity of those flags… you’re still essentially learning a DSL anyway. And if you just really, really want to use your scripting language of choice? The ‘ipfw’ command the rule above is written for is FreeBSD’s native firewall front end, and plays the same role ‘iptables’ does for Linux’s firewall; WIPFW is its Windows port, which is why the one recipe serves both systems. IPF (IPFilter), a separate BSD-style packet filter with a similarly readable rule language, has been ported to FreeBSD, NetBSD, OpenBSD, SunOS, HP/UX, OpenSolaris, Linux, QNX, OSX, Windows… being the default on at least the first two (maybe Solaris as well, I forget). Who didn’t have to learn what, now?

As an aside, the fact that there are two configs for what is at its core the same OS, and one script for two entirely different OSes (and every other system the BSD filters have been ported to, at that) just seems hilariously ironic to me. I would assume that the iptables script for Ubuntu etc. would work on Red Hat & co. as well, but I’m still laughing.

[update] How odd. The iptables/ipfw postings on Cat in the Red Hat’s blog have disappeared. There’s a story on an iptables-only version on Slashdot today, though.

June 25, 2008 - Posted by | Annoyances, Malware, web

4 Comments »

  1. […] Prael wrote a blog post about Domain-Specific Languages used in firewall definition. He points to Cat in the Red Hat’s recipes for firewalls in Linux and in BSD (the Windows port of that). Now, I’ve always preferred BSD-style firewall configs. But I’ve never seen before such a painfully clear example of *why* I prefer them. If you’re at all familiar with how TCP/IP works, “add drop tcp from any to me 6883 tcpflags rst”, isn’t exactly brain surgery to understand. Now, does “-A INPUT -p tcp --dport 6883 --tcp-flags RST RST -j DROP” really add any relevant information so far as the action you’re trying to perform? Why is RST stated twice? […]

    Pingback by Expressive Firewall Domain-Specific Languages at Fragmental.tw | June 25, 2008 | Reply

  2. The same blog post (next day) shows a way to get around Comcast Sandvine using WIPFW using the syntax you mentioned in your blog.

    http://redhatcat.blogspot.com/2007/09/beating-sandvine-on-windows-with-wipfw.html

    Comment by Comcaster | June 29, 2008 | Reply

  3. Exactly the same syntax, as I copied and pasted both examples from there, and linked to both versions in the very first sentence. Of course, any additional links to said article are more than welcome, as I feel this should be more common knowledge regardless of OS and filter syntax.

    I was half tempted to produce a version using OpenBSD’s PF as well, but something so short would be remarkably similar to the IPF version, and I’m not sure whether OpenBSD’s PF has been ported further than the other BSDs anyway.

    Of course if anyone winds up coming here for such, you probably meant to go to http://www.openbsd.org/faq/pf/ instead.😉

    Comment by prael | June 29, 2008 | Reply

  4. […] bit especially caught my attention, especially in light of another recent post: Q. But how can a non-programmer even read a program, let alone tell whether it is right? A. Forth […]

    Pingback by Scheme, Forth, and C « (hello | June 29, 2008 | Reply
