Sandvine, Linux, Windows, BSD, and an opinion.
Now, I’ve always preferred BSD-style firewall configs. But I’ve never seen such a painfully clear example of *why* I prefer them. If you’re at all familiar with how TCP/IP works, “add drop tcp from any to me 6883 tcpflags rst” (that one is ipfw syntax) isn’t exactly brain surgery to understand. Now, does “-A INPUT -p tcp --dport 6883 --tcp-flags RST RST -j DROP” really add any relevant information so far as the action you’re trying to perform? Why is RST stated twice? (It turns out the first RST is the mask of flags to examine and the second is the set of flags that must be on, so “RST RST” means “look only at the RST bit, and require it to be set”; nothing about the syntax tells you that, though, and PF writes the same thing the other way round, as “flags R/R”, set first and mask second.)
But really, that’s minor. What’s the real difference here? BSD firewalls use a domain-specific language for the ruleset, whereas Linux uses command-line flags to a userland tool, and a ruleset is a sequence of invocations of that tool. Either way has its pros and cons.
It’s a matter of taste, really. I prefer the one that doesn’t look like line noise, and doesn’t involve an extra process to get to use things like variables (as in the script for Ubuntu/etc…). What if I want to move that hard-coded 6883, or better, the set of source subnets I’m filtering, into a variable? Well, the solution in the linked post was to wrap the rulesets in a shell script. Would iptables accept, say, a list of subnets rather than a single value for that variable? First I’d have to read the iptables documentation to find out, and either way read up on a separate scripting language (Case 1: it does, and I only need to know how to set a variable in the scripting language. Case 2: it does not, and I also need to learn how to write a loop in the scripting language, since iptables will then need one rule per subnet). With a DSL for the rulesets, however, all two (or three) of those steps are covered within the same document, within the same section. Indeed, within the very same text: as it explains how to set a variable (a macro, in PF terms) to multiple values, it can be inferred that rules will accept them, and that explicit looping is unnecessary because the firewall expands the list itself. Speaking specifically of OpenBSD’s PF here, it’s simply the most elegant firewall system I’ve ever dealt with (and the only one I’d describe as “elegant”, for that matter).
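To make the loop-versus-list point concrete, here is the policy under discussion (drop TCP RSTs aimed at port 6883 from a set of peers) expressed both ways. This is an added example, not code from the original post or from the post it links to; the port comes from the post, the subnets are constructed RFC 5737 test ranges, and the iptables lines are printed rather than executed so the script runs without root and without iptables installed.

```shell
#!/bin/sh
# Added example (not from the original post). The iptables form needs a shell
# loop, one rule per source subnet; the PF form puts the list in a macro and
# lets pf.conf expand it. The subnets below are constructed sample values.

PORT=6883
SUBNETS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"   # RFC 5737 test ranges

# Emit one iptables command per subnet. The first argument of --tcp-flags is
# the mask (which flags to examine), the second is the set that must be on,
# so "RST RST" means "look only at RST, and require it to be set".
iptables_rules() {
    port=$1; shift
    for net in "$@"; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s --tcp-flags RST RST -j DROP\n' \
            "$net" "$port"
    done
}

# Emit the equivalent pf.conf fragment: the whole list lives in one macro and
# a single rule refers to it. PF writes flags as set/mask, so "R/R" is the
# counterpart of iptables' "RST RST"; "self" means any address of this host.
pf_rules() {
    port=$1; shift
    printf 'peers = "{ %s }"\n' "$*"
    printf 'block in quick proto tcp from $peers to self port %s flags R/R\n' "$port"
}

# Print both forms side by side ($SUBNETS is intentionally unquoted so the
# shell splits it into one argument per subnet).
echo "# iptables (one invocation per subnet):"
iptables_rules "$PORT" $SUBNETS
echo
echo "# pf.conf (macro holding the list, one rule):"
pf_rules "$PORT" $SUBNETS
```

Three subnets give three iptables invocations but still one PF rule; adding a fourth peer means one more line in the macro versus another trip through the loop, which is exactly the difference the paragraph above describes.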
Of course it could be argued that iptables doesn’t make you learn a new language, and that you can just use any scripting language you’re already familiar with (assuming you’re using a *nix because you like *nix, and not just because you hate Windows and can’t afford OSX, you probably know some script language or another). But then I’d say, look at the sheer complexity of those flags… you’re still essentially learning a DSL anyway. And if you just really, really want to use your scripting language of choice? Nothing stops you generating an IPFilter ruleset with it and loading the file with ‘ipf -f’, which is exactly what the wrapper script does for iptables. (To get the names straight: IPFilter’s loader command is ‘ipf’, not ‘ipfw’, which is FreeBSD’s own, separate firewall; and the Linux tool is ‘iptables’, not ‘ipfilter’.) IPF has been ported to FreeBSD, NetBSD, OpenBSD (until PF replaced it), SunOS/Solaris, HP-UX, QNX and others, and is the default on NetBSD and Solaris, so the one rule language covers all of them. Who didn’t have to learn what, now?
As an aside, the fact that there are two configs for what is at its core the same OS, and one script for two entirely different OSes (and all the others IPF supports, at that), just seems hilariously ironic to me. I would assume that the iptables script for Ubuntu/etc… would work on Red Hat and co. as well, but I’m still laughing.