"nobody'd ever need to do that"

Having been a sysadmin for several years now, both as my "real job" and in my Copious Free Time, I've had occasion to bang heads with the odd firewalling system or two - even to the extent that I partially built one myself. Now, I'm not a firewall expert by any means, but there's a fair amount you can do without knowing anything about TCP sequence numbers, IP tunnelling, source routed packets, yadda yadda yadda.

Problem is, some companies want to sell firewalls to people who don't know anything about firewalls. In fact, they want to sell firewalls to people who don't even know what a firewall is or can't figure out why they'd possibly need one.

Thus, the pre-packaged firewall. Take, for example, the *BSD source tree, patch up all the known holes, look for a few more, add a spiffy console application to replace getty/login, write a manual, put it all in a box, and sell it. Brilliant.

I have to look after one of these products. In the interests of fairness and please-don't-sue-me, I'm not mentioning the name of the company responsible, but you can probably find out if you've got half a clue.

The firewall is pretty much as described above - a *BSD-based system with no login access bar the spiffy console and an assortment of remote-access applets.

Uh-oh. Applets.

Java 1.0. Thou shalt not even THINK of running a Java 1.1 browser with this lot. Thou shalt have a hell of a time configuring this on a Mac, since Java 1.0 and Mac aren't exactly the most comfortable of bedfellows. Thou shalt persevere through the crashes on Win95 - and there will be crashes; thou shalt also persevere through the incessant slow downloads and slug-like performance. Thou shalt, in summation, behave as if someone forced you to configure the firewall wearing mittens and 90%-opaque goggles.

Oh, and did I mention that it crashes the browser on my desktop box - a Linux box - forcing me to use the less-than-usable Mac instead? Nothing against the Mac, mind, just that the Java engine sucks large rocks through a capillary tube.

That's all right, you say, just use the spiffy console thing instead.

Er, no. Nothing useful can be done from the "spiffy" console, except adding users, backups, and patches. Oh, and viewing logs. And hey, you can restart the nameserver. Whoopee! You want to actually configure the nameserver? Back to Java for you, my lad.

In addition to this, there's all the things you'd like to do but can't, because, well, the manufacturers didn't think you'd need to.

Hosed your arp cache through clashing IP addresses? I did. I waited for it to clear, I searched for a way to clear it, and eventually I had to reboot the firewall because we couldn't afford the downtime on the machine it couldn't relocate. Oh, and the reboot takes a good 5-10 minutes because it does an enforced fsck every time. AND the 'reboot' menu option doesn't work; the thing syncs the disks, then stops dead. Manual reset.

Got junk in your mail queue that you'd like to clear out with judicious use of rm? Uh, sorry. You can wipe the whole queue if you like, or you can just let the stuff filter through to your internal mail system where you can deal with it there. This particular feature managed to cripple our email for two days while the spool emptied; at one point, the firewall decided it had sent enough inbound mail and just held onto what it had left, and refused to restart the mailserver using the neat-o Java console. Reboot time again.

How about that DNS then? Well, you can dump a domain into a file and ftp it back to the real world for editing, but you can't, no way nohow, dump that file back into the DNS. No, you have to set up a duplicate DNS server on a real machine, then tell the firewall to inhale the DNS details from the duplicate. Lose lose lose.

Then there's the memory leaks, the spurious "cannot mate fd 0 to fd 3" errors, the without-warning, without-error stalls... Oh, and look. Someone's found a DoS or an exploit for BSD that affects all BSD derivatives. Oh look, FreeBSD has been patched. NetBSD has been patched. Honest Bob's BSD has been patched. Hello, can we have a patch for "secure" BSD? Please?

So recently we got a press release. It seems they've plugged a lot of the leaks. They've also tossed out the Java in favour of a Windows-native control system. Hel-lo? You're telling me that in my little nest of Macs and Unix boxen, in order to control my Unix-based firewall, I am going to have to add a Windows box? Are you on drugs or what?

Me, I'm going shopping for a firewall. Heck, maybe I'll go back to building my own.

Addendum: It's now about two months since I wrote this. We dismantled the firewall and replaced it with another. But before we got the new firewall, we got an upgrade for the old one. And guess what, it wouldn't fly on the exact same hardware as the old firewall. Couldn't find the CD-ROM, no way no how. The instructions said, "insert the diagnostic disk". The diagnostic disk basically gives you a dump of what's hanging off the machine - including a CD-ROM that the installer couldn't find.

And I'm still trying to get off their stupid mailing list.

Waider

"The fact that everything I stated above could be incorrect is of no interest to me."
-- Patrick Timmins