Firewalling 90% complete & tested, questions about writing tone

Kelly and Jennifer Anderson kjanderson at comcast.net
Thu Apr 29 11:27:37 PDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dagmar d'Surreal wrote:
|
| Not intending to be too experienced, but are you attempting to filter
| and manage your system activity logs with tcl or bash?  Perl was
| practically designed for system administration functions.

Yes, that is true.  That is almost exactly the reason why Perl doesn't
belong on a firewall.  Tools that work great for system admin purposes
work extremely well in exploiting systems.  My current firewall config
is down to 40 Megs.  It snorts to a database on another machine.

~  It's also a
| lot easier to deal with parsing lists in perl than it is in bash, which
| is why I was considering it.  I didn't want to use it because it would
| merely introduce another dependency (regardless of whether or not perl
| is sure to be installed already) to the init scripts, as well as more
| subshells that would just slow things down.

Yes, dependancies are exactly what you want to eliminate on a firewall.
~ A firewall is a single purpose machine.  The less that is installed on
the machine the better.  Less to exploit, less to monitor, less to fix.
~ Logs can easily be sent to another machine that can do any darn thing a
person wants in any language they want.

I know how Perlies like their language! ;)  Any excuse to write
something in Perl.  I use it when necessary.

In any case I wish you success with your scripts, I've been tuning mine
for over 2 years.

Kelly Anderson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAkUkZEjhXNjo4omcRArl5AJsGQopwG7YXYELJNP6YhkmA5osA9wCeIm/S
Z1ErKBQK/u+aWGop4BGj1lA=
=3o2Z
-----END PGP SIGNATURE-----



More information about the hlfs-dev mailing list