Steve Suehring
Author of JavaScript Step by Step
About the Author
Steve Suehring is an Assistant Professor of Computing and New Media Technologies at University of Wisconsin - Stevens Point. Steve has worked as an editor for LinuxWorld Magazine, and has written several books on a variety of technologies, including JavaScript, Linux security, Windows Server certifications, Perl, and others. Steve has worked at a large Internet provider in both systems engineering and security roles, and has also worked at a Fortune 1000 company helping to provide architectural direction on numerous initiatives.
Works by Steve Suehring
MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide: Exam… (2006) 7 copies
LPIC-1 Linux Professional Institute Certification Practice Tests: Exam 101-500 and Exam 102-500 (2019) 2 copies
Common Knowledge
- Gender: male
Statistics
- Works: 19
- Members: 229
- Popularity: #98,340
- Rating: 3.9
- Reviews: 2
- ISBNs: 55
- Languages: 4
The book then follows with an example for a simple home firewall, discusses rule optimization and gives some more advanced scenarios for a gateway, with several possibilities for how to organize a DMZ, while covering packet forwarding. These chapters are generally good but not as good as the first ones. There's a chapter on NAT, that I thought was very good. Understanding when the source and destination addresses get changed and how this relates to the other chains can be tricky and the book really nails it. The final chapter directly related to firewalls, about debugging, is a mixed bag. I found it unnecessarily extensive, going on and on about basic and obvious things, such as explaining how to read a listing of the firewall rules.
The last chapters are related to other security technologies such as intrusion detection, monitoring, filesystem integrity and kernel enhancements. While some parts of it do provide useful information they feel like rushed filler material, especially considering that more advanced iptables related topics are neglected. As an example, in the last chapter the author says that first he will present a recipe style introduction to Grsec and then explain some features in more depth. The more in depth explanations are nowhere to be seen, however. There are a couple more places where similar glitches are found.
Two important things related to packet filtering and iptables are missing in the book. There's no coverage of advanced logging. The ULOG target is just mentioned and a tool like syslog-ng that would allow you to use the LOG target and still filter logging into different files is not even mentioned. More importantly, connection state tracking, the part that allows netfilter to call itself a stateful firewall, doesn't have adequate coverage. The author says that even using a stateful firewall, rules that cover the case of the state tables getting full are still needed. I disagree with this, especially in the case of a dedicated firewall machine, where you have a lot of memory to spare and can allocate a lot of it for state tracking. Keeping a simple ruleset is extremely important and being able to rely on state tracking really helps in achieving that. How the state tracking works is superficially explained. Things such as seeing how many entries are being used or its internal state are missing. I don't know if this is because at the time the book was written there was less kernel support to get to this sort of information or if the author just missed them, but I consider them important nonetheless. If they were not an option when the book was written then it should at least be mentioned that such things are not possible. I had to do some mailing list research to figure out how to get to them. The book suffers from a problem that afflicts so many technical books - it wants to be everything to everyone.
However, I don't know of a better book related to netfilter and would recommend this one to someone that wants to learn more about it. I think it should be complemented with the "iptables tutorial" by Oskar Andreasson and with some research looking at example scripts that can be found online and reading mailing lists.…