From: Michael Tremer
To: documentation@lists.ipfire.org
Subject: Re: IPS Rule selection page
Date: Mon, 10 Jun 2019 20:09:25 +0100

Hi dnl,

Thanks for working on this.

> On 10 Jun 2019, at 06:29, dnl wrote:
>
> Hi all,
>
> I recently spent some time totally rewriting and fleshing-out the IPS rule selection wiki page: https://wiki.ipfire.org/configuration/firewall/ips/rule-selection.
>
> The iterative approach to choosing IPS rules is a difficult subject to put into words succinctly and I feel the page has become very long and wordy.

I agree with that approach and I think you have a good start there, but the page is indeed way too long.

I think this is because you are giving (almost too many) examples. You mention Heartbleed which is very specific and entirely irrelevant. We can assume that people know what a vulnerability is. If not, people should not be managing their own IPS.

Then, you are adding those boxes. The new wiki won’t support those any more. They stop the flow in reading and we have a page where apparently everything seems to be super important information. That makes nothing highlighted at all.

Then you copy a lot of content. For example what should be enabled in the ET ruleset. I had that at the bottom of the page. Not very much in-depth, but if you want to have more detail, I think it is best to make an extra page where we explain the individual rulesets. Maybe there are some resources out there on the internet that we can link?

Also, please don’t use lists to separate paragraphs.

> I'm aware that some people reading the English documentation won't have English as their first language, so I'd appreciate any feedback you have.

The English is absolutely fine. I do not think that it is very advanced nor very simple language.

> Contrary to that, I feel that the page would be easier to understand if we had more good examples for readers.

I would prefer to try to shorten the page again and move examples onto a separate page.

I think it makes sense to give some advice based on where the IPS is deployed: Basically a list of DOs and DONTs for people who have IPFire in a data centre, those who have them at home and so on. A headline for each? How does that sound? That would save you a lot of space to not explain the scenario again.

> I've briefly communicated with TimF and he mentioned the flowbits bug/limitations at the moment (bugs like 12086 and 12078). If these bugs cannot be fixed soon or easily could someone with a better understanding come up with a set of work-around steps we could write in a notice somewhere in the IPS documentation?

Those will be fixed in Core Update 133. That will be available for testing this week. I hope we have this out faster than we can update the documentation :)

Then, there is a section where you say: If CPU usage is very high for a long period of time you should try to identify rules which are less likely to be important on your network and disable those rules. Sustained high CPU usage will impact the performance of IPFire and slow down internet access.

The answer to that is to buy better hardware. Do not compromise on security. Loads of people have too small hardware because they wanted something cheap and will not be able to pass enough traffic through.

So, all in all I think you have many very good thoughts in there. But I agree that the page is way too long. It needs to be split (see my suggestion above) and I think the content that is there can be made a little bit shorter. We can assume enough knowledge of the reader to get basic concepts. The example that you won’t need BSD rules when you don’t have BSD systems on your network can be half a sentence. People should be able to get a hint.

Otherwise we might run into people not reading this at all and therefore missing basic principles when configuring this. Who reads a page of text these days?

-Michael

> Thank you,
>
> dnl