Hi dnl,
Thanks for working on this.
On 10 Jun 2019, at 06:29, dnl dnlipfire@runbox.co wrote:
> Hi all,
> I recently spent some time totally rewriting and fleshing-out the IPS rule selection wiki page: https://wiki.ipfire.org/configuration/firewall/ips/rule-selection.
> The iterative approach to choosing IPS rules is a difficult subject to put in to words succinctly and I feel the page has become very long and wordy.
I agree with that approach and I think you have a good start there, but the page is indeed way too long.
I think this because you are giving (almost too many) examples. You mention Heartbleed which is very specific and entirely irrelevant. We can assume that people know what a vulnerability is. If not, people should not be managing their own IPS.
Then, you are adding those boxes. The new wiki won’t support those any more. They stop the flow in reading and we have a page where apparently everything seems to be super important information. That makes nothing highlighted at all.
Then you copy a lot of content. For example what should be enabled in the ET ruleset. I had that at the bottom of the page. Not very much in-depth, but if you want to have more detail, I think it is best to make an extra page where we explain the individual rulesets. Maybe there are some resources out there on the internet that we can link?
Also, please don’t use lists to separate paragraphs.
> I'm aware that some people reading the English documentation won't have English as their first language, so I'd appreciate any feedback you have.
The English is absolutely fine. I do not think that it is very advanced nor very simple language.
Contrary to that, I feel that the page would be easier to understand if we had more good examples for readers.
I would prefer to try to shorten the page again and move examples onto a separate page.
I think it makes sense to give some advice based on where the IPS is deployed: basically a list of DOs and DON'Ts for people who have IPFire in a data centre, those who have them at home and so on. A headline for each? How does that sound? That would save you a lot of space by not explaining the scenario again.
> I've briefly communicated with TimF and he mentioned the flowbits bug/limitations at the moment (bugs like 12086 and 12078). If these bugs cannot be fixed soon or easily could someone with a better understanding come up with a set of work-around steps we could write in a notice somewhere in the IPS documentation?
Those will be fixed in Core Update 133. That will be available for testing this week. I hope we have this out faster than we can update the documentation :)
Then, there is a section where you say: If CPU usage is very high for a long period of time you should try to identify rules which are less likely to be important on your network and disable those rules. Sustained high CPU usage will impact the performance of IPFire and slow down internet access.
The answer to that is to buy better hardware. Do not compromise on security. Loads of people have too small hardware because they wanted something cheap and will not be able to pass enough traffic through.
So, all in all I think you have many very good thoughts in there. But I agree that the page is way too long. It needs to be split (see my suggestion above) and I think the content that is there can be made a little bit shorter. We can assume enough knowledge of the reader to get basic concepts. The example that you won’t need BSD rules when you don’t have BSD systems on your network can be half a sentence. People should be able to get a hint.
Otherwise we might run into people not reading this at all and therefore missing basic principles when configuring this. Who reads a page of text these days?
-Michael
> Thank you,
> dnl
Documentation mailing list Documentation@lists.ipfire.org https://lists.ipfire.org/mailman/listinfo/documentation