Firewalls will always be a key ingredient to network security, but not all firewalls are equal. Recently I’ve been forced into documenting how I decide & think about firewall rules…

Strict Firewalling
IMO Strict Firewalling is the traditional way to implement your traffic policies (ACLS), each rule should be as tight as possible… the idea of “any” should not be used at all and ranges should be kept at a minimum; hosts better than subnets, source and destination IPs restricted, specific TCP ports (not ranges) used.

Service Led Firewalling
A term I think I made up, Service Led Fierwalling is where you relax the ACL/policy at the source… to host a DNS Zone you need to allow “anyone” to perform lookups so Strict Firewalling cannot be applied here but you do know the destination and the service so both of these should be defined/restricted as appropriate… you see what I mean here the policy is defined by the “service” provided.

Open Firewalling
Possibly a contradiction in terms but bare with me; there are some instances whereby implementing a firewall provides little benefit, one example I’ve seen was a customer’s security officer wanted an internal firewall (i.e. no internet connection) in front of their Microsoft file server, in order for AD & MS clients to work properly all the MS ports had to be opened… so server guys continuously complained, what exactly is the firewall doing? What is Open Firewalling? It’s the process of implementing a black list followed by a white list, rather than the traditional permit then drop processing that a firewall does; I’d create a rule that Drops Prohibited applications (such as P2P or unencrypted protocols) and then create a policy permitting all ports from legitimate IP ranges.

When would I use these?
Your firewall should be broken into zones, each zone meets both security policy and business requirements, you should then apply a firewalling technique to each zone. For example it’s not uncommon to have a back-end database which should only ever be accessed by the front end application, therefore it could be in a zone protected by Strict Firewalling; public services such as websites/email servers require flexibility on their source thus require service led firewalling. Occasionally your business or application requirements suggest that firewalling impedes things, using open firewalling to “clean” traffic compromises “security people wanting firewalls” and any historical business/application issues… the firewall is there perhaps protecting against syn-flood attacks & as previously suggested blocking prohibited apps yet the business doesn’t see any traditional firewall headaches.

I don’t agree you fool!
That’s your choice, there’s no correct answer to security, the business you work in and the security policy mandated from senior management direct what you do, these are just my approaches

This post is an extension to this excellent article except with a subtle difference, I’m not interested in hacking the WP core, I’m writing a plug-in

I’m going to assume that you’ve requested access to WordPress.org’s SVN repository, and you’ve found the admin panel and want to get your Xcode goodness hooked up to the WP SVN.

To get started create a new Empty Xcode project.

Xcode project chooser	Empty Project

From the menu bar select SCM then Configure Repositories, the window select the + to add a new repo, the username & password pair are your wordpress.org credentials, you can find the URL to your SVN repo on the wordpress.org site.

The WP.org admin interface

Next from the menu bar select SCM then Repositories, highlight the repo you’ve just created and choose checkout; you’re going to be asked for a folder to “save” the contents of the repo to, I chose inside my Xcode project folder.

Repo’ Config	Code Checkout

You now need to add those “checked out” files to you project, in the tree on the left, right/control click the blue project icon at the top and select add existing files, accept the defaults and the repo should be imported.

Imported Code

These files now in the project need to be associated with the repo, this is done by highlighting the blue project icon and clicking the “Info” button, then click “Configure Roots & SCM”; click the + button and choose your repo folder (again)… the dropdown on the right should automatically select the correct SCM.

Project Properties	Project Roots

If you now change a file / add / delete / etc it will appear under the SCM tree, you can right/control click and commit to the repo…. job done

Yay it works!

Very quickly you’re going to find out that you want to test your changes prior to commiting them, to do this you may want to copy your files upto a webserver…. I get Xcode to do that for me, using macfuse to mount my webroot via ssh but for this example I’ll create a directory on the desktop … you also need to create any subdirectories you may need.. I have to create “admin”.

To copy the files we’re use an Xcode target, from the menu bar choose Project then New Target then Copy Files Target, I called my new target CopyFile. Using the info button change the absolute path of the copy – e.g. /Users/Nick/Desktop/LL … now here I ran into a problem (suggestions welcome)… next I created extra copy build phases for each subdirectory. Control/right click your Target ( i.e CopyFiles) then choose Add, New Build Phase, New Copy Files Build Phase… I then set the absolute path of this “sub target” to /Users/nick/Desktop/LL/admin/ to represent my admin subdirectory.

Finally DRAG down the files into their correct target, all being well and a fair wind clicking “BUILD” will cause your files to be copied into your directory. You can now make changes, click build to test, and then commit them to subversion when you’re happy

Finished!

The red sweater post that inspires this now talks about creating a RUN shortcut to automatically open a web browser for testing, however mine didn’t work… I got this error “The program being debugged is not being run“… suggestions to fix welcome!