Well, being the maintainer for fwbuilder and working closely with Vadim Kurland, the upstream author, I can say he is very responsive to suggestions for modifications. The idea of fwbuilder is to keep the GUI abstract and be able to compile the rules based on any firewall format, depending on the policy compiler being used. As was also mentioned, it is not suggested that the GUI be run from the firewall itself, but rather that the generated script be moved via a secure means to the firewall from the machine running the GUI...

I know first-hand that Vadim Kurland has made multiple improvements to the iptables (fwbuilder-ipt) policy compiler on suggestions made back. I tend to be a unique testbed because of my own network topography. I can also say my firewall has been running using fwbuilder since I switched from ipchains back around mid-2001, when I started maintaining fwbuilder. Since then the generated iptables script has made vast improvements, and I'm finding it harder to find cases it does not handle...

I also do automated CVS builds and report problems back to Vadim Kurland, and this has helped find a lot of problems prior to his releases. I just don't advertise these much, as the XSLT transitions can change between CVS builds, and I tend to give the URL out to those that are aware of that, accept it, and take the necessary steps they need to maintain their XML files. I also build all final releases against the current stable (Woody currently) as well as my unstable uploads, for those wanting the current version but who don't want to upgrade to unstable to get it...

Regards,
Jeremy

On Sun, May 04, 2003 at 07:16:42AM +0200, Bernd Eckenfels wrote:
> On Sun, May 04, 2003 at 01:41:49PM +1000, Jonathan Oxer wrote:
> > manage a number of firewalls on our network using fwbuilder, and a
> > little while ago I printed out the iptables script generated for one of
> > them, and the script was 32 pages long. When you've got a network that's
> > less trivial than a couple of boxes on a DSL connection, a good GUI can
> > help you keep track of what's going where.
>
> On the other hand, it is extremely dangerous to rely on those setups. I also
> know those boxes. A while back I used to use "fwctl" (maintained by me but
> ipchains) for the task. The list of rules is similarly long. But fwctl has
> some problems with special types of rules, ordering as "classes" of
> objects. If you are not very careful, the rules might not look like you
> expect. And if you have 32 pages, you can never audit or understand them.
>
> I am currently checking fwbuilder for those kinds of problems, will report
> back. But anyway, by all means: KISS.
>
> Greetings
> Bernd
> --
> (OO) -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
> ( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
> o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
> (O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
>
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org