Well being the maintainer for fwbuilder and working closely with Vadim
Kurland the upstream author I can say he is very responsive to suggestions for
modifications. The idea of fwbuilder is to keep the GUI abstract and be able to
compile the rules based on any firewall format depending on the policy compiler
being used. As it was also mention'd it is not suggested the GUI be ran from the
firewall itself but rather have the script generated be moved via a secure means
to the firewall from the machine running the GUI...
I know first-hand that Vadim Kurland has made multiple improvements to
the iptables (fwbuilder-ipt) policy compiler on suggestions made back. I tend to
be a unique testbed because of my own network topography. I can also say my
firewall has been running using fwbuilder since I switched from ipchains back
around mid-2001 when I started maintaining fwbuilder. Since this time the
iptables script generated has made vast improvements and I'm finding it harder
to find cases it does not handle...
I also do automated CVS builds and report problems back to Vadim Kurland
and this has help'd find a lot of problems prior to his releases. I just don't
advertise these much as the XSLT transitions can change between CVS builds and I
tend to give the URL out to those that are aware of that and accept it and take
the necessary steps they need to maintain their XML files. I also build all
final releases against the current stable (Woody currently) as well as my
unstable uploads for those wanting the current version but don't want to upgrade
to unstable to get it...
Regards,
Jeremy
On Sun, May 04, 2003 at 07:16:42AM +0200, Bernd Eckenfels wrote:
> On Sun, May 04, 2003 at 01:41:49PM +1000, Jonathan Oxer wrote:
> > manage a number of firewalls on our network using fwbuilder, and a
> > little while ago I printed out the iptables script generated for one of
> > them, and the script was 32 pages long. When you've got a network that's
> > less trivial than a couple of boxes on a DSL connection, a good GUI can
> > help you keep track of what's going where.
>
> On the other hand, it is extremely damgerous to rely on those setups. I also
> know those boxes. A while back I used to use "fwctl" (maintained by me but
> ipchains) for the task. The list of rules are similiar long. But fwctl has
> some problems with special types of rules, ordering als "classes" of
> objects. If you are not very carefull, the rules might not look like you
> expect. and if you have 32 pages, you can never audit or understand them.
>
> I am currently checing fwbuilder for those kinds of problems, will report
> back. But anyway by all means: KISS.
>
> Greetinngs
> Bernd
> --
> (OO) -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
> ( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
> o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
> (O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
Attachment:
pgpnzSzNEFEGU.pgp
Description: PGP signature