On Thu, Sep 04, 2003 at 09:01:17AM -0400, simon martin wrote:
> Daniel Pittman mentioned the use of higher level tools to build a
> firewall, not just a shell script with iptables commands. Has anybody
> evaluated the output of different firewall tools?

I haven't compared the output of /different/ tools. I do however use
fwbuilder a lot. We are even thinking about migrating commercial (a huge
waste of money) firewalls to fwbuilder based netfilter firewalls.

> I started off using script files with ipchains, and when I went onto a
> 2.4 kernel I first tried fwbuilder and then shorewall (which I still
> use). There must be many more tools out there (Daniel mentioned
> firehol), but these are the 2 that I have used.

Shorewall? <cough> It is not suited for setups that cover more than a
DSL router and a Windows PC behind it IMHO.

> Has anyone compared the output from these types of tool? Is there any
> conclusion as to which is better? What defines better?

The output from fwbuilder is very well done. The bugs that have been
squished since 1.0 are none that ever made the tool unusable. Looking
at the output scripts we haven't found anything not belonging there.

Be warned however that fwbuilder will crash often - even in the current
version. Working more than 5 minutes without a core dump seems
impossible. It is worth being supported though. As it is completely
driven by XML config files and an external rule compiler it is a matter
of a simple shell script to do well the same as (say) Checkpoint

Many people think they can write more effective iptables scripts
themselves. However when you have more than 50 rules I bet these folks
lose control of what their scripts do. Anyway, managing a rule set using
drag and drop hasn't made me a "script kiddy". :)
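The point above about losing track of what a hand-written script does once it passes a few dozen rules is easiest to see with a small rule compiler of the kind fwbuilder-style tools wrap. The following is an added example, not code from this thread or from fwbuilder; it assumes a hypothetical one-rule-per-line policy format (src, dst, proto, dport, action) rather than fwbuilder's XML, and the sample policy is constructed. It shows the two things a compiler gives you that a raw script does not: the generated iptables commands are auditable as a plain list, and a rule that can never match because an earlier rule already covers it (a "shadowed" rule) is caught before anything is loaded.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample policy in a hypothetical text format (not fwbuilder's XML).
# Columns: src  dst  proto  dport  action.  "any" is a wildcard for proto/dport.
SAMPLE_POLICY = """
# src             dst               proto  dport  action
10.0.0.0/8        0.0.0.0/0         tcp    80     ACCEPT
10.0.1.0/24       0.0.0.0/0         tcp    80     DROP     # never matches: covered by the rule above
0.0.0.0/0         192.168.1.10/32   tcp    22     ACCEPT
0.0.0.0/0         0.0.0.0/0         any    any    DROP
"""


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: str
    action: str


def parse_policy(text: str) -> List[Rule]:
    """Parse the hypothetical policy format; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"bad rule line: {raw!r}")
        src, dst, proto, dport, action = fields
        if action not in ("ACCEPT", "DROP", "REJECT"):
            raise ValueError(f"unknown action {action!r} in {raw!r}")
        if proto.lower() == "any" and dport != "any":
            raise ValueError(f"a port needs a protocol: {raw!r}")
        rules.append(Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          proto.lower(), dport, action))
    return rules


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching b also matches a, so b placed after a is dead."""
    return (a.src.supernet_of(b.src) and a.dst.supernet_of(b.dst)
            and a.proto in ("any", b.proto)
            and a.dport in ("any", b.dport))


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (dead_index, covering_index) pairs; indices are 0-based policy order."""
    shadowed = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if _covers(rules[j], rule):
                shadowed.append((i, j))
                break
    return shadowed


def compile_rules(rules: List[Rule], chain: str = "FORWARD") -> List[str]:
    """Emit iptables commands for a chain with a default-DROP policy.

    Refuses to compile a policy that contains shadowed rules, so the
    loaded rule set never differs silently from what the author wrote.
    """
    dead = sorted({i for i, _ in find_shadowed(rules)})
    if dead:
        raise ValueError(f"refusing to compile: shadowed rules at {dead}")
    out = [f"iptables -P {chain} DROP",
           f"iptables -F {chain}",
           f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        parts = [f"iptables -A {chain}"]
        if r.src.prefixlen:          # 0.0.0.0/0 means "any", so omit the match
            parts.append(f"-s {r.src}")
        if r.dst.prefixlen:
            parts.append(f"-d {r.dst}")
        if r.proto != "any":
            parts.append(f"-p {r.proto}")
            if r.dport != "any":
                parts.append(f"--dport {r.dport}")
        parts.append(f"-j {r.action}")
        out.append(" ".join(parts))
    return out


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    dead = find_shadowed(rules)
    for i, j in dead:
        print(f"# rule {i} can never match: already covered by rule {j}")
    live = [r for i, r in enumerate(rules) if i not in {d for d, _ in dead}]
    print("\n".join(compile_rules(live)))
```

Run as-is it reports the dead second rule and prints the commands for the remaining three; the generated list is what you would diff between revisions or review before loading, which is the "looking at the output scripts" step mentioned above.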


