Re: Firewall script builders

On Thu, Sep 04, 2003 at 07:29:10PM +0200, Christoph Haas wrote:
> I haven't compared the output of /different/ tools. I do however use
> fwbuilder a lot. We are even thinking about migrating commercial (a huge
> waste of money) firewalls to fwbuilder based netfilter firewalls.
	As the fwbuilder maintainer this makes me happy to know it's
at least being used... 

> > Has anyone compared the output from these types of tool? Is there any
> > conclusion as to which is better? What defines better?
> The output from fwbuilder is very well done. The bugs that have been
> squished since 1.0 are none that ever made the tool unusable. Looking
> at the output scripts we haven't found anything not belonging there.
	Yes Vadim Kurland has made considerable changes since the 1.0
release... I've also had input into the iptables policy compiler as

> Be warned however that fwbuilder will crash often - even in the current
> version. Working more than 5 minutes without a core dump seems
> impossible. It is worth being supported though. As it is completely
> driven by XML config files and an external rule compiler it is a matter
> of a simple shell script to do well the same as (say) Checkpoint
> Provider-1.
	I'm curious about this as Vadim just released 1.0.11 last night
and I am working to get the packaging done quickly... If you could
provide more information regarding this I would appreciate it and try to
look into it with Vadim... I haven't seen this problem myself personally
and I'll usually have fwbuilder up for quite some time tweaking,
recompiling the rules, testing script on firewall and repeating until
everything is as I want it...
> Many people think they can write more effective iptables scripts
> themselves. However when you have more than 50 rules I bet these folks
> lose control of what their scripts do. Anyway, managing a rule set using
> drag and drop hasn't made me a "script kiddy". :)
> Regards
>  Christoph
	Only 50 rules? I think I have at least 100 rules and that's just
on the one interface... That's where fwbuilder has helped me
considerably in managing and prioritizing the rules themselves...
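The thread's point about losing track of a hand-written rule set once it passes 50 or 100 rules can be checked mechanically against the `iptables-save` dump of a running firewall. The script below is an added example, not code from this thread or from fwbuilder: it looks for exact duplicate rules and for rules placed after an unconditional terminal rule in the same chain (which can never match), and counts rules per chain. The `SAMPLE_RULES` dump is constructed for the example; on a real host you would feed it the output of `iptables-save` instead.

```shell
#!/bin/sh
# Added example (not from the thread or from fwbuilder): audit an
# iptables-save dump for the two mistakes that creep into large
# hand-maintained rule sets.
#
# Constructed sample dump; replace with "$(iptables-save)" on a real host.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Print each "-A ..." rule line that occurs more than once (once per duplicate).
find_duplicates() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -d
}

# Print "-A" rules that follow an unconditional terminal rule in their chain.
# "Unconditional terminal" here means a rule with no match options at all,
# e.g. "-A INPUT -j DROP": anything appended to that chain afterwards is dead.
find_unreachable() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            chain = $2
            if (chain in closed) { print; next }
            if (NF == 4 && $3 == "-j" &&
                ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
                closed[chain] = 1
        }'
}

# Rules per chain, sorted by chain name, to track growth between revisions.
count_per_chain() {
    printf '%s\n' "$1" | awk '/^-A / { n[$2]++ } END { for (c in n) print c, n[c] }' | sort
}

echo "== duplicate rules =="
find_duplicates "$SAMPLE_RULES"
echo "== unreachable rules =="
find_unreachable "$SAMPLE_RULES"
echo "== rules per chain =="
count_per_chain "$SAMPLE_RULES"
```

The unreachable check is deliberately conservative: it only flags rules behind a rule with no match criteria. Partial shadowing (a later rule whose match set is a subset of an earlier one) needs a real match-set comparison, which is exactly the kind of bookkeeping a policy compiler such as fwbuilder's does for you.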


