Re: Firewall script builders

To: debian-firewall@lists.debian.org
Cc: Christoph Haas <email@christoph-haas.de>
Subject: Re: Firewall script builders
From: "Jeremy T. Bouse" <jbouse@debian.org>
Date: Thu, 4 Sep 2003 10:56:26 -0700
Message-id: <[🔎] 20030904175626.GA26067@UnderGrid.net>
Mail-followup-to: debian-firewall@lists.debian.org, Christoph Haas <email@christoph-haas.de>
In-reply-to: <[🔎] 20030904172910.GA31776@torf.workaround.org>
References: <1062371226.1599.95.camel@coltrane> <200309011017.37884.tarragon@onthe.net.au> <[🔎] 1062638150.1002.2.camel@coltrane> <[🔎] 87ad9l8ggb.fsf@enki.rimspace.net> <[🔎] 1375731330.20030904090117@milliways.cl> <[🔎] 20030904172910.GA31776@torf.workaround.org>

On Thu, Sep 04, 2003 at 07:29:10PM +0200, Christoph Haas wrote:
> I haven't compared the output of /different/ tools. I do however use
> fwbuilder a lot. We are even thinking about migrating commercial (a huge
> waste of money) firewalls to fwbuilder based netfilter firewalls.
> 
	As the fwbuilder maintainer this makes me happy to know it's
atleast being used... 

> > Has anyone compared the output from these types of tool? Is there any
> > conclusion as to which is better? What defines better?
> 
> The output from fwbuilder is very well done. The bugs that have been
> squished since 1.0 are none that ever made the tool unuseable. Looking
> at the output scripts we haven't found anything not belonging there.
> 
	Yes Vadim Kurland has made considerable changes since the 1.0
release... I've also had input into the iptables policy compiler as
well... 

> Be warned however that fwbuilder will crash often - even in the current
> version. Working more than 5 minutes without a core dump seems
> impossible. It is worth being supported though. As it is completely
> driven by XML config files and a external rule compiler it is a matter
> of a simple shell script to do well the same as (say) Checkpoint
> Provider-1.
>
	I'm curious about this as Vadim just released 1.0.11 last nite
and I am working to get the packaging done quickly... If you could
provide more information regarding this I would appreciate it and try to
look into it with Vadim... I haven't seen this problem myself personally
and I'll usually have fwbuilder up for quite some time tweaking,
recompiling the rules, testing script on firewall and repeating until
everything is as I want it...
 
> Many people think they can write more effective iptables scripts
> themselves. However when you have more than 50 rules I bet these folks
> lose control of what their scripts do. Anyway, managing a rule set using
> drag and drop hasn't made me a "script kiddy". :)
> 
> Regards
>  Christoph
> 
	Only 50 rules? I think I have atleast 100 rules and that's just
on the one interface... That's where fwbuilder has help'd me
considerably in managing and prioritizing the rules themselves...

	Regards,
	Jeremy

Attachment: pgpdpFVea9j2c.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Firewall script builders
  - From: Christoph Haas <email@christoph-haas.de>

References:
- Re: my iptables script
  - From: Jule Slootbeek <jslootbeek@clarku.edu>
- Re: my iptables script
  - From: Daniel Pittman <daniel@rimspace.net>
- Firewall script builders
  - From: simon martin <smartin@milliways.cl>
- Re: Firewall script builders
  - From: Christoph Haas <email@christoph-haas.de>

Prev by Date: Re: Firewall script builders
Next by Date: Re: Firewall script builders
Previous by thread: Re: Firewall script builders
Next by thread: Re: Firewall script builders
Index(es):
- Date
- Thread