Re: Firewall script builders

On Thu, Sep 04, 2003 at 08:56:55PM +0200, Christoph Haas wrote:
> On Thu, Sep 04, 2003 at 10:56:26AM -0700, Jeremy T. Bouse wrote:
> > As the fwbuilder maintainer this makes me happy to know it's
> > at least being used... 
> Everybody who asks me how to build a Linux-based firewall always got
> fwbuilder recommended first. Some have looked at the output and thus
> learned how the netfilter works but most of them still mainly use the
> fwbuilder to maintain the iptables scripts.
	Yeah I tend to recommend it as well for obvious reasons... Just
makes me feel better that others think it's good enough to recommend...
Was actually the package I did while trying to become a Debian
Developer... Nothing like picking a multi-binary package to start off on
> > I'm curious about this as Vadim just released 1.0.11 last nite
> > and I am working to get the packaging done quickly...
> I'm still using a pinned version 1.0.5 on my Woody server. I had enough
> problems running aptitude and fwbuilder on the same system due to
> library problems (hmm, which one was that?). However on my development
> system I have a most up-to-date unstable system and could well try out
> the 1.0.11 version. At work we have a test system running 1.0.9 which is
> even more unstable/buggy than the 1.0.5 in terms of crashing. It might
> be some localisation problem though - some applications on Gnome used to
> have problems in a non-English (LANG=de) environment.
	I actually have an apt-get'able repository on people.debian.org
that I upload new versions of fwbuilder built in a woody/stable chroot
so people can run the latest version on stable without upgrading to
unstable... It may be with the localization code as that is fairly new
IIRC... I don't set any locale so that could be why I wouldn't see the
problem... 'Course I know the system well enough I guess I could set it
for testing and see if I can get it to crash...
> > If you could provide more information regarding this I would
> > appreciate it and try to look into it with Vadim... I haven't seen
> > this problem myself personally and I'll usually have fwbuilder up for
> > quite some time tweaking, recompiling the rules, testing script on
> > firewall and repeating until everything is as I want it...
> Thanks a lot for your offer. I'm quite personally interested in fwbuilder 
> and would like to help improving the package. If it wouldn't yet be a
> .deb package I had surely made one. :)
	That's pretty much why I created the package... And I figured
if I could make use of it I was certain someone else could so I went
through the trouble to become a developer so I could maintain it...
Vadim is actually a great guy... We've met up for coffee and discussed
things that could be improved... He's pretty responsive to suggestions
as well...
> > Only 50 rules? I think I have at least 100 rules and that's just
> > on the one interface... That's where fwbuilder has help'd me
> > considerably in managing and prioritizing the rules themselves...
> Bear with me - I'm used to Checkpoint. They have no written limit in
> the number of rules but our most complex firewall features 400 rules
> which makes the Checkpoint GUI more unstable than one-legged chair.
	Easiest for me to say my "best friends" refer to me as "anal
retentive" when it comes to my network firewall security... I've
actually had a standing bet out among my friends that I haven't had to
pay up on in over 7 years now... 
> A short note on what is really a lack in the fwbuilder (perhaps fixed
> since 1.0.9): it's a pain in the lower back that you cannot select a
> column (destination for example), right-click and say "Add". The
> drag'n'drop approach is nice but with a larger number of objects,
> firewalls, interfaces and rules you can scroll, I'll bet one day I will
> accidentally unscrew my mouse-wheel. The Checkpoint GUI (which fwbuilder
> is obviously derived from) makes this task easier, even allowing
> searching for objects in this "Add" dialog by just typing its name. Just
> a suggestion.
	Have you gone to the Fwbuilder SourceForge project and submit'd
this as a feature request? This sounds like something that he might
actually work to get in there fairly quickly if it didn't take much...
I'm sure prolly all the hooks necessary are in the code... I do believe
he did model it after Checkpoint as I believe he's worked with it
before... You are also aware that he does have a commercial Cisco PIX
policy compiler that works with the open-source GUI... I haven't
discussed with him regarding having it available in a .deb but he does
have it in a .rpm which he maintains... 

> If we even had a working fwbd which allowed to distribute the firewall
> scripts automatically that would be a blast.
	I'm not sure when he plans to have a working fwbd available...
I know I help'd with patches to correct the X.509 certificate
generation wizard in fwbuilder back in the early 1.0 releases... I also
help'd with the move from xml1 to xml2 transition... I've heard his
plans for fwbd and am anxious to see it be available as well but I
believe he's been concentrating on the GUI and policy compilers up to
this point... I know 1.0.11 has a fwbuilder-installer which is written
in Perl but I haven't work'd with it yet... This may be a sticking point
for me as it means I need to get it packaged and test'd properly before