Re: Firewall script builders

On Thu, 4 Sep 2003, simon martin wrote:
> Daniel Pittman mentioned the use of higher level tools to build a
> firewall, not just a shell script with iptables commands. Has anybody
> evaluated the output of different firewall tools?

I can put up my hand here as having evaluated a fair proportion of what
is out there. :)

> I started off using script files with ipchains, and when I went onto a
> 2.4 kernel I first tried fwbuilder and then shorewall (which I still
> use). There must be many more tools out there (Daniel mentioned
> firehol), but these are the 2 that I have used.
> Has anyone compared the output from these types of tool? Is there any
> conclusion as to which is better? What defines better?

Your last question is the most interesting: "better" in this case is the
tool that gives you the level of security you want in return for the
effort you can afford.

I recommend Firehol because it is a more polished version of what I was
writing with my hand-rolled scripts, and because it generates very good
output -- as good as hand-written iptables scripts, if not better.

Shorewall and other "script and config file" setups seem pretty good, as
a rule, but lack some of the flexibility in describing *your* network
model, I found.

None of the GUI tools was ever much use to me, because I don't *want* to
click and drag icons around to build my firewall...
