Hi Daniel,
I use shorewall on my home server. My answers in line.
Monday, January 12, 2004, 1:04:01 AM, Daniel Pittman wrote:
<snip>
DP> 1. Inflexible "zone" policy in the package.
DP> We needed five distinct "zones", which may be connected to the machine
DP> in a number of ways or configurations, each with a distinct policy.
DP> It did not appear to be possible to make shorewall achieve this result.
/etc/shorewall/zones -> define zones
/etc/shorewall/interfaces -> define interfaces for zones
DP> 2. Non-router configuration.
DP> It did not appear to be easy to make shorewall function on a leaf
DP> server, rather than a router, to provide security.
Not quite sure what your requirements are here. As far as I can see
routing is controlled by route (or iproute), and security by iptables.
DP> 3. Outbound traffic policing
DP> It did not appear to be easy to make shorewall impose strong rules on
DP> outbound connections from a machine, especially WRT their destination
DP> zone.
Again, not quite sure what this is about. I deny/permit access to the
internet by service/destination and have never had any problems.
DP> 4. Configuration file constructing
DP> It did not appear to be easy to build a configuration file from
DP> "fragments" based on the role of the server, using automated tools.
I always edit the configuration files directly.
DP> 5. Complexity of the code
DP> It was a non-trivial task to audit the security related parts of the
DP> shorewall script.
No comment.
DP> 6. Clarity of generated output
DP> It was not entirely clear what tests would be used to meet the rule
DP> specifications in the configuration file.
I agree.
<snip>
I have never used firehol so I cannot comment. HTH.
--
Debian GNU User    Simon Martin
                   Project Manager
                   Milliways
                   mailto: smartin@milliways.cl
                   ICQ: 81183862
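As an added illustration of points 1 and 3 (several zones with distinct default policies, and policing the firewall host's own outbound traffic by destination zone), here is how they map onto the files Simon names. This is example configuration written by the editor, not from either poster or the Shorewall project; it assumes current Shorewall 4.x/5.x column layout (which differs from the 2004-era files), and the interface names, zone names and ports are constructed.

```text
# /etc/shorewall/zones  (constructed example: five zones plus the firewall itself)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
vpn     ipv4
mgmt    ipv4

# /etc/shorewall/interfaces  (one interface per zone; names are made up)
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,tcpflags,nosmurfs,routefilter
loc     eth1        tcpflags
dmz     eth2        tcpflags
mgmt    eth3        tcpflags
vpn     tun0        -

# /etc/shorewall/policy  (point 1: a distinct default per zone pair; first match wins)
#SOURCE DEST    POLICY  LOGLEVEL
$FW     net     REJECT  info      # point 3: the host's own outbound traffic is denied
$FW     all     ACCEPT            # ...except towards the internal zones
mgmt    all     ACCEPT            # admin network may reach everything
loc     net     ACCEPT            # LAN may browse out
loc     dmz     ACCEPT
vpn     loc     ACCEPT            # remote users reach the LAN only
dmz     all     DROP    info      # DMZ hosts initiate nothing
net     all     DROP    info      # unsolicited inbound is dropped and logged
all     all     REJECT  info      # anything not listed above

# /etc/shorewall/rules  (exceptions to the policies; ports are illustrative)
#ACTION SOURCE  DEST    PROTO   DPORT
ACCEPT  $FW     net     udp     53        # DNS lookups from the host itself
ACCEPT  $FW     net     tcp     80,443    # package updates, nothing else outbound
ACCEPT  net     dmz     tcp     80,443    # published web service
ACCEPT  mgmt    $FW     tcp     22        # SSH to the firewall only from mgmt
```

Each policy line is a default for one source/destination zone pair and the rules file lists the exceptions, so the generated iptables chains (point 6) follow the same zone-pair structure.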