
Re: Firewall Easy-Configuration



----- Original Message -----
From: "Daniel Pittman" <daniel@rimspace.net>
> > Have you tried Shorewall at http://www.shorewall.net ?
>
> No. I have reviewed it several times, and it has not met my needs in
> each of these cases.  I welcome pointers or correction, though.
>
> Specifically, when I reviewed it against the security requirements for
> my current infrastructure at my place of work, the issues were (from
> memory, and about six months ago, so some may have changed):
>
> 1. Inflexible "zone" policy in the package.
>
> We needed five distinct "zones", which may be connected to the machine
> in a number of ways or configurations, each with a distinct policy.
>
> It did not appear to be possible to make shorewall achieve this
> result.
>
>
> 2. Non-router configuration.
>
> It did not appear to be easy to make shorewall function on a leaf
> server, rather than a router, to provide security.
>
>
> 3. Outbound traffic policing
>
> It did not appear to be easy to make shorewall impose strong rules on
> outbound connections from a machine, especially WRT their destination
> zone.
>
>
> 4. Configuration file constructing
>
> It did not appear to be easy to build a configuration file from
> "fragments" based on the role of the server, using automated tools.
>
>
> 5. Complexity of the code
>
> It was a non-trivial task to audit the security related parts of the
> shorewall script.
>
>
> 6. Clarity of generated output
>
> It was not entirely clear what tests would be used to meet the rule
> specifications in the configuration file.
>
>
> Firehol met all these issues nicely out of the box, by providing:
>
> 1. unlimited "zone" definitions, based on any iptables match
>
> 2. router and leaf configuration supported out of the box
>
> 3. outbound rule definitions are implicit, and (trivially) required,
>    with 'permit all outbound' a clear and obvious statement rather
>    than a default value
>
> 4. configuration files are bash scripts, allowing unlimited complexity
>    (if desired) but without requiring any programming complexity.
>
>    The configuration file also has a simpler structure than shorewall.
>
> 5. Individual rule definitions can be complex with firehol, but the
>    core of the code is much smaller than most ruleset generators.
>
> 6. Firehol rules generation makes it very clear what tests, etc, will be
>    used for a given rule.
>
>
> Note: I don't think that shorewall is bad, just that it was not
> appropriate for my applications.  If I have misunderstood any part of
> its operation, please correct me.
>
>         Daniel

I'm not sure: the end result of both is that they produce iptables
rules. So basically you should be able to do with Shorewall what you
can do with firehol. Maybe not as easy, I don't know, but it should be
possible.

Regards,
Benedict
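As an added illustration of points 1, 3 and 4 in the quoted message (zones from iptables matches, explicit outbound policy, and building a config from role fragments), here is a small POSIX shell helper written for this page, not taken from FireHOL or from either poster. The "dmz" zone, interface, addresses, role names and fragment layout are all assumptions; the fragments use FireHOL 1.x configuration syntax.

```shell
#!/bin/sh
# Constructed example: assemble a FireHOL config for a leaf server from
# role-based fragments. Roles, addresses and fragment names are assumed.
set -eu

# Write sample fragments (constructed) into a directory.
write_fragments() {
  dir="$1"
  mkdir -p "$dir"
  # Leaf-server baseline: one interface, one "dmz" zone defined by a
  # source-address match, default policy drop, admin SSH from one host.
  cat >"$dir/base.conf" <<'EOF'
interface eth0 dmz src 192.0.2.0/24
    policy drop
    protection strong
    server ssh accept src 192.0.2.10
EOF
  # Role fragment: expose HTTP and HTTPS only.
  cat >"$dir/web.conf" <<'EOF'
    server "http https" accept
EOF
  # Outbound policy is stated explicitly per destination: only DNS and
  # SMTP to named internal hosts, nothing else leaves the machine.
  cat >"$dir/outbound.conf" <<'EOF'
    client dns accept dst 192.0.2.53
    client smtp accept dst 192.0.2.25
EOF
}

# Print the assembled configuration for a role. Fails (exit 1) on an
# unknown role or a missing fragment so automation never installs a
# partial ruleset.
build_firehol_conf() {
  role="$1"; dir="$2"
  case "$role" in
    webserver) frags="base web outbound" ;;
    bastion)   frags="base outbound" ;;
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
  printf 'version 5\n'
  for f in $frags; do
    [ -r "$dir/$f.conf" ] || { echo "missing fragment: $f" >&2; return 1; }
    printf '# fragment: %s\n' "$f"
    cat "$dir/$f.conf"
  done
}

# Usage: build_firehol_conf webserver /etc/firehol/frags > firehol.conf
```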