Re: Firewall Easy-Configuration
On Mon, 12 Jan 2004, firstname.lastname@example.org wrote:
> ----- Original Message -----
> From: "Daniel Pittman" <email@example.com>
> To: "Pierre Gillmann" <firstname.lastname@example.org>
> Cc: <email@example.com>
> Sent: Monday, January 12, 2004 1:42 PM
> Subject: Re: Firewall Easy-Configuration
>> On Fri, 09 Jan 2004, Pierre Gillmann wrote:
>> > I would build a little firewall for my single PC. Sounds very easy,
>> > but the configurators which I found weren't so extremely good. And
>> > to write my own one is very problematic, because of the many
>> > functions.
>> *nod* I didn't find anything I liked to build firewall scripts with
>> for a long time. You may like the package that I now use, 'firehol'.
>> It is packaged for Debian unstable, or at <http://firehol.sf.net/>.
>> This package makes it easy to build a firewall as simple or as
>> complex as you like, and is as flexible as building your own script
>> from scratch if you wish.
> Have you tried Shorewall at http://www.shorewall.net ?
No. I have reviewed it several times, and it has not met my needs in
each of these cases. I welcome pointers or correction, though.
Specifically, when I reviewed it against the security requirements for
my current infrastructure at my place of work, the issues were (from
memory, and about six months ago, so some may have changed):
1. Inflexible "zone" policy in the package.
We needed five distinct "zones", which may be connected to the machine
in a number of ways or configurations, each with a distinct policy.
It did not appear to be possible to make shorewall achieve this result.
2. Non-router configuration.
It did not appear to be easy to make shorewall function on a leaf
server, rather than a router, to provide security.
3. Outbound traffic policing.
It did not appear to be easy to make shorewall impose strong rules on
outbound connections from a machine, especially WRT their destination.
4. Configuration file constructing
It did not appear to be easy to build a configuration file from
"fragments" based on the role of the server, using automated tools.
5. Complexity of the code.
It was a non-trivial task to audit the security-related parts of the
6. Clarity of generated output
It was not entirely clear what tests would be used to meet the rule
specifications in the configuration file.
Firehol met all these issues nicely out of the box, by providing:
1. unlimited "zone" definitions, based on any iptables match
2. router and leaf configuration supported out of the box
3. outbound rule definitions are implicit, and (trivially) required,
with 'permit all outbound' a clear and obvious statement rather
than a default value
4. configuration files are bash scripts, allowing unlimited complexity
(if desired) but without requiring any programming complexity.
The configuration file also has a simpler structure than shorewall.
5. Individual rule definitions can be complex with firehol, but the
core of the code is much smaller than most ruleset generators.
6. Firehol rules generation makes it very clear what tests, etc, will be
used for a given rule.
Note: I don't think that shorewall is bad, just that it was not
appropriate for my applications. If I have misunderstood any part of
its operation, please correct me.
Irrigation of the land with seawater desalinated by fusion power is ancient.
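The leaf-server, explicit-outbound and "build the configuration from fragments by role" points above can be shown together in one small script. This is an added example, not code from the thread or from the FireHOL project: a POSIX shell function assembles a FireHOL configuration for a single-uplink leaf server from role fragments, with every permitted outbound protocol named as a `client` rule so that nothing is allowed out by omission. The interface name `eth0`, the `version 5` header, the role names `web` and `mail`, and the management network `192.0.2.0/24` are assumptions chosen for the example; the directives themselves (`interface`, `policy`, `protection`, `server`, `client`, `src`) follow FireHOL's documented syntax.

```shell
#!/bin/sh
# Constructed example: assemble a FireHOL configuration for a leaf server
# (not a router) from role-based fragments. Interface name, version header,
# role names and the management network are assumptions for the example.

# Common header: one "zone" per interface; this host has a single uplink.
# Default-deny on the interface, with FireHOL's connection sanity checks.
fragment_base() {
    cat <<'EOF'
version 5

# Zone "internet": the only interface of a leaf server.
interface eth0 internet
    policy drop
    protection strong
EOF
}

# Outbound policy: each permitted client protocol is stated explicitly.
# The absence of "client all accept" is the whole point of this fragment.
fragment_outbound_minimal() {
    cat <<'EOF'
    client dns accept
    client ntp accept
EOF
}

# Role fragment for a web server: inbound HTTP/HTTPS from anywhere,
# SSH only from the (assumed) management network.
fragment_role_web() {
    cat <<'EOF'
    server http accept
    server https accept
    server ssh accept src "192.0.2.0/24"
EOF
}

# Role fragment for a mail relay: inbound SMTP, and SMTP is the one extra
# outbound destination this role is allowed to reach.
fragment_role_mail() {
    cat <<'EOF'
    server smtp accept
    client smtp accept
    server ssh accept src "192.0.2.0/24"
EOF
}

# build_firehol_config ROLE: print the complete configuration for ROLE.
# Unknown roles fail closed (non-zero exit, nothing usable emitted beyond
# the default-deny header), so a typo in a role name cannot open the host.
build_firehol_config() {
    role="$1"
    fragment_base
    case "$role" in
        web)  fragment_role_web ;;
        mail) fragment_role_mail ;;
        *)    echo "unknown role: $role" >&2; return 1 ;;
    esac
    fragment_outbound_minimal
}

# Stand-alone usage: ./build-firehol.sh web > /etc/firehol/firehol.conf
build_firehol_config "${1:-web}"
```

Because the fragments are plain shell functions, the same script can be driven by whatever tool already knows each server's role, and the generated file stays readable by someone auditing the ruleset.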