Hi Daniel,

I use shorewall on my home server. My answers in line.

Monday, January 12, 2004, 1:04:01 AM, Daniel Pittman wrote:

<snip>

DP> 1. Inflexible "zone" policy in the package.
DP> We needed five distinct "zones", which may be connected to the machine
DP> in a number of ways or configurations, each with a distinct policy.
DP> It did not appear to be possible to make shorewall achieve this result.

/etc/shorewall/zones -> define zones
/etc/shorewall/interfaces -> define interfaces for zones

DP> 2. Non-router configuration.
DP> It did not appear to be easy to make shorewall function on a leaf
DP> server, rather than a router, to provide security.

Not quite sure what your requirements are here. As far as I can see routing is
controlled by route (or iproute), and security by iptables.

DP> 3. Outbound traffic policing
DP> It did not appear to be easy to make shorewall impose strong rules on
DP> outbound connections from a machine, especially WRT their destination
DP> zone.

Again, not quite sure what this is about. I deny/permit access to the internet
by service/destination and have never had any problems.

DP> 4. Configuration file constructing
DP> It did not appear to be easy to build a configuration file from
DP> "fragments" based on the role of the server, using automated tools.

I always edit the configuration files directly.

DP> 5. Complexity of the code
DP> It was a non-trivial task to audit the security related parts of the
DP> shorewall script.

No comment.

DP> 6. Clarity of generated output
DP> It was not entirely clear what tests would be used to meet the rule
DP> specifications in the configuration file.

I agree.

<snip>

I have never used firehol so I cannot comment.

HTH.

-- 
   __ _                      Debian GNU User
  / /(_)_ __  _   ___  __    Simon Martin
 / / | | '_ \| | | \ \/ /    Project Manager
/ /__| | | | | |_| |>  <     Milliways
\____/_|_| |_|\__,_/_/\_\    mailto: smartin@milliways.cl
                             ICQ: 81183862
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
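As an added illustration of the two files Simon points at (not part of his mail, and not Shorewall's own shipped configuration), the script below writes a five-zone layout of the kind Daniel asks about: the zones file names the zones, the interfaces file ties each zone to an interface, and the policy file gives each zone pair its own default action. The zone names, interface names and interface options are assumptions chosen for the example; the column layout follows the Shorewall 1.4-era file formats. Files are written under a temporary directory rather than /etc/shorewall so the example can be run safely. The policy_for helper resolves a source/destination pair the way Shorewall applies the policy file: top to bottom, "all" matching any zone, first match wins, which is why the catch-all rows must come last.

```shell
#!/bin/sh
# Added example: a five-zone Shorewall configuration laid out across
# zones, interfaces and policy. Zone and interface names are assumed for
# illustration. Written under $SHOREWALL_DIR (a temp dir by default) so
# the real /etc/shorewall is never touched.

SHOREWALL_DIR="${SHOREWALL_DIR:-$(mktemp -d)}"

write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    # zones: one line per zone. The firewall zone itself ("fw") is not
    # listed here; it is named by FW= in shorewall.conf.
    cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY     COMMENTS
net     Net         Internet
loc     Local       Trusted LAN
dmz     DMZ         Public servers
vpn     VPN         Road warriors (tun0)
mgmt    Mgmt        Management network
EOF

    # interfaces: which interface carries which zone, plus per-interface
    # options (norfc1918/routefilter/tcpflags only make sense on the
    # Internet-facing interface).
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter,tcpflags
loc     eth1        detect
dmz     eth2        detect
vpn     tun0        -
mgmt    eth3        detect
EOF

    # policy: default action for each zone pair. Shorewall takes the
    # first matching row, so zone-specific rows sit above the "all" rows.
    cat > "$dir/policy" <<'EOF'
#SOURCE     DEST    POLICY      LOG LEVEL
loc         net     ACCEPT
loc         dmz     ACCEPT
mgmt        all     ACCEPT
fw          net     ACCEPT
dmz         net     ACCEPT
vpn         loc     ACCEPT
net         all     DROP        info
all         all     REJECT      info
EOF
}

# policy_for DIR SRC DST: echo the POLICY that applies to traffic from
# zone SRC to zone DST, using first-match semantics with "all" as a
# wildcard, exactly as the policy file is meant to be read.
policy_for() {
    awk -v s="$2" -v d="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }
    ' "$1/policy"
}

write_shorewall_config "$SHOREWALL_DIR"
```

Running it and then calling, for example, policy_for "$SHOREWALL_DIR" net loc returns DROP from the "net all" row, while dmz to loc falls through to the final "all all REJECT" row; swapping those last two rows would silently change the answer, which is the ordering pitfall worth checking whenever the policy file is edited.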