Re: Firewall and Laptop
On 1 Jan 2005, Bill Moseley wrote:
> Which of the firewall packages is closest to building iptables rules
> by hand?
From my experience, firehol is the tool that gets in the way the least.
You can write raw iptables calls with it, in fact, if you really want to
abuse it. Then you only get the 'test and roll back' mode, and a few
other nice features.
> I, for one, prefer to have just one file that contains the iptables
> commands to build the firewall. The front-end tools are nice but I
> feel like they make me learn about how to run their tool instead of
> how to work with iptables -- an obscuring layer, in effect. It's also
> easier to understand (for me) when it's a simple hand-edited script
> that gets run out of init.d and /etc/networking/interfaces.
> For example, I use gshield on one machine, which is reasonably basic,
> but I have not figured out why when I traceroute out that machine
> blocks. gshield has a config file, but I'd rather be trying to edit
> the basic iptables commands.
firehol does a really good job of getting the annoying and repetitive
parts of the firewall script out of the way, but still lets you get at
the meat of it.
Anyway, if you actually want to understand what it does, install it and
use the 'explain' mode, which takes an input rule and tells you
*exactly* what iptables commands will be run by it.
There is also 'debug' mode which emits an almost stand-alone shell
script that shows all the iptables rules at a time...
> I think my firewall needs are reasonably common, too. I need NAT and
> to allow a few services in and a DMZ. A well commented iptables
> script would be fine. I can cut-n-paste some iptables rules to open a
> new port. But, I do need a tool that will set all those default rules
> for spoofing in invalid ip blocks that are not specific to how my
> machine is configured.
firehol should be able to express that configuration in about five lines
of code, if you want, while still letting you add anything you need
later on, no matter how complex.
Copyright law is totally out of date. It is a Gutenberg artifact.
Since it is a reactive process, it will probably have to break
down completely before it is corrected.
-- Nicholas Negroponte, _Being Digital_, 1995
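The hand-edited script Bill describes (NAT, a few inbound services, a DMZ, and the anti-spoofing rules for reserved address blocks), written out as an added example; this is not code from the original thread, from firehol, or from gshield. The interface names (eth0/eth1/eth2), the RFC 1918 subnets and the DMZ web host address are assumptions chosen for illustration. The script prints the iptables commands instead of running them, so the rule set can be read and checked the way firehol's 'explain' mode shows them; pipe the output through sh as root to apply it.

```shell
#!/bin/sh
# Added example: a reviewable, hand-written iptables rule set for a small
# NAT + DMZ firewall. Interfaces and addresses below are assumptions.

WAN=eth0                 # assumed: interface facing the Internet
LAN=eth1                 # assumed: internal network
DMZ=eth2                 # assumed: DMZ network
LAN_NET=192.168.1.0/24   # assumed LAN subnet (RFC 1918)
DMZ_NET=192.168.2.0/24   # assumed DMZ subnet (RFC 1918)
DMZ_WEB=192.168.2.10     # assumed: web server living in the DMZ

# Source blocks that must never arrive from the Internet side: RFC 1918
# private ranges, loopback, link-local, 0.0.0.0/8, multicast and class E.
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 \
169.254.0.0/16 0.0.0.0/8 224.0.0.0/4 240.0.0.0/4"

# Emit one iptables command per line instead of executing it (dry run).
ipt() { printf 'iptables %s\n' "$*"; }

build_rules() {
    # Start clean: flush filter and nat, default-deny inbound and forwarded.
    ipt -F; ipt -X; ipt -t nat -F
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

    # Anti-spoofing. Reserved source blocks are dropped on the WAN side,
    # and each inside interface may only carry its own subnet as source.
    for net in $BOGONS; do
        ipt -A INPUT -i "$WAN" -s "$net" -j DROP
        ipt -A FORWARD -i "$WAN" -s "$net" -j DROP
    done
    ipt -A INPUT -i "$LAN" ! -s "$LAN_NET" -j DROP
    ipt -A INPUT -i "$DMZ" ! -s "$DMZ_NET" -j DROP

    # Loopback, plus replies to connections we or our clients opened.
    # ICMP errors such as time-exceeded are classified RELATED, which is
    # what an outgoing traceroute needs in order to get its answers back.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services offered by the firewall host itself: ssh from anywhere,
    # DNS only from the LAN.
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$LAN" -p udp --dport 53 -j ACCEPT

    # Forwarding policy: the LAN may reach anything (Internet and DMZ),
    # the DMZ may reach only the Internet, never the LAN.
    ipt -A FORWARD -i "$LAN" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -j ACCEPT

    # Published DMZ service: port-forward HTTP from the WAN to the web host
    # and allow exactly that forwarded flow.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_WEB"
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_WEB" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # NAT everything that leaves through the WAN interface.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Print the rule set for review. To apply as root:  sh fw.sh | sh
build_rules
```

Because the rule order is the policy, the anti-spoofing drops sit before the ESTABLISHED,RELATED accept, and the only inbound path into the DMZ from the WAN is the one DNAT target; adding a second published service means adding one PREROUTING and one FORWARD line, which is the cut-and-paste growth the thread asks for.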