Daniel Pittman wrote: > ... > Shorewall, like many firewall packages, gives you[1] a whole bunch of > configuration options, which turn on or off features in the pre-packaged > firewall you have. > > This tends to make it hard to do strange things like playing with DSCP > tagging of packets, or deciding to use the 'uid' option to an iptables > rule, or whatever. The recent ipt_recent protection against SSH, etc, > brute force attacks is a good example of this sort of stuff. > > It also tends to encourage "shortcuts" in the firewall, like accepting > any RELATED/ESTABLISHED packets, Am i right in understanding that you consider accepting RELATED/ESTABLISHED packets a bad thing? > ... > Shorewall was *NOT* one of the tools that I evaluated to the level of a > generated firewall -- it didn't let me do some of the stuff I was doing > already, so I didn't try it. What were the main things you wanted that shorewall didn't do? > ... > Firehol suits me, personally, because it makes it easy to write a really > good and secure firewall, because it takes the hard work out of > iptables, but it still doesn't get in the way of doing, well, anything I > want. You can integrate arbitrary iptables commands into shorewall also. > ... >>I have heared some opinions like "shorewall is bad" so I'm really >>thinking of switching to something else. But I dont't know why... >>noone was able to give me a good reason. > ... > Also, in general I don't recommend changing *anything* just because > someone else tells you they don't like it -- and if they can't tell you > *why*, it is just that they "don't like it." Couldn't agree more. -- Paul <http://paulgear.webhop.net> -- Did you know? Many viruses specifically target Microsoft Outlook and Outlook Express. You can help to keep your computer free of viruses by using one of the more secure alternatives from <http://mozilla.org>.
Attachment:
signature.asc
Description: OpenPGP digital signature