[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Firewall - Very limited Access - suggestions



On Wed, 2004-06-02 at 08:30, Rodolfo J. Paiz wrote:
> At 09:51 5/30/2004, Jack Bowling wrote:
> >Hi, Kevin. GUI front ends to netfilter/iptables such as Firestarter,
> >GuardDog, Shorewall, etc. should all be considered as learning tools. They
> >will allow you to have a decent firewall in place while you roll up your
> >sleeves and do your homework on how iptables works. There is *no*
> >substitute for writing your own iptables rules.
> 
> I disagree. Shorewall is not a GUI to use as a learning tool... for 
> starters, it is not a GUI at all. Shorewall is a *very* powerful 
> configuration tool which covers damn near everything you can do with 
> iptables, and its text files are orders of magnitude easier to learn, 
> well-documented, clear, and actively supported by the author.
> 
> I wrote ipchains rules by hand for years. Then I wrote iptables rules by 
> hand for months. Then I found Shorewall, and I've never looked back... over 
> 100 systems now and counting. It's allowed me to do things for which I had 
> not yet mastered the iptables syntax, and also things I didn't know 
> iptables could do. :-)
> 
> As a further note: I have come to believe that user error makes it too easy 
> to make mistakes on a hand-written script, *regardless* of the skill level 
> of the administrator. In any human endeavor seeking precision, 
> repeatability, and reduction of errors, tools are used to automate tasks 
> like this. I much prefer Shorewall to hand-editing iptables rules; not only 
> is it easier, I believe the end result (because it eliminates many possible 
> errors I might make) is more secure.


I have to agree with Rodolfo (who incidently suggested I try out
shorewall.) Having read up on iptables/ipchains, I still find writing
iptables rules by hand to be thought-consuming, and shorewall is easy to
the rescue.

Maybe every admin worth his salt needs to know how to write good iptable
rules, but why re-invent the wheel?

Since it's also text based, you can SSH in to the box and edit it
easily.





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]