Firewall - Very limited Access - suggestions

Ow Mun Heng Ow.Mun.Heng at wdc.com
Wed Jun 2 18:19:24 UTC 2004


On Wed, 2004-06-02 at 08:30, Rodolfo J. Paiz wrote:
> At 09:51 5/30/2004, Jack Bowling wrote:
> >Hi, Kevin. GUI front ends to netfilter/iptables such as Firestarter,
> >GuardDog, Shorewall, etc. should all be considered as learning tools. They
> >will allow you to have a decent firewall in place while you roll up your
> >sleeves and do your homework on how iptables works. There is *no*
> >substitute for writing your own iptables rules.
> 
> I disagree. Shorewall is not a GUI to use as a learning tool... for 
> starters, it is not a GUI at all. Shorewall is a *very* powerful 
> configuration tool which covers damn near everything you can do with 
> iptables, and its text files are orders of magnitude easier to learn, 
> well-documented, clear, and actively supported by the author.
> 
> I wrote ipchains rules by hand for years. Then I wrote iptables rules by 
> hand for months. Then I found Shorewall, and I've never looked back... over 
> 100 systems now and counting. It's allowed me to do things for which I had 
> not yet mastered the iptables syntax, and also things I didn't know 
> iptables could do. :-)
> 
> As a further note: I have come to believe that user error makes it too easy 
> to make mistakes on a hand-written script, *regardless* of the skill level 
> of the administrator. In any human endeavor seeking precision, 
> repeatability, and reduction of errors, tools are used to automate tasks 
> like this. I much prefer Shorewall to hand-editing iptables rules; not only 
> is it easier, I believe the end result (because it eliminates many possible 
> errors I might make) is more secure.


I have to agree with Rodolfo (who incidentally suggested I try out
Shorewall.) Having read up on iptables/ipchains, I still find writing
iptables rules by hand to be thought-consuming, and Shorewall comes
easily to the rescue.

Maybe every admin worth his salt needs to know how to write good iptables
rules, but why re-invent the wheel?

Since it's also text based, you can SSH in to the box and edit it
easily.
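To make the comparison in the thread concrete, here is an added example (not from any of the posters) of the kind of text files Shorewall works from, next to the hand-written iptables commands they stand in for. The file layout and column names follow the Shorewall 4.x format as I know it, and the interface name, the single "net" zone and the "SSH in, everything out, drop and log the rest" policy are assumptions for illustration, not anything from the original message.

```text
# /etc/shorewall/zones      (assumed example; one external zone plus the firewall itself)
#ZONE   TYPE
fw      firewall
net     ipv4

# /etc/shorewall/interfaces (assumed: the box has one NIC, eth0, facing the net zone)
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs

# /etc/shorewall/policy     (first match wins; the last line is the catch-all)
#SOURCE DEST    POLICY  LOG
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules      (exceptions to the policies above)
#ACTION SOURCE  DEST    PROTO   DPORT
ACCEPT  net     $FW     tcp     22

# Roughly what a hand-written iptables script has to get right to express
# the same thing (ordering matters: flush, then default policies, then the
# state rule BEFORE anything else, or an SSH session to the box dies):
iptables -F
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "net2fw:DROP:"
```

The point Rodolfo makes about error reduction shows up in the last block: every line of the script is an opportunity to misorder the state rule, forget the loopback accept, or set the default policy after flushing and lock yourself out. In the Shorewall files that ordering is generated for you, and `shorewall check` validates the configuration before anything touches the live ruleset.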