On Thu, Sep 04, 2003 at 09:01:17AM -0400, simon martin wrote:
> Daniel Pittman mentioned the use of higher level tools to build a
> firewall, not just a shell script with iptables commands. Has anybody
> evaluated the output of different firewall tools?

I haven't compared the output of /different/ tools. I do however use
fwbuilder a lot. We are even thinking about migrating commercial (a huge
waste of money) firewalls to fwbuilder based netfilter firewalls.

> I started off using script files with ipchains, and when I went onto a
> 2.4 kernel I first tried fwbuilder and then shorewall (which I still
> use). There must be many more tools out there (Daniel mentioned
> firehol), but these are the 2 that I have used.

Shorewall? <cough> It is not suited for setups that cover more than a DSL
router and a Windows PC behind it IMHO.

> Has anyone compared the output from these types of tool? Is there any
> conclusion as to which is better?

What defines better? The output from fwbuilder is very well done. The bugs
that have been squished since 1.0 are none that ever made the tool
unusable. Looking at the output scripts we haven't found anything not
belonging there.

Be warned however that fwbuilder will crash often - even in the current
version. Working more than 5 minutes without a core dump seems impossible.
It is worth being supported though. As it is completely driven by XML
config files and an external rule compiler, it is a matter of a simple
shell script to do much the same as (say) Checkpoint Provider-1.

Many people think they can write more effective iptables scripts
themselves. However, when you have more than 50 rules I bet these folks
lose control of what their scripts do.

Anyway, managing a rule set using drag and drop hasn't made me a "script
kiddy". :)

Regards
Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%-- 3,41 All

