On 3 Jul 2005, Jakub Sporek wrote:

> On Sun, 03 Jul 2005 05:07:02 +0200, Daniel Pittman <[EMAIL PROTECTED]>
> wrote:
>
>> I found that 'firehol' was quite a surprise to me -- not only didn't it
>> suck, it actually improved my hand-written firewall somewhat.
>
>> Unlike everything else, it doesn't tell you to fill in three values in a
>> configuration file and expect to have a full firewall. All it does is
>> help take the tedious bits out of writing an iptables firewall.
>
> I'd like to know what you think of shorewall? Is it a good firewall or
> should I switch to that firehol you write about?

I didn't like shorewall when I evaluated it, but not for reasons of
security.

Shorewall, like many firewall packages, gives you[1] a whole bunch of
configuration options, which turn on or off features in the pre-packaged
firewall you have. This tends to make it hard to do strange things like
playing with DSCP tagging of packets, or deciding to use the 'uid' option
to an iptables rule, or whatever. The recent ipt_recent protection
against SSH, etc, brute force attacks is a good example of this sort of
stuff.

It also tends to encourage "shortcuts" in the firewall, like accepting
any RELATED/ESTABLISHED packets, because each option in the configuration
file is actually an "if" statement around a bit of hand crafted
firewall.[2]

These points may or may not apply to Shorewall - I didn't evaluate down
to that level when I was looking at it, and things may have changed
since.

On the other hand, they do normally make it easier to have a "working"
firewall in less time, and potentially with less understanding[3], than
raw iptables, or firehol, demand.

This doesn't really suit me, because I want to do occasional odd stuff,
and because when I have evaluated the few tools that didn't restrict me
too much I found that the generated firewall wasn't up to scratch.

Shorewall was *NOT* one of the tools that I evaluated to the level of a
generated firewall -- it didn't let me do some of the stuff I was doing
already, so I didn't try it.

Firehol, on the other hand, is a tool that makes it *easier* to write an
iptables firewall by doing all the tedious work for you. Instead of
writing out a hundred stanzas with a couple of changes, it lets the
computer do all the hard work of turning ten lines into that hundred.

For example, my current firewall has on the order of eight hundred
individual iptables rules covering traffic through it. Writing that by
hand would be ... impossible, or pretty close to it.

On the other hand, my firewall also includes a handful of raw iptables
level rules, because there were things that firehol *didn't* support
when I last touched the configuration.

Firehol suits me, personally, because it makes it easy to write a really
good and secure firewall, because it takes the hard work out of iptables,
but it still doesn't get in the way of doing, well, anything I want.

> I have heard some opinions like "shorewall is bad" so I'm really
> thinking of switching to something else. But I don't know why...
> no one was able to give me a good reason.

All my reasons are personal taste, basically, and I certainly don't
advise that you change your firewall tool on the basis of my personal
taste. ;)

Also, in general I don't recommend changing *anything* just because
someone else tells you they don't like it -- and if they can't tell you
*why*, it is just that they "don't like it."

However, if you do want to consider another firewall tool, firehol is a
good choice, in my opinion. OTOH, you may hate it with a passion, since
your style of firewall building may be totally different from mine.

Oh, and if you do use it, *do* use 'firehol try', which is one of the
finest features of the package. :)

Finally, a hint for anyone who read this far: for most configurations,
the firewall is really quite static. It doesn't change based on anything
other than you editing a file, and it /is/ pretty slow for a complex
rules file.

So, treat firehol like a compiler: run it when something changes, and
use iptables-save(8) and friends at boot time to restore the rules.
Voila, the low performance is something that doesn't bother you much of
the time.

Daniel

Footnotes:
[1] So far as I can tell. I have not looked in, oh, a year or so, so
    things may be dramatically different these days.
[2] I don't know if shorewall actually works like this, or more like
    firehol internally, but all the other

[3] This is not to say that using Shorewall is a sign that you are a bad,
    or ignorant, administrator, by any stretch of the imagination.

--
Our undisciplinables are our proudest product... Let us hope our output
of them will never cease. -- William James
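The "ten lines into a hundred" and "treat the tool like a compiler" points above can be shown with a small example. What follows is an added illustration, not code from the mailing-list author, from firehol or from shorewall: a deliberately tiny generator that expands a compact policy (a list of services, allowed sources, and an optional ipt_recent brute-force limit) into iptables-restore text. The policy, the chain names (in_ssh, in_http, ...) and the address ranges are constructed for the example and are not any real firewall. The returned string is exactly the artefact the message recommends keeping static: generate it when the policy changes, and load it at boot with iptables-restore.

```python
"""Tiny firehol-style rule compiler (added example, hypothetical policy).

Expands a short service list into iptables-restore format.  Every name,
address and port below is constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Service:
    name: str                      # used to derive a per-service chain
    proto: str                     # "tcp" or "udp"
    port: int
    sources: List[str] = field(default_factory=lambda: ["0.0.0.0/0"])
    # (hitcount, seconds): drop a source that opens more than `hitcount`
    # new connections inside `seconds`, via the ipt_recent match.
    recent_limit: Optional[Tuple[int, int]] = None


# Constructed policy: four lines of intent, expanded to ~15 rules below.
POLICY = [
    Service("ssh", "tcp", 22, ["192.0.2.0/24", "198.51.100.0/24"],
            recent_limit=(4, 60)),
    Service("http", "tcp", 80),
    Service("https", "tcp", 443),
    Service("dns", "udp", 53, ["192.0.2.0/24"]),
]


def compile_policy(policy: List[Service], iface: str = "eth0") -> str:
    """Return iptables-restore text for the filter table."""
    header = ["*filter",
              ":INPUT DROP [0:0]",
              ":FORWARD DROP [0:0]",
              ":OUTPUT ACCEPT [0:0]"]
    # Declare every per-service chain before any rule references it.
    header += [f":in_{svc.name} - [0:0]" for svc in policy]

    rules = ["-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate INVALID -j DROP",
             # Accept replies to traffic we allowed: the 'shortcut' the
             # message mentions, stated once and deliberately.
             "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"]

    # One dispatch rule per (service, source) pair: this is the part that
    # grows multiplicatively and is tedious to write by hand.
    for svc in policy:
        for src in svc.sources:
            rules.append(
                f"-A INPUT -i {iface} -s {src} -p {svc.proto} "
                f"--dport {svc.port} -m conntrack --ctstate NEW "
                f"-j in_{svc.name}")

    # Per-service chains, with optional ipt_recent brute-force limiting.
    for svc in policy:
        chain = f"in_{svc.name}"
        if svc.recent_limit:
            hits, secs = svc.recent_limit
            rules.append(f"-A {chain} -m recent --name {svc.name} --set")
            rules.append(
                f"-A {chain} -m recent --name {svc.name} --update "
                f"--seconds {secs} --hitcount {hits} -j DROP")
        rules.append(f"-A {chain} -j ACCEPT")

    # Rate-limited log of what the DROP policy will eat.
    rules.append('-A INPUT -m limit --limit 5/min -j LOG '
                 '--log-prefix "IN-DROP: "')

    return "\n".join(header + rules + ["COMMIT"]) + "\n"


def rule_count(text: str) -> int:
    """Number of '-A' rules in generated iptables-restore text."""
    return sum(1 for line in text.splitlines() if line.startswith("-A "))


if __name__ == "__main__":
    # Write the compiled ruleset; load it at boot with
    #   iptables-restore < /etc/iptables/rules.v4   (path is hypothetical)
    print(compile_policy(POLICY), end="")
```

The generator runs offline and never touches the kernel; loading its output is a separate, fast step (iptables-restore applies the whole table atomically), which is the split the message recommends between the slow "compile" and the boot-time "restore".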