Probably preaching to the choir here, but...

On Thu, 12 Dec 2002 12:09:42 CST Try Aden wrote:

> Thanks for the feedback. We have been using FloppyFW for 2 years now.
> It is hard for me to do an objective comparison of the two packages
> because I have been personally using Eigerstein, Dachstein and now
> Bering. So I have grown very accustomed and comfortable to the way
> it is structured. I am trying to convince our head sysadmin to switch
> from FloppyFW to Bering /w shorewall 1.3.10. With no success. (sigh)

Thank you for your comments. I have never used FloppyFW, so it is interesting to hear a comparison from someone who has.

> Here are the "advantages" of FloppyFW.
> - you can edit your firewall rules with a Unix text editor on
> your windows box. (something like NoteTab lite.)

You could do the same with LEAF variants. Is the difference that the firewall rules are stored uncompressed on the boot media?

> - Some would see the "building your own ruleset" as an advantage.
> I do not. I prefer to have a tested and proven ruleset to start
> with and then change it as I see fit.

Bering comes with shorewall by default, but shorewall (and iptables in recent versions) is a package that can be replaced with your favorite firewall configuration or scripts. I think shorewall is elegant and powerful, and it fits my needs nicely. For those that need something else there's nothing stopping them.

> - Virtually all editing and configuration of FloppyFW can be
> done with the text editor mentioned above. Because all of the
> configs are kept as a series of .ini files.

While it's usually easier to edit LEAF config files in-place, they are all plain-text and can be edited in any text editor. There are several ways to transfer them back-and-forth between the firewall and an external host if you need to. Seems like editing them off the firewall (for both LEAF variants and FloppyFW) would actually be a bigger hassle than editing them in-place. The one exception I can think of is for initial configuration when you're making lots of edits and may want to script them.

tar, gz and text manipulation tools are available for just about every platform under the sun. If your volume of installs warrants scripting, you should be able to do it on any platform you want.

> - FloppyFW is a firewall. No more. No less. The packages
> available for it are very limited.

If all you want is a firewall, remove weblet.lrp, dnscache.lrp, tinydns.lrp, and any other programs you don't want from the LRP parameter in syslinux.cfg. If you're paranoid, remove the unused packages from the boot media too.

> The disadvantages are as follows:
> - It uses an older version of iptables. Floppy-FW uses 1.2.5
> shorewall uses 1.2.6a
> - You can't stop|start|restart the firewall without rebooting
> the box. Ugh!!!

That seems like it would be a nightmare on a dynamic network. Restarting shorewall doesn't kill masqueraded connections, but a reboot definitely would. Ouch.

> - When the firewall loads the rules. The rules scroll by very
> quickly and you can't use shift-page-up to backup and see what
> went wrong. It only goes about two screens up.
> - If there is a dnscache app for FloppyFW I have not seen it.
> (The packages available are very limited.)
>
> I would have to concede that our sysadmin is right when he
> says that FloppyFW is working for us so there is no reason
> to change. But I was hoping that we could migrate to a
> package that is "in my opinion" far better. I guess I will
> have to wait until we require IPSEC to make my move and
> propose Bering /w shorewall again. I was hoping that someone
> on the list could provide me with some irrefutable evidence
> that moving from FloppyFW to Bering is a prudent move. But
> I guess you are right. It must just come down to preference.
>
> If anyone has anything to add to this please let me know.

Another potential benefit of Bering is the grsecurity patch compiled into the default kernel.
That said, if FloppyFW suits your company's needs and the admins there understand how to properly use it, the case for changing is probably weak.

--Brad