On Fri, 21 Oct 2005 09:59:12 +0200 Guido Tschakert <[EMAIL PROTECTED]> spake:
> Kilaru Sambaiah wrote:
> > Hello All,
> > I am a Linux administrator and use iptables for my firewall. I use
> > shorewall, where you only need to set up the policy based on whether
> > your box has one interface, two interfaces or three. Policy, zones,
> > interfaces, rules: these are all I need to edit.
> >
> > Is there any such tool for PF? I am not looking for a GUI for
> > generating rules.
>
> Hello Sam,
>
> fwbuilder is a GUI which "vomits" pf rules if you wish (and also
> iptables and some other kinds of firewalls).
> It's easy to use, but the result is not ever exactly what you want
> (therefore I used "vomit").
> It's nice to see what it produces with iptables and then what it
> produces with pf (at this point it can help you to see the differences
> between iptables rules and pf rules), but mostly it is better to edit
> pf.conf directly, so you know exactly what your firewall rules do.
>
> And btw: pf rules are much more readable than a set of iptables commands.
>
> So give it a try.

I've been playing with fwbuilder for a few years with iptables and now PF... it's been useful as far as selling some clients on *nix firewalls (I used to push Linux systems as firewalls). The Cisco sales guy basically shows them printouts of iptables code and tells them that if they want a Linux firewall, that's what they have to learn. Of course iptables code is not exactly fun to follow compared to pf. I actually sat down with a prospective client and before I could say anything they said "nope, we don't want it". When I found out why and showed them, they were a bit pissed at the Cisco guy. Anyway, even if you definitely want to go with the GUI, learn PF first and then look at the code output from fwbuilder. Once you understand how fwbuilder will output rules and have an understanding of how PF works best, getting the two to come together helps. That being said, you can only scratch the surface using fwbuilder... QoS, anchors, tables, etc. are not out yet in there.

The next version, from what I hear, will be changing some other things. I've not done anything terribly large - most of my rule sets are under 100 rules... so the vomit part may be heading my way sometime soon. Actually, the one thing I would not suggest doing is taking an existing fwbuilder iptables setup and switching it to PF. It works with some tweaking, but the resulting rule set is a mess. Learn PF, start from scratch. In the end, learning and editing pf.conf by hand is the best way to go - it's actually pretty easy. But if your alternative to a GUI like fwbuilder is getting some commercial, overpriced, glossy POS - give it a whirl.