Mailing List Archive


Re: [tlug] *Small* NAT/DMZ/LAN h/w suggestions?

On 2007-05-30 (Wednesday) 22:43, Edward Wright wrote:
> Thanks for your concern. Actually I have used iptables, ipchains and
> (if I remember the name right) ipfwadm before that.
> Ipcop and smoothwall may be great programs, but I have an innate
> distrust of GUI and/or web based config tools. Especially where
> security is concerned, I would really want to know what they are
> doing. And by the time I figured that out, I might as well have done
> it myself, methinks. (Arguably, you're making a decision to trust
> someone at some point......)

I have the same feeling of distrust toward generated config files, whether
they are produced by a GUI or not, especially when it comes to security.  I
totally understand your point of view that one needs to understand the output
of such tools, and that they therefore may as well just write it themselves.
I tried out various tools, however, and now use Shorewall for most of my
firewall needs...

One of the main reasons that I use Shorewall is that it seems more efficient.
As with programming or writing markup such as CSS, there are major benefits
to be gained by abstracting common ideas.  A big sign of poorly written code
is repeated lines.  iptables rules are directly processed by the system and
are therefore analogous to compiled bytecode, while systems like Shorewall
are analogous to higher level languages.  For example, my home LAN has four
zones with different levels of trust.  Each zone has unique settings of
course, but there are still common rules as well as rules for how the zones
can interact with each other.  Using Shorewall allows me to specify the rules
very succinctly, which makes it easier to maintain.  Another example is my
laptop, where the firewall has to deal with wifi, eth0 (as well as aliases
for serving on more than one IP within trusted networks), and virtual
interfaces created for virtual machines.  I have found that Shorewall saves
me a *lot* of trouble, and I can always inspect the output rules when I am
feeling paranoid.

To anyone who writes their own iptables rules but is interested in trying out
a higher level utility, I would recommend Shorewall as a good candidate.  I
will include links to the homepage and documentation below.  After starting
the service, be sure to run `iptables -L` and inspect the output.  If nothing
else, you may learn some new tricks to include in your own rules; I sure did.

Cheers, Travis
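As an added example (not Travis's configuration and not Shorewall's own files), here is a minimal Shorewall layout for the kind of zone split described in the post, with a small helper that resolves which policy line governs a given zone pair the way Shorewall does (first match wins). The fw/net/loc/dmz zone names, the eth0/eth1/eth2 interfaces and the 192.168.2.10 DMZ host are assumed values.

```shell
#!/bin/sh
# Added example (not Travis's config): a minimal Shorewall layout for a
# fw/net/loc/dmz zone split, plus a helper that resolves which POLICY line
# governs a zone pair (first match wins, as Shorewall itself evaluates it).
# Interface names and the 192.168.2.10 DMZ web server are constructed values.
set -eu
CONF="$(mktemp -d)"
cat >"$CONF/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF
cat >"$CONF/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter
loc     eth1        detect      tcpflags,nosmurfs
dmz     eth2        detect
EOF

# Ordered, first match wins: the trusted LAN may reach the Internet, nothing
# from net is accepted by default, and every other pair is rejected and
# logged, so a zone pair you forgot to think about fails closed.
cat >"$CONF/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
# Exceptions to the policies, stated once per service instead of per chain.
cat >"$CONF/rules" <<'EOF'
#ACTION       SOURCE  DEST               PROTO  DEST PORT(S)
DNAT          net     dmz:192.168.2.10   tcp    80,443
SSH(ACCEPT)   loc     $FW
Ping(ACCEPT)  loc     $FW
ACCEPT        dmz     net                tcp    53
ACCEPT        dmz     net                udp    53
EOF

# policy_for SRC DST: print the POLICY of the first matching entry.
policy_for() {
  awk -v s="$1" -v d="$2" '
    /^#/ || NF < 3 { next }
    ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }
  ' "$CONF/policy"
}
```

On a real host the four files go in /etc/shorewall; `shorewall check` validates them before `shorewall start`, after which `iptables -L -n -v` shows the generated chains for the inspection the post recommends.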
