Mailing List Archive



Re: [tlug] iptables - Tools for easy configuration



On 02/07/07, emiddleton@example.com wrote:

> Josh Glover wrote:
>
> > On 01/07/07, Pietro Zuco <drzuco@example.com> wrote:
> >
> >> That's what I wanted to avoid...
> >> I strongly disagree with iptables front-ends, tools or whatever.
> >
> > Why? They output a ruleset that you can tweak to your heart's content.
>
> Not if you have only used the GUI tools and don't understand the details
> of how iptables works.

But that is why I think Pietro's topic is ideal for a Lightning talk. You
can explain the basics of iptables / netfilter in five minutes, and demo
a basic firewall in another five.

> Once you get beyond the "Deny All, Allow This, That, and The Other"
> model, writing iptables firewalls by hand gets rapidly unmaintainable.
> That is why Pietro has his toolbox of scripts and you have yours.

I'd rather we use a common toolbox, to benefit from peer review.

> It is like saying you don't need to learn to use a
> console because we have GUIs.

Not at all; traditional GUIs reduce your flexibility, not increase it.

For example, MS PowerPoint 97 is a traditional, HWS[1] GUI. You can
only do what the GUI allows. OpenOffice 2.0 Impress, OTOH, is a new,
hacker-compatible GUI. I can build my presentation with the GUI, then
go in and tweak the XML if I need to make small alterations.

The iptables GUI wrapper tools that I have seen almost all have an
option to simply output the ruleset, and if they don't, use this
pattern:

sudo firestarter &                      # build the ruleset in the GUI
sudo /etc/init.d/iptables save          # dump the live rules to rules-save
sudo vim /var/lib/iptables/rules-save   # hand-tweak the saved ruleset
sudo /etc/init.d/iptables reload        # load the edited file
sudo /etc/init.d/iptables save          # re-save so file and live rules agree

* Your distro may make this harder than Gentoo does. Consider
switching to a hacker's Linux! ;)

Cheers,
Josh

[1] Hood Welded Shut
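
The save / edit / reload pattern above leaves you hand-editing an
iptables-save text file, and that is where the typos creep in. As an added
example (not from this post, nor from firestarter or Gentoo's init script),
here is the "Deny All, Allow This, That, and The Other" firewall the thread
keeps mentioning, generated as iptables-save text, with a static check for
the slips hand-editing invites (a dropped COMMIT, a default policy left at
ACCEPT, a jump to a misspelled chain) and an apply step that dry-runs the
file and arms a rollback timer. The interface name eth0, the user chain
SERVICES, the port list, the 60-second timer and the use of
`iptables-restore --test` are all assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: a "deny all, allow a few
# services" firewall kept as an iptables-save text file, so the ruleset
# can be reviewed, hand-edited and checked before it is loaded.
# Assumptions (chosen for illustration): interface eth0, a user chain
# named SERVICES, TCP ports 22/80/443, and an iptables-restore that
# accepts --test (iptables 1.4 and later).

# build_ruleset IFACE PORT... : print an iptables-save ruleset on stdout.
build_ruleset() {
    iface=$1; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # deny all inbound by default
    printf '%s\n' ':FORWARD DROP [0:0]'    # this host does not route
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':SERVICES - [0:0]'      # user chain holding the allow list
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' "-A INPUT -i $iface -m conntrack --ctstate NEW -j SERVICES"
    for port in "$@"; do
        printf '%s\n' "-A SERVICES -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A SERVICES -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' '-A SERVICES -j DROP'
    printf '%s\n' 'COMMIT'
}

# check_ruleset FILE : static checks for the slips that hand-editing
# invites, which iptables-restore only reports once you try to load it.
# Returns 0 when the file passes, 1 with a message on stderr otherwise.
check_ruleset() {
    f=$1
    grep -q '^\*filter$' "$f" || { echo "$f: no *filter table" >&2; return 1; }
    grep -q '^COMMIT$' "$f"   || { echo "$f: missing COMMIT" >&2; return 1; }
    for chain in INPUT FORWARD; do
        grep -q "^:$chain DROP " "$f" \
            || { echo "$f: $chain policy is not DROP" >&2; return 1; }
    done
    # Every -j target must be a built-in target or a chain declared as ':NAME'.
    for target in $(sed -n 's/.* -j \([A-Za-z0-9_-]*\).*/\1/p' "$f" | sort -u); do
        case $target in
            ACCEPT|DROP|REJECT|LOG|RETURN) ;;
            *) grep -q "^:$target " "$f" \
                   || { echo "$f: jump to undeclared chain $target" >&2; return 1; } ;;
        esac
    done
    return 0
}

# apply_ruleset FILE : dry-run, load, and arm a rollback timer so a bad
# edit on a remote box cannot lock you out. Needs root and iptables; it is
# not part of the offline demo below.
apply_ruleset() {
    f=$1
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore --test "$f" \
        || { echo "$f: rejected by iptables-restore --test" >&2; return 1; }
    iptables-restore "$f" || return 1
    ( sleep 60 && iptables-restore "$backup" ) &    # auto-revert in 60 s
    echo "loaded $f; run 'kill $!' within 60 s to keep it"
}

# Offline demo: build a ruleset, check it, then show the check catching a
# typo in a chain name. Run with: sh firewall.sh demo
demo() {
    good=$(mktemp); bad=$(mktemp)
    build_ruleset eth0 22 80 443 > "$good"
    check_ruleset "$good" && echo "$good: ok"
    sed 's/-j SERVICES$/-j SERVICE/' "$good" > "$bad"   # constructed slip
    check_ruleset "$bad" || echo "$bad: rejected, as it should be"
    rm -f "$good" "$bad"
}

if [ "${1-}" = "demo" ]; then
    demo
fi
```

check_ruleset only reads text, so it runs as an ordinary user and fits
between the "vim" and "reload" steps of the pattern above; apply_ruleset
needs root and a live netfilter. The rollback timer is the part worth
copying: with a DROP policy on INPUT, a wrong edit on a remote box means
the old ruleset comes back on its own instead of you reaching for the
console.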

