Re: [tlug] *Small* NAT/DMZ/LAN h/w suggestions?
- Date: Thu, 31 May 2007 07:54:25 +0900
- From: tlug@example.com
- Subject: Re: [tlug] *Small* NAT/DMZ/LAN h/w suggestions?
- References: <20070529050750.GC1793@P2> <f118b8b90705300124o11c72a0duc31e748e5c4182e4@mail.gmail.com> <20070530134321.GF1793@P2>
- User-agent: KMail/1.9.1
On 2007-05-30 (Wednesday) 22:43, Edward Wright wrote:

> Thanks for your concern. Actually I have used iptables, ipchains and
> (if I remember the name right) ipfwadm before that.

<SNIP>

> Ipcop and smoothwall may be great programs, but I have an innate
> distrust of GUI and/or web based config tools. Especially where
> security is concerned, I would really want to know what they are
> doing. And by the time I figured that out, I might as well have done
> it myself, methinks. (Arguably, you're making a decision to trust
> someone at some point......)

I have the same feeling of distrust toward generated config files, whether they are produced by a GUI or not, especially when it comes to security. I totally understand your point of view that one needs to understand the output of such tools, and that they therefore may as well just write it themselves. I tried out various tools, however, and now use Shorewall for most of my firewall needs...

One of the main reasons that I use Shorewall is that it seems more efficient. As with programming or writing markup such as CSS, there are major benefits to be gained by abstracting common ideas. A big sign of poorly written code is repeated lines. iptables rules are directly processed by the system and are therefore analogous to compiled bytecode, while systems like Shorewall are analogous to higher level languages.

For example, my home LAN has four zones with different levels of trust. Each zone has unique settings of course, but there are still common rules as well as rules for how each zone can interact with each other. Using Shorewall allows me to specify the rules very succinctly, which makes it easier to maintain. Another example is my laptop, where the firewall has to deal with wifi, eth0 (as well as aliases for serving on more than one IP within trusted networks), and virtual interfaces created for virtual machines.
I have found that Shorewall saves me a *lot* of trouble, and I can always inspect the output rules when I am feeling paranoid. To anyone who writes their own iptables rules but is interested in trying out a higher level utility, I would recommend Shorewall as a good candidate. I will include links to the homepage and documentation below. After starting the service, be sure to run `iptables -L` and inspect the output. If nothing else, you may learn some new tricks to include in your own rules; I sure did.

Cheers,
Travis

http://www.shorewall.net/
http://www.shorewall.net/shorewall_setup_guide.htm
http://www.shorewall.net/shorewall_quickstart_guide.htm
http://www.shorewall.net/XenMyWay-Routed.html
http://www.shorewall.net/Documentation.html
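As an added illustration of the zone-based abstraction the post describes (example configuration written for this archive, not Travis's own files): a four-zone layout where per-zone defaults live in the policy file and only the exceptions are spelled out as rules. Zone names, interfaces and addresses are assumed.

```shorewall
# Added example: four zones of differing trust (net, dmz, loc, wifi).
# Assumed interface names and addresses; not the poster's configuration.

# /etc/shorewall/zones      (ZONE  TYPE)
fw    firewall
net   ipv4          # the Internet, untrusted
dmz   ipv4          # public-facing servers
loc   ipv4          # wired LAN, trusted
wifi  ipv4          # wireless, semi-trusted

# /etc/shorewall/interfaces (ZONE  INTERFACE  BROADCAST  OPTIONS)
net   eth0   detect   dhcp,tcpflags,nosmurfs,routefilter,logmartians
dmz   eth1   detect   tcpflags
loc   eth2   detect   tcpflags
wifi  wlan0  detect   tcpflags

# /etc/shorewall/policy     (SOURCE  DEST  POLICY  LOG LEVEL)
# One default per zone pair; processed in order, so the catch-all is last.
loc   net    ACCEPT
wifi  net    ACCEPT
$FW   all    ACCEPT
net   all    DROP     info
all   all    REJECT   info      # anything not matched above is logged and rejected

# /etc/shorewall/masq       (INTERFACE  SOURCE)
# NAT everything leaving eth0 from the private zones.
eth0  192.168.0.0/16

# /etc/shorewall/rules      (ACTION  SOURCE  DEST              PROTO  DEST PORT(S))
# Exceptions to the policies above; the zone-to-zone defaults do the rest.
SECTION NEW
ACCEPT  loc    $FW               tcp    22          # ssh to the firewall from the wired LAN only
ACCEPT  all    $FW               udp    53          # the firewall runs a caching resolver
ACCEPT  loc    dmz               tcp    80,443
ACCEPT  wifi   dmz               tcp    80,443
DNAT    net    dmz:192.168.2.10  tcp    80,443      # publish the DMZ web server
ACCEPT  dmz    net               udp    53          # DMZ hosts may resolve names...
ACCEPT  dmz    net               tcp    25          # ...and send mail, nothing else
```

Every zone pair not listed in rules falls through to its policy line, so adding a fifth zone means a few new policy lines rather than copying a block of per-chain iptables commands; `iptables -L -v -n` afterwards shows the generated chains for review.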