
Re: [tlug] *Small* NAT/DMZ/LAN h/w suggestions?



> I have the same feeling of distrust toward generated config files, whether
> they are produced by a GUI or not, especially when it comes to security.  I
> totally understand your point of view that one needs to understand the output
> of such tools, and that they therefore may as well just write it themselves.
> I tried out various tools, however, and now use Shorewall for most of my
> firewall needs...

I'm not sure if I follow you here. You are saying you distrust these tools and then you go on to say how great one of these tools is...

I see no issue with generating your firewall rules with a GUI or CLI
tool. If you are knowledgeable enough in iptables then you can simply
run iptables -L and inspect the rules that were generated. From there
you can use these rules as a base to tweak to your heart's content,
or leave them as is if you are satisfied with them...

On the other hand if you are not knowledgeable enough to audit the
rules generated you have a limited number of options. Trust the tool,
research/learn how to audit the rules, ask/pay someone else to audit
the generated rules for you, ask/pay someone to hand craft the rules
for you, or simply have no firewall...

In the end I still think that knocking up a box and throwing some hand-built
system on there for a business "may" not be the best way to go.
Unless of course you are a consultant and are willing to support this
custom box/system for the business in question. After all, their
business may rely on reliable network connectivity, and may need
support whilst you are at your normal day job...

I know Edward is more than capable of doing this. I'm just thinking of
this from a non-technical angle.

Regards, Keith
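The message above suggests inspecting whatever rules a tool generated before trusting them. As an added example that is not part of the thread or of any tool mentioned in it, the script below audits an iptables ruleset in `iptables-save` format for two things a reviewer would look for first: an INPUT or FORWARD chain whose default policy is ACCEPT, and INPUT rules that ACCEPT traffic without restricting the source address (loopback and stateful return-traffic rules are excluded, since those legitimately have no `-s`). The ruleset is a constructed sample, not a dump from any real host; on a real box you would pipe `iptables-save` into the same function.

```shell
#!/bin/sh
# Added example: a small audit pass over an iptables-save dump.
# Real usage: iptables-save | audit_rules

# Constructed sample ruleset (not taken from any real system).
SAMPLE_RULES="$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF
)"

# Reads iptables-save output on stdin and prints one line per finding.
audit_rules() {
  awk '
    # Policy lines look like ":CHAIN POLICY [packets:bytes]".
    # An ACCEPT default on the inbound or forwarding chain means anything
    # not explicitly matched gets through.
    /^:(INPUT|FORWARD) ACCEPT/ {
      sub(/^:/, "", $1)
      print "POLICY  " $1 " default policy is ACCEPT; prefer DROP with explicit allows"
      next
    }
    # INPUT rules that ACCEPT with no -s restriction (or an explicit any-source)
    /^-A INPUT / && / -j ACCEPT( |$)/ {
      if ($0 ~ /-s 0\.0\.0\.0\/0/ || $0 !~ / -s /) {
        # Loopback and established/related-state rules are normal without -s.
        if ($0 ~ /-i lo /) next
        if ($0 ~ /--(state|ctstate) [A-Z,]*(ESTABLISHED|RELATED)/) next
        print "OPEN    " $0
      }
    }
  '
}

# Stand-alone run: audit the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

On the sample this reports the ACCEPT default on INPUT and the MySQL rule that is open to any source, while the SSH rule (restricted to 192.168.1.0/24), the loopback rule and the stateful rule pass. The checks are deliberately narrow; extending them to the FORWARD chain or to NAT table rules follows the same pattern.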

