Firewall Wizards mailing list archives

Re: Iptables script


From: "Paul D. Robertson" <proberts () patriot net>
Date: Wed, 30 Oct 2002 08:19:39 -0500 (EST)

On Wed, 30 Oct 2002, Luca Berra wrote:

> I just hate it: everybody and his dog has written an iptables firewall
> script. A search for iptables on freshmeat returns 98 hits.

I see this as a positive thing.  Lots of people are trying to secure their 
boxes and providing the tools they find make the task easier.

> There are some interesting things like ferm or filtergen that try to
> write a frontend with a less verbose interface (things you are probably
> not interested much in).
> I'd have two suggestions:
> 1) write your own; you will probably need to read some of them to get
> examples, but please, please when you are over do not put it on
> freshmeat, please.

Writing your own rules is different than writing your own script.  Having 
lots of choices is a good thing, even if it's a bit of work to go through 
them, as it ups the chances you'll find a still-maintained and supported 
option.  

Picking which tools to validate is, of course, harder, but that's part of 
the game...

> 2) try shorewall (www.shorewall.net), which is a neat and well documented front-end
> to iptables. You'll have to write your policy with it, but I would
> never trust my policy to a pre-made script.

I've had a few people recommend Firewall Builder[1] as a good "policies 
like a commercial firewall" type front-end too.

It's important to understand the rules generated, and to audit them for 
completeness.

Paul
[1] Never used it, but it lives at: http://www.fwbuilder.org/
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
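An added example (not from this thread or any of the tools it names) of the kind of audit Paul recommends: it parses a constructed `iptables-save` dump, as a front-end might generate it, and flags a non-DROP default policy on INPUT/FORWARD and any ACCEPT rule that admits traffic without a state or port match. The sample dump, the chain set checked and the audit heuristics are this example's own assumptions.

```python
import re

# Constructed iptables-save output (not from any real host or generator).
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""

def parse_filter_table(dump):
    """Return (policies, rules) for the *filter table of an iptables-save dump.

    policies maps chain name -> default policy; rules is a list of
    (chain, rule text) in the order they were appended."""
    policies, rules = {}, []
    in_filter = False
    for line in dump.splitlines():
        if line.startswith("*"):            # table header, e.g. *filter / *nat
            in_filter = (line == "*filter")
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # ":INPUT ACCEPT [0:0]"
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append((line.split()[1], line))
    return policies, rules

def audit(dump):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    policies, rules = parse_filter_table(dump)
    # Assumption: INPUT and FORWARD should fall through to DROP, not ACCEPT.
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: default policy is {policies.get(chain)}, not DROP")
    # Assumption: an ACCEPT rule off loopback should name a state or a port.
    for chain, rule in rules:
        if "-j ACCEPT" not in rule or "-i lo" in rule:
            continue
        if not re.search(r"--(ct)?state", rule) and not re.search(r"--dport\s+\d+", rule):
            findings.append(f"{chain}: ACCEPT without state or port match: {rule}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```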
