Linux Netfilter discussions
* firewall iptables based ?
@ 2005-09-08  2:39 LinuXKiD
From: LinuXKiD @ 2005-09-08  2:39 UTC (permalink / raw)
  To: netfilter

hi .. !

Which open source iptables-based firewall
do you recommend?

I've checked smoothwall and shoreline, but on
freshmeat.net I've seen many more!

bests

andres



* Re: firewall iptables based ?
From: /dev/rob0 @ 2005-09-08  2:59 UTC (permalink / raw)
  To: netfilter

On Wednesday 2005-September-07 21:39, LinuXKiD wrote:
> Which open source iptables-based firewall
> do you recommend?
>
> I've checked smoothwall and shoreline, but on
> freshmeat.net I've seen many more!

I have not seen one I really liked. I know Monmotha's is good; I used 
that before I learned iptables(8) myself. But it and most others seem 
far too complex for my liking.

Read and understand the Packet Filtering HOWTO (and NAT HOWTO if you 
need NAT) and start with those examples. It's very simple and secure. 
The real benefit is that you will understand WHY it's secure.

I used to have a fancy script which did a lot with little configuration 
by the user, but it proved to be too much to maintain. Lately I am just 
editing iptables-save(8) rules files for iptables-restore(8).
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
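
The approach the reply describes, maintaining a plain iptables-save(8) rules file and loading it with iptables-restore(8), shown as an added example that is not part of the original post. The ruleset (interface-agnostic, SSH on port 22, default DROP on INPUT and FORWARD) is constructed here in the style of the Packet Filtering HOWTO examples, and the check function only verifies the file's structure; it does not talk to the kernel.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal iptables-save(8) style rules
# file plus a structural check for the default-deny shape the Packet
# Filtering HOWTO examples use. Port 22 and the file path are constructed.

RULES_FILE="${TMPDIR:-/tmp}/rules.v4.example"

# Write a constructed ruleset in the format iptables-restore(8) reads.
write_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Return 0 if the file keeps the properties that make the HOWTO-style
# ruleset safe by default; return 1 and name the first missing one otherwise.
check_ruleset() {
    f="$1"
    grep -q '^:INPUT DROP'   "$f" || { echo "INPUT policy is not DROP" >&2;   return 1; }
    grep -q '^:FORWARD DROP' "$f" || { echo "FORWARD policy is not DROP" >&2; return 1; }
    grep -q 'ESTABLISHED,RELATED -j ACCEPT' "$f" || { echo "no stateful accept rule" >&2; return 1; }
    grep -q '^-A INPUT -i lo -j ACCEPT' "$f" || { echo "loopback is not accepted" >&2; return 1; }
    grep -q '^COMMIT$' "$f" || { echo "missing COMMIT line" >&2; return 1; }
    return 0
}

# Loading the file needs root and a kernel with netfilter; not run here.
load_ruleset() {
    iptables-restore < "$1"
}

write_ruleset "$RULES_FILE"
check_ruleset "$RULES_FILE" && echo "ruleset $RULES_FILE passes structural checks"
```

Run check_ruleset against the file after every hand edit, before handing it to iptables-restore, so a stray policy change or a lost COMMIT is caught before it reaches the kernel.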



* Re: firewall iptables based ?
From: John A. Sullivan III @ 2005-09-08 11:56 UTC (permalink / raw)
  To: LinuXKiD; +Cc: netfilter

On Wed, 2005-09-07 at 23:39 -0300, LinuXKiD wrote:
> hi .. !
> 
> Which open source iptables-based firewall
> do you recommend?
> 
> I've checked smoothwall and shoreline, but on
> freshmeat.net I've seen many more!
> 
> bests
> 
> andres
> 
I'm not sure if you are looking for tools to configure your own hardware
device or whether you are looking for appliances.

On the appliance side, we have recently been doing quite a bit with the
CyberGuard Snapgear series.  They are inexpensive and reasonably full
featured.  We found some limitations when we tried doing some more
exotic functions.  For example, although they are Linux based, the units
below the SG580 do not use a bash shell but rather the much more limited
sash shell.  That created some major scripting problems for us.

We also found some of the functionality pretty seriously hacked.  There
is no iptables-restore yet. There is iptables-batch but it only works
with the SG built-in rules.  They do have FreeS/WAN but it is a very
early, heavily modified version which lacks some important
functionality.  However, to do what one normally does, they are
perfectly adequate and are, from what I understand, significant
contributors to the open source community.

We were surprised to see that 3Com's low end devices are Linux based.
We plan to get our hands on some and see how they measure up.  I don't
know if anyone else on the list has experience with them.

I believe the WatchGuard line from the 500 series and above is Linux
based but I think they use a proprietary firewall and not iptables.

Astaro has been a great supporter of the community and does have their
software running on a Toshiba box, I believe.  I heard generally good
things but have not used them.

If you are looking for software to help build your own hardware
firewall, I have traditionally used fwbuilder
(http://www.fwbuilder.org).  Some prefer a less automated tool with more
granular control.  I apologize to the gentleman who produced it but I've
forgotten its name again.  There was a post a few months ago about a
very well received new tool that really did simply present a GUI to
create rules.

On the other extreme is the still uncompleted ISCS
(http://iscs.sourceforge.net).  It has developed enough to create the
iptables rule sets but has yet to integrate routing, VPN and PKI and is
missing some editing functionality. It is designed for
enterprise/carrier class deployments of hundreds to tens of thousands of
users and tens to thousands of gateways.  It is not a rule configurator.
Rather, one describes the security environment and ISCS creates
consistent rule sets for access control, NAT, VPN, and routing and
automatically deploys them to the enforcement devices.  It is designed
for multiple, concurrent administrators to administer a global network
of security devices including networks with multiple commercial clients
(e.g., MSPs, ISPs).

Hope that helps - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com


