Matt Shields wrote:
On Dec 31, 2007 7:58 AM, Robert Moskowitz rgm@htt-consult.com wrote:
Matt Shields wrote:
On Dec 31, 2007 12:13 AM, Robert Moskowitz rgm@htt-consult.com wrote:
Well FWbuilder is NOT easy. The documentation does not match the current GUI. Now the box is locked up. I will have to pull it again, hook it up to a kybd/VGA and reset iptables....
Maybe Shoreline with webmin....
Problem is I want a REAL router/firewall with little work. Both public and private nets have routable addresses. No NATing for me! I just help write the RFC ;) And all the templates for fwbuilder want you to be using NATing.
Perhaps I should just set up another Astaro firewall. I have been using Astaro since v3, so I am comfortable with it....
If you've ever used a Checkpoint firewall, FWBuilder is exactly like that interface. It even comes with a module that will let you modify Checkpoint firewalls.
I noticed the latter, also a PIX module. No, I have not personally needed that costly of a firewall.
Full disclosure time. My day job is with ICSAlabs. My area is security protocols research (like setting up the initial IPsec certification criteria), but when I visit the labs there are all those firewall products up and running.... So, yeah, I know Checkpoint. I talk with the gang over in the labs about 'simple' firewalls, but there are only certain things the boss funds here. So then I have to go cheap.
If you're running a single firewall, then maybe FWBuilder isn't for you, although it will do what you want. The real benefit of FWBuilder is when you have more than one firewall in your network and you want to use common objects to simplify maintaining rules.
For example, the company I work for has 4 datacenters, plus a number of leased servers (like Rackspace). At each of the datacenters we have at least 1 pair of redundant firewalls. On all our firewalls we have common rules to allow traffic from every other datacenter/server that we own. So we define an object for each datacenter; the object is a subnet. Then we define a group called datacenters which includes all the previous subnet objects. Then when building a new firewall we just include the same rule that says from datacenters allow all.
If we add a new datacenter or leased server, we add a new subnet object and include it in the datacenter group. We then just recompile and redeploy each of the firewalls without having to add anything to the firewalls, because they already have the datacenter rule.
When you maintain a large network you really see the benefit of FWBuilder. If you're running Windows there is a $50 license fee, but for those people who are network admins but do not like Linux on the desktop it's well worth the price for the Windows license.
I saw that about fwbuilder. Going to have to ask the crew back in the labs about it.
But, yes. I 'run' a research facility out of my house. I have to pay the electric bill, never convinced the boss to allow me to expense it; they have bought some of my equip and pay for part of the ISP cost. So as a lab, I have need for flexibility, not replicability. Also I might be at a conference and need to get something up and running on one of the notebooks I travel with....
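The object/group workflow Matt describes above (subnet objects, a datacenters group, one shared "from datacenters allow all" rule, then recompile every firewall), as an added example written in Python; this is not FWBuilder's own file format or code, and the object names, subnets and firewall names are constructed placeholders.

```python
import ipaddress

# Constructed sample objects (placeholders): each "datacenter" is a subnet object
OBJECTS = {
    "dc-east": "203.0.113.0/24",
    "dc-west": "198.51.100.0/24",
    "leased-rackspace": "192.0.2.16/28",
}
# A group lists objects or other groups; every firewall's rule references the group
GROUPS = {"datacenters": ["dc-east", "dc-west", "leased-rackspace"]}


def resolve(name, objects, groups, path=()):
    """Flatten an object or (nested) group into a sorted, de-duplicated list of networks."""
    if name in path:
        raise ValueError(f"group cycle: {' -> '.join(path + (name,))}")
    if name in objects:
        # strict=True rejects a host address written with a network prefix
        return [ipaddress.ip_network(objects[name], strict=True)]
    if name in groups:
        nets = set()
        for member in groups[name]:
            nets.update(resolve(member, objects, groups, path + (name,)))
        return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    raise KeyError(f"unknown object or group: {name!r}")


def compile_rule(chain, source_group, objects, groups, action="ACCEPT"):
    """Expand one 'from <group> allow all' rule into one iptables line per member subnet."""
    return [f"iptables -A {chain} -s {net.with_prefixlen} -j {action}"
            for net in resolve(source_group, objects, groups)]


def compile_firewalls(firewalls, objects, groups):
    """Every firewall carries the same group rule, so a group change is a recompile,
    not a per-firewall edit. Returns {firewall_name: [iptables lines]}."""
    return {fw: compile_rule("FORWARD", "datacenters", objects, groups) for fw in firewalls}


if __name__ == "__main__":
    before = compile_firewalls(["fw-east", "fw-west"], OBJECTS, GROUPS)
    # Adding a site: one new object, one group membership, then recompile everything
    objects = dict(OBJECTS, **{"dc-north": "192.0.2.0/28"})
    groups = {"datacenters": GROUPS["datacenters"] + ["dc-north"]}
    after = compile_firewalls(["fw-east", "fw-west"], objects, groups)
    for fw in after:
        print(fw, len(before[fw]), "->", len(after[fw]), "rules")
        print("\n".join(after[fw]))
```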