Hi all,
¿What iptables do you use to manage iptables? ¿Or maybe not?
Simple curiosity, as I'm coming from openSUSE and in that distro there is a YaST module front-end (YaST firewall).
TIA.
On 29/11/06, Jordi Espasa Clofent jordi.listas@multivia.com wrote:
Hi all,
¿What iptables do you use to manage iptables? ¿Or maybe not?
Simple curiosity, as I'm coming from openSUSE and in that distro there is a YaST module front-end (YaST firewall).
Our perimeter firewalls are appliances, but I run a tailored copy of the bastion firewall script from the Linux Server Security book on every internal host too, to provide an additional layer.
http://examples.oreilly.com/linuxss2/
Basically, use their example as a template and tailor the incoming and outgoing traffic allowed for each type of host to *only* let them do what they need.
Will.
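The per-host approach Will describes (default deny, then open only what that host type needs, outbound as well as inbound) in a small shell script, as an added example. This is not the O'Reilly bastion script nor any list member's code, and its addresses are constructed: the host is taken to be an internal web server, management SSH is assumed to come only from 10.0.0.0/24, and the internal resolver is assumed to be 10.0.0.53. Setting IPTABLES=echo prints the rules instead of applying them, which lets the policy be reviewed or checked before it is loaded.

```shell
#!/bin/sh
# Added example: minimal per-host iptables policy in the spirit of the
# bastion-script approach. Not the O'Reilly script or any list member's code.
# Constructed assumptions: internal web server, management SSH only from
# MGMT_NET, name resolution only against DNS_SERVER.
# Set IPTABLES=echo for a dry run that prints the rules instead of loading them.

IPTABLES="${IPTABLES:-iptables}"
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"
DNS_SERVER="${DNS_SERVER:-10.0.0.53}"

# Rules every host type gets: flush, default DROP in all three directions,
# loopback, stateful return traffic, SSH from management only, DNS to the
# internal resolver only.
base_policy() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP      # an end host never forwards
    $IPTABLES -P OUTPUT DROP       # outbound is restricted too, not just inbound
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH only from the management network, never from "anywhere"
    $IPTABLES -A INPUT -p tcp -s "$MGMT_NET" --dport 22 -m state --state NEW -j ACCEPT
    # Name resolution only against the internal resolver
    $IPTABLES -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -d "$DNS_SERVER" --dport 53 -m state --state NEW -j ACCEPT
}

# Per-host-type additions: a web server accepts 80/443 and initiates nothing
# beyond what base_policy allows. Dropped packets are logged (rate-limited)
# so that an over-tight rule shows up in the logs instead of as a silent outage.
web_server_policy() {
    base_policy
    $IPTABLES -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "
    $IPTABLES -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-out: "
}

# Review check on a dry-run rule set read from stdin: succeed (exit 0) only if
# no ACCEPT rule for the SSH port lacks a source restriction.
check_no_open_ssh() {
    ! grep -E -- '--dport 22 ' | grep -v -- '-s ' | grep -q ACCEPT
}

# Typical use: review first, then apply.
#   IPTABLES=echo web_server_policy | check_no_open_ssh && web_server_policy
```

The dry-run check is the part worth copying into any hand-tailored script: generating the rules through a variable makes the same function usable both for review (IPTABLES=echo) and for loading, so the policy that gets audited is exactly the one that gets applied.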
On 11/29/06, Jordi Espasa Clofent jordi.listas@multivia.com wrote:
Hi all,
¿What iptables do you use to manage iptables? ¿Or maybe not?
Simple curiosity, as I'm coming from openSUSE and in that distro there is a YaST module front-end (YaST firewall).
A tiny package called quicktables allows me to set up a simple policy for a gateway, quickly and understandably. I will tailor it by hand later. I'm not much into dynamically changing policies, so quicktables does a very good job for me. Perhaps your scenario is different.
Quoting Jordi Espasa Clofent jordi.listas@multivia.com:
Hi all,
¿What iptables do you use to manage iptables? ¿Or maybe not?
Simple curiosity, as I'm coming from openSUSE and in that distro there is a YaST module front-end (YaST firewall).
There's this system-config-security-level GUI application that is part of the distribution. However, it provides only very, very, very basic functionality. You can only specify ports to open (and then all traffic on those ports is allowed, both incoming and forwarded), and select trusted interfaces (all traffic coming from them is allowed). It doesn't even support NAT (AFAIK). For a very simple firewall it may suffice.
There are much better 3rd party GUI interfaces, ranging from simple (for managing a single firewall), to medium (managing multiple firewalls, but each separately), to complex (for managing multiple firewalls (and everything else security related) by using high level abstractions). Some I can think of, in no particular order, would be:
- fwbuilder: http://www.fwbuilder.org/
- firestarter: http://www.fs-security.com/
- integrated secure communications system: http://iscs.sourceforge.net/
And of course, if you are not afraid of the command line, you can always use firewall editors such as ed, vi, emacs or any other fine tool available out there (there are too many to choose from).
I'm sure folks on the list will have many many more suggestions.
Greetings, Aleksandar.
On 29 November 2006, 20:09:25, you wrote:
And of course, if you are not afraid of the command line, you can always use firewall editors such as ed, vi, emacs or any other fine tool available out there (there are too many to choose from).
I'm sure folks on the list will have many many more suggestions.
I used to use Midnight Commander's internal editor to edit my firewall scripts. ;-)
The best possible flexibility can only be achieved when creating your firewall rules "by-hand".
Aleksandar Milivojevic wrote:
There's this system-config-security-level GUI application that is part of the distribution. However, it provides only very, very, very basic functionality. You can only specify ports to open (and then all traffic on those ports is allowed, both incoming and forwarded), and select trusted interfaces (all traffic coming from them is allowed). It doesn't even support NAT (AFAIK). For a very simple firewall it may suffice.
There are much better 3rd party GUI interfaces, ranging from simple (for managing a single firewall), to medium (managing multiple firewalls, but each separately), to complex (for managing multiple firewalls (and everything else security related) by using high level abstractions). Some I can think of, in no particular order, would be:
- fwbuilder: http://www.fwbuilder.org/
- firestarter: http://www.fs-security.com/
- integrated secure communications system: http://iscs.sourceforge.net/
Yes. I already know the first and the second. The third is new for me; I'll look into it.
And of course, if you are not afraid of the command line, you can always use firewall editors such as ed, vi, emacs or any other fine tool available out there (there are too many to choose from).
I totally agree with you. Before using the friendly front-ends I learned about it the classic way: man pages + shell editor (vi especially).
I'm sure folks on the list will have many many more suggestions.
Of course! All will be welcomed!
On Wednesday 29 November 2006 09:09, Aleksandar Milivojevic wrote:
I'm sure folks on the list will have many many more suggestions.
I guess this is where the obligatory BSD post comes in.
I personally think an enterprise distribution such as CentOS is a bit heavy for a firewall device (if indeed that's its main purpose), and now use OpenBSD. I wouldn't necessarily recommend it as a server OS (and neither do some of the developers), but as a network device it really shines.
The pf firewall is easy and intuitive, and with utilities like pftop (to show stateful sessions in realtime), load balancing capabilities, and pfsync to handle seamless firewall failover, it really lives up to the hype. sasync for stateful/seamless failover of ipsec VPN connections is a nice touch too.
It may not be the right fit for everyone (especially those that have very strict policies as to what hardware/software is usable), but the small footprint and the fact that everything I've mentioned so far is part of the OpenBSD OS proper and not a third party package lends a bit of integration often missing in the linux world.
OK, that's enough OpenBSD talk. I really am a CentOS fan at heart, I promise.
Jordi Espasa Clofent wrote:
¿What iptables do you use to manage iptables? ¿Or maybe not?
I've heard of this simple utility from Dag's repo:
http://dag.wieers.com/home-made/dwall/
Max
Jordi Espasa Clofent had to make this known on 29.11.2006 16:41:
Hi all,
¿What iptables do you use to manage iptables? ¿Or maybe not?
Simple curiosity, as I'm coming from openSUSE and in that distro there is a YaST module front-end (YaST firewall).
TIA.
I use shorewall (http://www.shorewall.net). There is an RPM for it; I think it was in Dag's repo.
Greets René