[CentOS] Firewall frustration

Matt Shields mattboston at gmail.com
Mon Dec 31 18:38:39 UTC 2007


On Dec 31, 2007 7:58 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>
> Matt Shields wrote:
> > On Dec 31, 2007 12:13 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
> >
> >> Well FWbuilder is NOT easy.  The documentation does not match the
> >> current GUI.  Now the box is locked up.  I will have to pull it again,
> >> hook it up to a kybd/VGA and reset iptables....
> >>
> >> Maybe Shoreline with webmin....
> >>
> >> Problem is I want a REAL router/firewall with little work.  Both public
> >> and private nets have routable addresses.  No NATing for me!  I just
> >> helped write the RFC ;)  And all the templates for fwbuilder want you to
> >> be using NATing.
> >>
> >> Perhaps I should just set up another Astaro firewall.  I have been using
> >> Astaro since v3, so I am comfortable with it....
> >>
> >>
> >
> > If you've ever used a Checkpoint firewall, FWBuilder is exactly like
> > that interface.  It even comes with a module that will let you modify
> > Checkpoint firewalls.
> I noticed the latter, also a PIX module. No, I have not personally needed
> that costly of a firewall.
>
> Full disclosure time. My day job is with ICSAlabs. My area is security
> protocols research (like setting up the initial IPsec certification
> criteria), but when I visit the labs there are all those firewall
> products up and running.... So, yeah, I know checkpoint. I talk with the
> gang over in the labs about 'simple' firewalls, but there are only
> certain things the boss funds here. So then I have to go cheap.
>

If you're running a single firewall, then maybe FWBuilder isn't for
you, although it will do what you want.  The real benefit of FWBuilder
is when you have more than one firewall in your network and you want
to use common objects to simplify maintaining rules.

For example, the company I work for has 4 datacenters, plus a number
of leased servers (like Rackspace).  At each of the datacenters we
have at least 1 pair of redundant firewalls.  On all our firewalls we
have common rules to allow traffic from every other datacenter/server
that we own.  So we define an object for each datacenter, the object
is a subnet.  Then we define a group called datacenters which includes
all the previous subnet objects.  Then when building a new firewall
we just include the same rule that says from datacenters allow all.

If we add a new datacenter or leased server, we add a new subnet
object and include it in the datacenter group.  We then just recompile
and redeploy each of the firewalls without having to add anything to
the firewalls, because they already have the datacenter rule.

When you maintain a large network you really see the benefit of
FWBuilder.  If you're running Windows there is a $50 license fee, but
for those people who are network admins but do not like Linux on the
desktop it's well worth the price for the Windows license.

-- 
-matt
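The object/group workflow Matt describes above, shown as an added example rather than anything from the original thread or from fwbuilder itself: the "datacenters" group is a plain list of subnet objects, and the compile step expands the single "from datacenters allow all" rule into one iptables entry per member. Adding a site means appending one subnet and recompiling; every firewall gets the new entry without its rule set being edited by hand. The chain name, function names and the subnets (RFC 5737 documentation prefixes) are all assumptions made for this example. A syntax check on each object is included because a typo in a shared object is replicated to every firewall on the next recompile.

```shell
#!/bin/sh
# Added example (not fwbuilder code or output): emulate the
# "group object -> concrete rules" expansion with plain iptables.
# All names and addresses below are constructed for illustration.

# Constructed "datacenters" group: one subnet object per site.
DATACENTERS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/28"

# Accept only a dotted-quad IPv4 prefix with an explicit /0-/32 mask,
# so a mistyped object cannot be compiled into every firewall.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*|/*|*/) return 1 ;;
    esac
    ip=${1%/*}; mask=${1#*/}
    [ "$ip" != "$1" ] || return 1                      # mask is mandatory
    [ "$mask" -ge 0 ] 2>/dev/null && [ "$mask" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $ip                                         # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Expand the group into one ACCEPT per member inside its own chain.
# Prints the iptables commands; prints nothing and returns 1 if any
# object in the group fails validation.
compile_datacenter_rules() {
    chain=$1; shift
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad subnet object: $net" >&2; return 1; }
    done
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$chain" "$chain"
    for net in "$@"; do
        printf 'iptables -A %s -s %s -j ACCEPT\n' "$chain" "$net"
    done
    printf 'iptables -A %s -j RETURN\n' "$chain"
}

# Number of ACCEPT entries a compile produces for a given group list;
# lets you confirm a recompile picked up a newly added site.
count_accepts() {
    compile_datacenter_rules "$1" $2 | grep -c -- '-j ACCEPT'
}

# Usage: compile for one firewall, then again after a fourth site joins.
compile_datacenter_rules DC_IN $DATACENTERS
compile_datacenter_rules DC_IN $DATACENTERS 10.10.0.0/16
```

Run the output through the shell on each firewall (or pipe it into iptables-restore in your own format) after hooking the chain from INPUT/FORWARD. Note that "from datacenters allow all" trusts everything inside each peer subnet, including any host that gets compromised there; the group model makes tightening that to specific ports just as cheap, since the narrower rule is written once and recompiled everywhere.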


