Matt Shields wrote:
> On Dec 31, 2007 7:58 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>
>> Matt Shields wrote:
>>
>>> On Dec 31, 2007 12:13 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>>
>>>> Well FWbuilder is NOT easy. The documentation does not match the
>>>> current GUI. Now the box is locked up. I will have to pull it again,
>>>> hook it up to a kybd/VGA and reset iptables....
>>>>
>>>> Maybe Shoreline with webmin....
>>>>
>>>> Problem is I want a REAL router/firewall with little work. Both public
>>>> and private nets have routable addresses. No NATing for me! I just
>>>> helped write the RFC ;) And all the templates for fwbuilder want you to
>>>> be using NATing.
>>>>
>>>> Perhaps I should just set up another Astaro firewall. I have been using
>>>> Astaro since v3, so I am comfortable with it....
>>>>
>>> If you've ever used a Checkpoint firewall, FWBuilder is exactly like
>>> that interface. It even comes with a module that will let you modify
>>> Checkpoint firewalls.
>>>
>> I noticed the latter, also a PIX module. No, I have not personally needed
>> that costly of a firewall.
>>
>> Full disclosure time. My day job is with ICSAlabs. My area is security
>> protocols research (like setting up the initial IPsec certification
>> criteria), but when I visit the labs there are all those firewall
>> products up and running.... So, yeah, I know Checkpoint. I talk with the
>> gang over in the labs about 'simple' firewalls, but there are only
>> certain things the boss funds here. So then I have to go cheap.
>>
> If you're running a single firewall, then maybe FWBuilder isn't for
> you, although it will do what you want. The real benefit of FWBuilder
> is when you have more than one firewall in your network and you want
> to use common objects to simplify maintaining rules.
>
> For example, the company I work for has 4 datacenters, plus a number
> of leased servers (like Rackspace). At each of the datacenters we
> have at least 1 pair of redundant firewalls. On all our firewalls we
> have common rules to allow traffic from every other datacenter/server
> that we own. So we define an object for each datacenter; the object
> is a subnet. Then we define a group called datacenters which includes
> all the previous subnet objects. Then when building a new firewall
> we just include the same rule that says from datacenters allow all.
>
> If we add a new datacenter or leased server, we add a new subnet
> object and include it in the datacenter group. We then just recompile
> and redeploy each of the firewalls without having to add anything to
> the firewalls, because they already have the datacenter rule.
>
> When you maintain a large network you really see the benefit of
> FWBuilder. If you're running Windows there is a $50 license fee, but
> for those people who are network admins but do not like Linux on the
> desktop it's well worth the price for the Windows license.

I saw that about fwbuilder. Going to have to ask the crew back in the
labs about it. But, yes. I 'run' a research facility out of my house.
I have to pay the electric bill; never convinced the boss to allow me
to expense it; they have bought some of my equipment and pay for part
of the ISP cost. So as a lab, I have need for flexibility, not
replicability. Also I might be at a conference and need to get
something up and running on one of the notebooks I travel with....
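The object-and-group approach Matt describes above (one subnet object per datacenter, a "datacenters" group that collects them, and a single "from datacenters allow all" rule shared by every firewall) is easy to model in a few lines. The following is an added illustration written for this thread, not fwbuilder's own code or output: it keeps the object model separate from the compiled iptables commands, so adding a site means adding one object to the group and recompiling, while the rule itself never changes. The addresses are constructed RFC 5737 documentation ranges, the `INPUT` chain and the trailing default-deny rule are assumptions of this example, and the nested "leased" group stands in for the leased servers mentioned in the thread.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Union


@dataclass(frozen=True)
class Subnet:
    """A named network object (the fwbuilder-style 'subnet object')."""
    name: str
    cidr: str

    def __post_init__(self) -> None:
        # Fail at definition time, not deploy time: reject malformed prefixes
        # and prefixes with host bits set (e.g. 192.0.2.1/24).
        ipaddress.ip_network(self.cidr, strict=True)


@dataclass
class Group:
    """A named collection of subnets and/or other groups."""
    name: str
    members: List[Union[Subnet, "Group"]] = field(default_factory=list)

    def add(self, member: Union[Subnet, "Group"]) -> "Group":
        self.members.append(member)
        return self

    def flatten(self) -> List[Subnet]:
        """Resolve nested groups into an ordered, de-duplicated subnet list."""
        seen, out = set(), []
        for m in self.members:
            for s in (m.flatten() if isinstance(m, Group) else [m]):
                if s.cidr not in seen:
                    seen.add(s.cidr)
                    out.append(s)
        return out


@dataclass(frozen=True)
class Rule:
    src: Optional[Union[Subnet, Group]]   # None means 'any source'
    action: str                           # ACCEPT or DROP
    comment: str = ""


def compile_rules(rules: List[Rule], chain: str = "INPUT") -> List[str]:
    """Expand object references into concrete iptables commands (assumed chain)."""
    out = []
    for r in rules:
        if r.src is None:
            out.append(f"iptables -A {chain} -j {r.action}")
            continue
        srcs = r.src.flatten() if isinstance(r.src, Group) else [r.src]
        for s in srcs:
            # The comment keeps the object names visible in 'iptables -L',
            # which is what makes the compiled policy auditable later.
            tag = f"{r.comment or r.src.name}:{s.name}"
            out.append(f'iptables -A {chain} -s {s.cidr} '
                       f'-m comment --comment "{tag}" -j {r.action}')
    return out


def policy(datacenters: Group) -> List[Rule]:
    """The shared per-firewall rule set: 'from datacenters allow all'.
    The closing default-deny is an assumption of this example."""
    return [Rule(src=datacenters, action="ACCEPT", comment="datacenters"),
            Rule(src=None, action="DROP", comment="default deny")]


def build_datacenters() -> Group:
    """Constructed sample objects: four datacenters plus a nested 'leased' group."""
    leased = Group("leased").add(Subnet("rackspace", "198.51.100.0/24"))
    return (Group("datacenters")
            .add(Subnet("dc-east", "192.0.2.0/26"))
            .add(Subnet("dc-west", "192.0.2.64/26"))
            .add(Subnet("dc-north", "192.0.2.128/26"))
            .add(Subnet("dc-south", "192.0.2.192/26"))
            .add(leased))


if __name__ == "__main__":
    dcs = build_datacenters()
    print("\n".join(compile_rules(policy(dcs))))
    # A new site: one object added to the group, then recompile. No rule edits.
    dcs.add(Subnet("dc-new", "203.0.113.0/24"))
    print("--- after adding dc-new ---")
    print("\n".join(compile_rules(policy(dcs))))
```

Two details are worth keeping when doing this for real: validate prefixes strictly when the object is defined (a typo in a /24 is much cheaper to catch here than after a redeploy locks you out, as happened in the thread), and de-duplicate when flattening so that a subnet placed in two groups does not produce redundant rules on every firewall.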