Depends
The harshest criticism in my environment is reserved for people who pretend to be techies, but use tools that hide complex environments from them with pretty interfaces.

If you review this, [link|http://z.iwethey.org/forums/render/content/show?contentid=227484|http://z.iwethey.org...?contentid=227484], you will see one of the guiding principles for our organization is:

would like to have a bunch of smart cross-trained geeks running the place, rather than vendor-focused silos of knowledge


A recent example was a dump of a GUI-generated iptables rule-set. The junior admin was showing it, and was unable to explain what it was doing. Now this admin is smart, but inexperienced HERE. He has a comp-sci degree, and has set up and adminned many Linux and Unix systems. He is also a deep-diver, usually reading up in great detail when researching something. In other places he may qualify for senior admin, just not here, where we have someone else we call senior, who has far more experience than this guy.

Anyway, he was wrong when he explained it. When I read the ruleset, I made the exact same mistake, but figured it out a few lines later, since I don't pretend to know the syntax of IPTables.

If I am responsible for this particular bit of security (firewalling the DMZ), then I'm going to follow my requirements list. Works first, securely.

I can test "works". I can theorize "securely". But only if the low-level rules are written by me, as simply as possible, as restrictive as possible. If I use a pretty front end, I have been abstracted from the implementation. And I have NO trust for writers of pretty front ends, since the focus is not the security, it is the pretty front end.

Some day I am going to be called to explain every aspect of the security up on a white board. I'm not allowed to say: IPCOP says it should be OK.
Use FWBUILDER
It does netfilter, ipfilter, PIX and others.

It writes the config or script based on what you are using.

[link|http://www.fwbuilder.org|http://www.fwbuilder.org]
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
Interesting
But only if I can figure out what the scripts it is writing do.

Thanks.
They are VERY... Exceptionally well done.
The whole scripts thing is easy.

I like it for being straight forward and easy to understand.

The iptables/netfilter stuff it does is stellar. I have only found one bug (it has been addressed), and it is a trivial "rule fix" for making the rules. I haven't even cared to update to a revision it is fixed in; it is a 4-second edit of the script to fix it myself.

But, then again I should.

Also, it can upload all the data/script and configs to the devices running the scripts, including "update services" for the firewall.

It uses "first rule match wins" logic for the GUI, but will write the script/ruleset/config the proper way for each type of firewall supported.

I haven't seen something this easy to use to manage a firewall, ever. Even the Cisco Windows stuff comes nowhere close.

It is straightforward, and can handle anything up to the limits of the firewall device/OS/etc. It stores all the data in XML, with a well-documented XML schema.

I can set up a small example of the scripts for each and every device/filter it supports, using the same ruleset and just changing the device type. If you'd like.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
Initial glance looks like it wants a library of service types
Do I need to define them (ftp, ssh, SQL/Net, etc.) or is there something I can grab that I missed? I did an apt-get to set it up.
There are all the standard ones.
/me opens FWBUILDER

At the top there is a "user" head; click on it and select the standard section.

Things are drag and drop. Make sure you understand NAT with Linux. NAT comes before the routing or allow/deny stage, so the rules in global have to have the NAT addresses for letting stuff in.

I can send you my *.fw I use. Just to show you an existing setup that works. I am a bit less anal than you will be. I'll send it to your TCD account.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
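The NAT ordering point in the post above, and the earlier wish to be able to test what a GUI-generated ruleset actually does rather than take the front end's word for it, as an added example that is not from the thread and not fwbuilder output: a small Python walk of an iptables-save dump in the order netfilter applies it to a forwarded packet, nat/PREROUTING (DNAT) first, then filter/FORWARD, first match wins, chain policy if nothing matches. The addresses (203.0.113.10, 10.10.0.5), interfaces and rules are constructed for the illustration. Only the handful of iptables options used are parsed; anything else raises instead of being silently skipped, which is the behaviour you want from a tool whose output you will have to defend at the whiteboard.

```python
"""Walk an iptables-save ruleset the way netfilter does for a forwarded packet:
nat/PREROUTING (DNAT) first, then filter/FORWARD, first match wins, chain policy
otherwise. Added example for this thread, not fwbuilder output or real rules."""
import ipaddress
import shlex
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    dst: str
    dport: int
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED

def parse_ruleset(text):
    tables, table = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "COMMIT" or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        else:
            table["rules"].append(parse_rule(line))
    return tables

def parse_rule(line):
    """Parse one '-A CHAIN ...' line; refuse options this model does not know."""
    toks = shlex.split(line)
    if toks[0] != "-A":
        raise ValueError(f"unsupported rule form: {line}")
    rule = {"chain": toks[1], "match": {}, "target": None, "to": None, "text": line}
    for opt, val in zip(toks[2::2], toks[3::2]):
        if opt in ("-i", "-p", "-d", "--dport", "--state"):
            rule["match"][opt] = val
        elif opt == "-j":
            rule["target"] = val
        elif opt == "--to-destination":
            rule["to"] = val
        elif opt != "-m":  # "-m state" / "-m tcp" only load a match module
            raise ValueError(f"unsupported option {opt} in: {line}")
    return rule

def matches(rule, pkt):
    tests = {
        "-i": lambda v: pkt.in_if == v,
        "-p": lambda v: pkt.proto == v,
        "-d": lambda v: ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(v, strict=False),
        "--dport": lambda v: pkt.dport == int(v),
        "--state": lambda v: pkt.state in v.split(","),
    }
    return all(tests[opt](val) for opt, val in rule["match"].items())

def walk(table, chain, pkt, trace):
    for rule in table["rules"]:  # first matching rule wins
        if rule["chain"] == chain and matches(rule, pkt):
            trace.append(f"{chain}: matched {rule['text']}")
            return rule
    trace.append(f"{chain}: no match, policy {table['policy'][chain]}")
    return None

def forward(tables, pkt):
    """Return (verdict, trace) for a packet the firewall would forward."""
    trace = []
    # nat/PREROUTING runs before routing and before any filter chain, so a
    # DNAT rewrites the destination that every later rule gets to see.
    hit = walk(tables["nat"], "PREROUTING", pkt, trace) if "nat" in tables else None
    if hit and hit["target"] == "DNAT":
        host, _, port = hit["to"].partition(":")
        pkt = replace(pkt, dst=host, dport=int(port) if port else pkt.dport)
        trace.append(f"DNAT: packet is now for {pkt.dst}:{pkt.dport}")
    hit = walk(tables["filter"], "FORWARD", pkt, trace)
    return (hit["target"] if hit else tables["filter"]["policy"]["FORWARD"]), trace

# Constructed rules; addresses and interfaces are assumptions for the example.
NAT = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -d 203.0.113.10 --dport 80 -j DNAT --to-destination 10.10.0.5:8080
COMMIT
"""
# FORWARD rule written against the public address never matches: the packet
# has already been rewritten to 10.10.0.5:8080 by the time FORWARD runs.
FILTER_PUBLIC = """*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp -d 203.0.113.10 --dport 80 -j ACCEPT
COMMIT
"""
# The same rule against the post-DNAT address and port is the one that works.
FILTER_INTERNAL = FILTER_PUBLIC.replace("-d 203.0.113.10 --dport 80", "-d 10.10.0.5 --dport 8080")
WEB_REQUEST = Packet("eth0", "tcp", "203.0.113.10", 80)

def verdict_for(filter_text, pkt=WEB_REQUEST):
    return forward(parse_ruleset(NAT + filter_text), pkt)[0]
```

Calling `forward(parse_ruleset(NAT + FILTER_PUBLIC), WEB_REQUEST)` returns DROP, and the trace shows why: PREROUTING has already rewritten the packet to 10.10.0.5:8080, so a FORWARD rule naming 203.0.113.10:80 can never match and the chain policy takes over. `FILTER_INTERNAL` accepts the same packet, and a request to a port with no DNAT and no FORWARD rule still drops. The model covers only the forward path and the options shown; on a real box, `iptables-save` and the per-rule counters from `iptables -L -v -n` are the check that the rules you think are matching actually are.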
Thanks
Note: I'm not using NAT for this setup, all addresses to be specified are real.
I think!
     Home made firewall? - (broomberg) - (12)
         the hard way? - (cforde) - (7)
             Depends - (broomberg) - (6)
                 Use FWBUILDER - (folkert) - (5)
                     Interesting - (broomberg) - (4)
                         They are VERY... Exceptionally well done. - (folkert) - (3)
                             Initial glance looks like it want a library of service types - (broomberg) - (2)
                                 There are all the standard ones. - (folkert) - (1)
                                     Thanks - (broomberg)
         first, if they are in the DMZ they can talk to each other? - (boxley) - (3)
             DMZ yes, but need better isolation - (broomberg) - (2)
                 4 port Copper GIG cards are available. - (folkert) - (1)
                     But the intel only allows 2 per box - (broomberg)
