IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

New the hard way?
Have you considered [link|http://www.ipcop.org/modules.php?op=modload&name=phpWiki&file=index&pagename=IPCopMissionStatement|IP Cop] Seems like you're trying to make too much work for yourself.
Have fun,
Carl Forde
New Depends
The harshest criticism in my environment is reserved for people who pretend to be techies, but use tools that hide complex environments from them with pretty interfaces.

If you review this, [link|http://z.iwethey.org/forums/render/content/show?contentid=227484|http://z.iwethey.org...?contentid=227484], you will see one of our guiding principles for our organization is:

would like to have a bunch of smart cross-trained geeks running the place, rather then vendor focused silos of knowledge


A recent example was a dump of a GUI generate iptables rule-set. The jr admin was showing it, and was unable to explain what it was doing. Now this admin is smart, but inexeperienced HERE. He has a comp-sci degree, and has setup and adminned many Linux and Unix systems. He is also a deep-diver, usually reading up on great detail when researching something. In other places he may qualify for Sr admin, just not here, where we have someone else we call senior, who has far more experience than this guy.

Anyway, he was wrong when he explained it. When I read the ruleset, I made the exact same mistake, but figured it out a few lines later, since I don't pretend to know the syntax of IPTables.

If I am responsible for this particular bit of security - firewalling the DMZ, then I'm going to follow my requirements list. Works 1st, securely.

I can test "works". I can theorize "securely". But only if the low level rules are written by me, as simply as possible, as restrictive as possible. If I use a pretty front end, I have been abstracted from the implementation. An I have NO trust for writers of pretty front ends, since the focus is not the security, it is the pretty front end.

Some day I am going to be called to explain every aspect of the security up on a white board. I'm not allowed to say: IPCOP says it should be OK.
New Use FWBUILDER
It does netfilter, ipfilter, pix and others.

It ipwrites the config or script based on what you are using.

[link|http://www.fwbuilder.org|http://www.fwbuilder.org]
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
[image|http://www.danasoft.com/vipersig.jpg||||]
New Interesting
But only if I can figure out the what the scripts it is writing does.

Thanks.
New They are VERY... Exceptionally well done.
They whole scripts thing is easy.

I like it for being straight forward and easy to understand.

The iptables/netfilter stuff it does is stellar. I have only found one bug (it has been addressed) and it is a trival "rule fix" for making the rules. I haven't even cared to update to a revision that it is fixed in, it is a 4 second edit of the script to fix it myself.

But, then again I should.

Also, it can upload all the data/script and configs to the devices running the scripts, including "update services" for the firewall.

It uses "first rule match wins" logic for the GUI, but will write the script/ruleset/config the proper way for each type of firewall supported.

I haven't seen something this easy to use and manage a firewall, ever. Even the CISCO WINDOWS stuff comes no-where close.

It is straight forward, can handle anything to the limits of the Firewall device/OS/etc. Storing all the data in XML and a well documented XML schema.

I can setup a small example of the scripts for each and every device/filter it supports using the same ruleset just changing the device type. If you'd like.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
[image|http://www.danasoft.com/vipersig.jpg||||]
New Initial glance looks like it want a library of service types
Do I need to define them (ftp, ssh, SQL/Net, etc) or is there something I can grab that I missed. I did an apt-get to setup.
New There are all the standard ones.
/me opens FWBUILDER

At the top, there is a "user" head, click on it and select the standard section.

Things are drag and drop. Make sure your understand NAT with Linux. NAT comes before the routing or allow/deny stage. So the rules in global have to have the NAT addresses for letting stuff in.

I can send you my *.fw I use. Just to show you an existing setup that works. I am a bit less anal than you will be. I'll send it to your TCD account.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
[image|http://www.danasoft.com/vipersig.jpg||||]
New Thanks
Note: I'm not using NAT for this setup, all addresses to be specified are real.
I think!
     Home made firewall? - (broomberg) - (12)
         the hard way? - (cforde) - (7)
             Depends - (broomberg) - (6)
                 Use FWBUILDER - (folkert) - (5)
                     Interesting - (broomberg) - (4)
                         They are VERY... Exceptionally well done. - (folkert) - (3)
                             Initial glance looks like it want a library of service types - (broomberg) - (2)
                                 There are all the standard ones. - (folkert) - (1)
                                     Thanks - (broomberg)
         first, if they are in the DMZ they can talk to each other? - (boxley) - (3)
             DMZ yes, but need better isolation - (broomberg) - (2)
                 4 port Copper GIG cards are available. - (folkert) - (1)
                     But the intel only allows 2 per box - (broomberg)

And let's have a little taste of that old computer-generated... swagger... yes.
75 ms