I have been pretty happy with shorewall in general, because it makes moving
rulesets between machines very easy. It also has very common sense syntax
when narrowing rules to specific machines or specific subnets on an
interface.

Shorewall is a really awesome iptables init.d script that pulls data from
several shorewall files that you hand edit.

-Jonathan

On Sunday 21 September 2003 10:11 am, Kurt Lieber wrote:
> From a server perspective, I have never been very happy with the way Gentoo
> handles iptables. If you're not familiar with the Gentoo/iptables
> solution, it basically uses an 'iptables-save' script to save your current
> ruleset each time you /etc/init.d/iptables stop and/or reboot the box. The
> next time iptables is started, it uses that saved state.
>
> The reason I don't like this is because, often times when debugging, I'll
> add a temporary iptables rule to see if that fixes the problem at hand.
> Being human, I don't always remember to clean that rule out later. With
> the current solution, this means that rule will always be there and will
> survive reboots.
>
> Instead, I much prefer a solution where the box starts from a known set of
> rules that are hard-coded. You can still add ad-hoc iptables rules as
> needed, but when you reboot the box, you'll be back to a "known-good"
> state.
>
> So, Andrea Barisani was kind enough to help write a new set of init scripts
> and conf files that works this way. He and I have worked together to debug
> them (though he's spent more time debugging my mistakes :) and I feel
> pretty comfortable recommending them for production use. They're running
> on three of Gentoo's infrastructure boxes and will soon be running on all
> of them.
>
> Documentation:
> http://www.gentoo.org/proj/en/infrastructure/firewall/server-firewall.xml
>
> Scripts:
> http://dev.gentoo.org/~lcars/fw/
>
> Note that those scripts do not make use of ulogd. If you're a ulogd user
> like I am, some simple modifications to the init.d script will allow you to
> use that instead of syslog.
>
> Comments, questions and feedback are welcome. I'd also like to thank
> Andrea for his hard work in writing these scripts.
>
> --kurt
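An added illustration of the design Kurt describes (this is not Andrea's or Gentoo's script, nor shorewall): a minimal init-style shell script that loads a fixed, known-good ruleset with iptables-restore on start and deliberately never runs iptables-save on stop, so a rule added by hand while debugging is gone at the next reboot. The rules path /etc/firewall.rules and the allowed port list are assumptions.

```shell
#!/bin/sh
# Added example, not the scripts from the thread: an init-style firewall
# script that restores a fixed, known-good ruleset on start and never saves
# the running state on stop, so temporary debugging rules do not survive a reboot.
# Assumed path (placeholder): the generated ruleset is kept in /etc/firewall.rules.
RULES="${RULES:-/etc/firewall.rules}"

# Emit the known-good ruleset in iptables-restore format.
# $1 is a space-separated list of TCP ports to allow (constructed sample input).
build_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # default deny for inbound traffic
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in $1; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo '-A INPUT -j LOG --log-prefix "fw-drop: "'   # logged via syslog
    echo 'COMMIT'
}

# Sanity check before loading: a ruleset must declare the filter table and
# end with COMMIT, otherwise iptables-restore would leave the table untouched.
check_ruleset() {
    printf '%s\n' "$1" | head -n 1 | grep -q '^\*filter$' || return 1
    printf '%s\n' "$1" | tail -n 1 | grep -q '^COMMIT$' || return 1
    return 0
}

# "start": iptables-restore replaces the whole filter table with the file,
# so any rule added by hand since the last start is discarded.
fw_start() {
    command -v iptables-restore >/dev/null 2>&1 || return 1
    rules=$(cat "$RULES") && check_ruleset "$rules" || return 1
    printf '%s\n' "$rules" | iptables-restore
}

# "stop": deliberately no iptables-save; just open the firewall and flush.
fw_stop() {
    command -v iptables >/dev/null 2>&1 || return 1
    for chain in INPUT FORWARD OUTPUT; do iptables -P "$chain" ACCEPT; done
    iptables -F
}
```

An init.d `start` action would call `fw_start` and `stop` would call `fw_stop`; `build_ruleset "22 80"` prints the ruleset you write to the rules file once, by hand, and it is never overwritten by the running state.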