JD. Brown wrote:
Bottom line is this; How much are you willing to read and understand the SuSEfirewall2 or any other firewall?
Actually, SuSEfirewall2 is not a firewall at all; it is simply a tool to assist you in building and implementing a functioning firewall. The actual firewall is what is displayed when you run 'iptables -L'. So the bottom line is actually this: what do I need to do in order that 'iptables -L' will show me precisely what I want my firewall to do? No matter what method I choose to implement the set of rules I need, first I must come up with a coherent set of rules based on my particular needs. In this you are quite correct when you say "all firewalls need fine detail and understanding of networks." However, I fail to see what difference it makes if I use Yast, or if I use vi, to modify my SuSEfirewall2 config file. It is far more than simply "GUI or conf files" as you put it, because the GUI is simply another tool, and you cannot make any valid conf file changes with your favourite editor that you cannot also make in Yast. Neither one can help you to build a firewall except insofar as they allow you to make changes to a pre-existing configuration file. Whatever firewall you can come up with is still bound within the limitations of that config file. I repeat my statement that SuSEfirewall can meet most modest firewall requirements, but for anything more complex you need something else. Perhaps you take issue with my use of the word "modest." It may put things in perspective for you to understand that I regard general relativity as a "modest" attempt at a theory of gravity. However, it has its limitations, just as SuSEfirewall2 has its limitations. If it did not, the author of the script that implements it (/sbin/SuSEfirewall2) would not have needed to allow for custom rules. If you really wish to understand SuSEfirewall2 you really do have to read the config file in conjunction with the implementing script.
That script is incredibly complex, and necessarily so: SuSEfirewall2, like any good _tool_, tries to minimize the extra effort that will be needed by the maximum possible number of people. Emphasis here is on "min" and "max"; those do not, cannot, equate to "zero" and "all", because no tool can possibly anticipate every requirement. Let me repeat something which you seem to have missed or forgotten when you wrote the above: SuSEfirewall2 does a good job within its limitations. There is no question of "this or that firewall is better," because all that matters is whether or not you can use the _tool_ to design and implement the kind of firewall you need. Neither SuSEfirewall2 nor Shorewall is an actual firewall; they are, as I have stated, merely tools to assist the user in designing and implementing a firewall. In this regard, the only acceptable point of discussion is whether or not SuSEfirewall2 can meet all of your particular requirements; if it can, then by all means go ahead and use it. If not, then you need something else. Most people should not need something else, for otherwise the guy that wrote it would have wasted a lot of good work.
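The point above, that the real firewall is the rule set the kernel reports and not the config file that produced it, suggests a check you can run regardless of whether SuSEfirewall2, Shorewall or a hand-written script generated the rules. The script below is an added example, not code from the thread or from SuSEfirewall2; it audits a rule dump in `iptables-save` format (a constructed sample stands in for the live output) against the policies and open TCP ports you intended, and the port list and sample rules are assumptions.

```shell
#!/bin/sh
# Audit the *effective* filter rules against what the administrator intended.
# SAMPLE_RULES is a constructed stand-in for the output of `iptables-save`.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# chain_policy RULES CHAIN: print the default policy of CHAIN (empty if absent)
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^:$2 \([A-Z]*\) .*/\1/p"
}

# tcp_port_open RULES PORT: succeed if INPUT accepts TCP traffic to PORT
tcp_port_open() {
    printf '%s\n' "$1" | grep -q -- "^-A INPUT .*-p tcp .*--dport $2 -j ACCEPT\$"
}

# open_tcp_ports RULES: list every TCP port INPUT accepts, one per line
open_tcp_ports() {
    printf '%s\n' "$1" | sed -n 's/^-A INPUT .*-p tcp .*--dport \([0-9]*\) -j ACCEPT$/\1/p'
}

# audit_ruleset RULES "PORT PORT ...": report deviations from the intended
# design (default-deny INPUT/FORWARD, exactly the listed TCP ports open).
# Returns the number of problems found, so 0 means the rules match intent.
audit_ruleset() {
    rules=$1; wanted=$2; problems=0
    for chain in INPUT FORWARD; do
        if [ "$(chain_policy "$rules" "$chain")" != DROP ]; then
            echo "PROBLEM: $chain policy is not DROP"; problems=$((problems + 1))
        fi
    done
    for port in $wanted; do
        tcp_port_open "$rules" "$port" || { echo "PROBLEM: tcp/$port not open"; problems=$((problems + 1)); }
    done
    for port in $(open_tcp_ports "$rules"); do
        case " $wanted " in
            *" $port "*) ;;
            *) echo "PROBLEM: tcp/$port open but not intended"; problems=$((problems + 1)) ;;
        esac
    done
    return $problems
}

audit_ruleset "$SAMPLE_RULES" "22 80" && echo "ruleset matches intent"
```

On a live system replace the constructed sample with `iptables-save` output (run as root) and adjust the intended port list; a non-zero exit pinpoints where the generated rules diverge from the design.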