Re: [SLE] Firewall recomendation
On Thursday 24 November 2005 06:59, you wrote:
> Sunny wrote:
> > Hi there,
> > I'm hunting for a good firewall. What I need is precise control on a per-host basis, i.e. I want to be able to control which host can communicate with which over a specific protocol, like:
> > host1 can accept ssh only from host3
> > only host2 can make http requests to host4, etc.
> > All this, combined with per-zone rules :) and a good user interface - either web, or console (text) for remote administration.
> > Any pointers?
> > Thanks
>
> Try FirewallBuilder. It does what you want... http://www.fwbuilder.org/

Thanks, looks very impressive.
-- Sunny
Hi,

On Thursday 24 November 2005 05:18, Sunny wrote:
> On Thursday 24 November 2005 06:59, you wrote:
> > Sunny wrote:
> > > Hi there,
> > > I'm hunting for a good firewall. What I need is precise control on a per-host basis, i.e. I want to be able to control which host can communicate with which over a specific protocol, like:
> > > host1 can accept ssh only from host3
> > > only host2 can make http requests to host4, etc.
> > > All this, combined with per-zone rules :) and a good user interface - either web, or console (text) for remote administration.
> > > Any pointers?
> > > Thanks
> >
> > Try FirewallBuilder. It does what you want... http://www.fwbuilder.org/

To the person who sent this suggestion to Sunny and not the list (!), could you tell us a couple of things:
1) Compare and contrast this tool to Guarddog.
2) Say something about whether it would interact poorly with Guarddog (<http://www.simonzone.com/software/guarddog/>) if both were used (not concurrently, of course) to configure a local firewall?

Thanks
Randall Schulz
Randall R Schulz wrote:
> Hi,
>
> On Thursday 24 November 2005 05:18, Sunny wrote:
> > On Thursday 24 November 2005 06:59, you wrote:
> > > Sunny wrote:
> > > > Hi there,
> > > > I'm hunting for a good firewall. What I need is precise control on a per-host basis, i.e. I want to be able to control which host can communicate with which over a specific protocol, like:
> > > > host1 can accept ssh only from host3
> > > > only host2 can make http requests to host4, etc.
> > > > All this, combined with per-zone rules :) and a good user interface - either web, or console (text) for remote administration.
> > > > Any pointers?
> > > > Thanks
> > >
> > > Try FirewallBuilder. It does what you want... http://www.fwbuilder.org/
>
> To the person who sent this suggestion to Sunny and not the list (!), could you tell us a couple of things:
> 1) Compare and contrast this tool to Guarddog.
> 2) Say something about whether it would interact poorly with Guarddog (<http://www.simonzone.com/software/guarddog/>) if both were used (not concurrently, of course) to configure a local firewall?
>
> Thanks
> Randall Schulz

Hi Randall,

You are right, and I apologize for not responding to the list directly. The problem is that every email sent to this list comes with a reply-to to the email sender, and we have to specifically fill in another TO address. Sometimes I forget...

Now, about your questions... Just remember that I am no iptables nor firewall guru, so others may help you more than I can.

Now, about Guarddog. I've compiled and run the 2.4.0 and: It seems a nice tool but, I find it too much simpler and it provided me with no extra tweaking, for example:
- It doesn't allow you to redirect a certain port to a specific IP address. (I think it's called forwarding)
- You cannot have any rules, except full block or full allow for a specific port.
- You cannot manage your rules by time of day, day, etc...
And there is a lot of other stuff. Check it out...

This is my conclusion: If I wanted to just block ports to my machine, I would use GuardDog. If I wanted extra stuff, which I do, I would still use fwbuilder.

About the second question, I think that it is not a good idea for both of them to coexist.

Hope it helps...
-- Rui Santos
http://www.ruisantos.com/
On Thursday 24 November 2005 11:25, Randall R Schulz wrote:
> > Try FirewallBuilder. It does what you want... http://www.fwbuilder.org/
>
> To the person who sent this suggestion to Sunny and not the list (!), could you tell us a couple of things:
> 1) Compare and contrast this tool to Guarddog.
> 2) Say something about whether it would interact poorly with Guarddog (<http://www.simonzone.com/software/guarddog/>) if both were used (not concurrently, of course) to configure a local firewall?
>
> Thanks
> Randall Schulz

Actually, there is another offlist message with the same suggestion. And... looks like the problem with the default reply to the person, not to the list, takes its tax. It takes time to always remember to change the reply. Or :) to use KMail and "L" :)

Anyway, there is a SuSE package for fwbuilder, and I just started to play with it. So far, the GUI is just perfect for the job. I do not know what the final result will be, but what I read on their site looks very good.

Cheers
-- Sunny
Hi,

On Thursday 24 November 2005 09:25, Randall R Schulz wrote:
> Hi,
> ...
> > Try FirewallBuilder. It does what you want... http://www.fwbuilder.org/
>
> To the person who sent this suggestion to Sunny and not the list (!), could you tell us a couple of things:
> 1) Compare and contrast this tool to Guarddog.
> 2) Say something about whether it would interact poorly with Guarddog (<http://www.simonzone.com/software/guarddog/>) if both were used (not concurrently, of course) to configure a local firewall?

So I installed Firewall Builder and played around a bit. It appears to be fairly sophisticated and, in accordance with the request, allows fine-grained control on a per-host, per-address, per-interface basis. In fact, once I made my way to actually viewing / editing a firewall definition, I was immediately reminded of the Checkpoint firewall definition / configuration front-end.

My feeling based on a very brief look is that it's distinctly more powerful than Guarddog and probably commensurately harder to learn to use (and perhaps easier to get things wrong). It's also clearly oriented towards administrators of larger systems (e.g., intranets of many hosts) more than for single-system / desktop users. Given my general proclivities, I'd have to say this is my kind of program -- I'm a detail guy / control freak...

What I'd like from it (and I'm not saying it's not there, just that if it is, I haven't discovered it yet) is a way to read one of its firewall configurations from an existing iptables setup. In other words, I'd like to be able to segue from my existing iptables as generated by Guarddog to one managed by Firewall Builder without manually recreating my existing firewall setup from scratch in Firewall Builder.

Ah, here it is. From the Firewall Builder FAQ (at <http://www.fwbuilder.org/archives/cat_faq.htm>):

-==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-
<http://www.fwbuilder.org/archives/cat_faq.html#AEN363>:

3. Building firewall policy

3.1. Is there any way to import iptables (or ipfilter, pf, ipfw or PIX) rules to Firewall Builder?

No, currently there is no way to import existing firewall configuration into Firewall Builder
-==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-

That's too bad. Nonetheless, I'll probably continue to explore this program and switch to it when I have the time to study it further or a specific need to extend my existing firewall setup.

Fortunately, my Guarddog setup isn't all that complex, so it's probably not an onerous task to move that definition over to Firewall Builder.

Randall Schulz
On Thursday 24 November 2005 19:28, Randall R Schulz wrote:
> So I installed Firewall Builder and played around a bit. It appears to be fairly sophisticated and, in accordance with the request, allows fine-grained control on a per-host, per-address, per-interface basis. In fact, once I made my way to actually viewing / editing a firewall definition, I was immediately reminded of the Checkpoint firewall definition / configuration front-end.
>
> My feeling based on a very brief look is that it's distinctly more powerful than Guarddog and probably commensurately harder to learn to use (and perhaps easier to get things wrong). It's also clearly oriented towards administrators of larger systems (e.g., intranets of many hosts) more than for single-system / desktop users. Given my general proclivities, I'd have to say this is my kind of program -- I'm a detail guy / control freak...
>
> What I'd like from it (and I'm not saying it's not there, just that if it is, I haven't discovered it yet) is a way to read one of its firewall configurations from an existing iptables setup. In other words, I'd like to be able to segue from my existing iptables as generated by Guarddog to one managed by Firewall Builder without manually recreating my existing firewall setup from scratch in Firewall Builder.
>
> Randall Schulz

After using Firewall Builder for years on all kinds of firewalls, I still think it is simply the best there is (including the mega-bucks systems). I highly suggest everyone give it a fair try.

Unfortunately, during the big release (change to the QT GUI kit), FWBuilder lost its wizards. The new wizards are just not at the newbie level yet. This unfortunate happenstance has introduced a learning curve that was not there before.

The application has an artistic blend of simplicity and configurability built around a simple "You Get What You Want" design. By this I mean you do not think/define iptables rules, but think/define what the system should do / allow. The program then generates commented iptables (and other firewall technology) scripts that you can run on any machine.

There is a huge community following, with a lot of real-world (or are they out-of-this-world) firewall gurus who actually check the generated scripts against definitions more complex than useful. (IMHO)

Please note that fwbuilder is not a firewall!
=========================
It is a firewall builder.
=============

It generates scripts which are then loaded onto the firewall boxes. This separation has both advantages and disadvantages:
- As a plus, it has unbelievable flexibility. With the proper generation modules loaded, you can generate CISCO firewall scripts, and the same firewall as iptables scripts for a backup floppy firewall / Linux and/or BSD system. Such flexibility is not available anywhere else. (Not at any price!)
- As a minus, the user interaction expected from modern Windows firewalls (i.e. a pop-up "Program XXX is attempting to access the internet: allow/deny/change firewall rule") is not possible in this configuration. It has a "design -> generate -> install" flow which is built into the basic concept.

So my recommendation is FWBuilder for all firewalls (including some firewall hardware boxes) for networks of all sizes.

I have yet to see a Linux workstation firewall a la Windows with dynamic rules via pop-ups, etc. So no recommendation for single workstation firewalls.

Jerry

P.S. No, I am not in any way or form related to the FWBuilder project, just extremely impressed with the solution.
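An added example, not code from this thread and not Firewall Builder's own output, of the "design -> generate -> install" separation described in the message above, applied to the per-host policy asked for at the start of the thread (host1 accepts ssh only from host3; only host2 may make http requests to host4). It assumes a Linux firewall that routes between the hosts, so the rules live in the FORWARD chain; the addresses are constructed placeholders from the 192.0.2.0/24 documentation range, and /sbin/iptables is an assumed path. generate_rules only prints the iptables commands, and nothing is applied unless the script is run as root with the install argument.

```shell
#!/bin/sh
# Added example (not from the thread or from fwbuilder): define the policy
# once, generate the iptables script from it, and install only on request.
# Addresses are constructed placeholders from the 192.0.2.0/24 range.
HOST1=192.0.2.10   # accepts ssh only from HOST3
HOST2=192.0.2.20   # the only host allowed to make http requests to HOST4
HOST3=192.0.2.30
HOST4=192.0.2.40
IPT=/sbin/iptables  # assumed location of iptables on the firewall box

# The "design" step: one line per allowed flow, "src dst proto port".
# Anything not listed here is dropped by the default policy below.
allowed_flows() {
    cat <<EOF
$HOST3 $HOST1 tcp 22
$HOST2 $HOST4 tcp 80
EOF
}

# The "generate" step: turn the flow list into commented iptables commands
# for a firewall that forwards between the hosts. Nothing is executed here.
generate_rules() {
    echo "# generated from allowed_flows; default deny on FORWARD"
    echo "$IPT -F FORWARD"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    allowed_flows | while read -r src dst proto port; do
        echo "# $src may open $proto/$port to $dst; nobody else may"
        echo "$IPT -A FORWARD -p $proto -s $src -d $dst --dport $port -m state --state NEW -j ACCEPT"
        # log (rate-limited) other attempts at the same service before the
        # DROP policy discards them, so denied connections show up in syslog
        echo "$IPT -A FORWARD -p $proto -d $dst --dport $port -m limit --limit 5/min -j LOG --log-prefix \"fw-denied $proto/$port: \""
    done
    echo "# anything not matched above falls through to the DROP policy"
}

# Number of explicit ACCEPT lines in the generated script: one for
# established traffic plus one per allowed flow. Useful as a sanity check
# before installing.
accept_count() {
    generate_rules | grep -c -- '-j ACCEPT'
}

# The "install" step: only when asked for explicitly, and only as root.
case "${1:-show}" in
    show)    generate_rules ;;
    install) [ "$(id -u)" -eq 0 ] || { echo "install requires root" >&2; exit 1; }
             generate_rules | sh ;;
    *)       echo "usage: $0 [show|install]" >&2; exit 1 ;;
esac
```

Run it with no arguments to review the generated script; the ACCEPT rules are explicit and everything else, including ssh to host1 from host2 or http to host4 from host3, falls to the DROP policy after being logged. Keeping the flow list separate from the generated commands is the same idea the message above attributes to fwbuilder: the policy is the thing you maintain, and the iptables script is derived from it.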
On Thursday 24 November 2005 19:28, Randall R Schulz wrote:
> So my recommendation is FWBuilder for all firewalls (including some firewall hardware boxes) for networks of all sizes. I have yet to see a Linux workstation firewall a la Windows with dynamic rules via pop-ups, etc. So no recommendation for single workstation firewalls.

There is one called Firestarter for Linux that is of the more dynamic type (a la ZoneAlarm for Windows). I looked at it but decided on Guarddog (in the past) and am now switching to FWBuilder.

R.Parr, RHCE, Temporal Arts
participants (5)
- Jerry Westrick
- Randall J. Parr
- Randall R Schulz
- Rui Santos
- Sunny