On Dec 31, 2007 7:58 AM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
>
> Matt Shields wrote:
> > On Dec 31, 2007 12:13 AM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
> >
> >> Well FWbuilder is NOT easy. The documentation does not match the
> >> current GUI. Now the box is locked up. I will have to pull it again,
> >> hook it up to a kybd/VGA and reset iptables....
> >>
> >> Maybe Shoreline with webmin....
> >>
> >> Problem is I want a REAL router/firewall with little work. Both public
> >> and private nets have routable addresses. No NATing for me! I just
> >> helped write the RFC ;) And all the templates for fwbuilder want you to
> >> be using NATing.
> >>
> >> Perhaps I should just set up another Astaro firewall. I have been using
> >> Astaro since v3, so I am comfortable with it....
> >>
> >
> > If you've ever used a Checkpoint firewall, FWBuilder is exactly like
> > that interface. It even comes with a module that will let you modify
> > Checkpoint firewalls.
>
> I noticed the latter, also a PIX module. No, I have not personally needed
> that costly of a firewall.
>
> Full disclosure time. My day job is with ICSAlabs. My area is security
> protocols research (like setting up the initial IPsec certification
> criteria), but when I visit the labs there are all those firewall
> products up and running.... So, yeah, I know Checkpoint. I talk with the
> gang over in the labs about 'simple' firewalls, but there are only
> certain things the boss funds here. So then I have to go cheap.

If you're running a single firewall, then maybe FWBuilder isn't for you, although it will do what you want. The real benefit of FWBuilder is when you have more than one firewall in your network and you want to use common objects to simplify maintaining rules. For example, the company I work for has 4 datacenters, plus a number of leased servers (like Rackspace). At each of the datacenters we have at least 1 pair of redundant firewalls.

On all our firewalls we have common rules to allow traffic from every other datacenter/server that we own. So we define an object for each datacenter; the object is a subnet. Then we define a group called datacenters which includes all the previous subnet objects. Then when building a new firewall we just include the same rule that says from datacenters allow all. If we add a new datacenter or leased server, we add a new subnet object and include it in the datacenter group. We then just recompile and redeploy each of the firewalls without having to add anything to the firewalls, because they already have the datacenter rule. When you maintain a large network you really see the benefit of FWBuilder.

If you're running Windows there is a $50 license fee, but for those people who are network admins but do not like Linux on the desktop it's well worth the price for the Windows license.

--
-matt

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
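The object/group workflow described in the post, as an added Python model that is neither FWBuilder's code nor part of the thread: subnet objects are defined once, collected in a group, and every firewall's rule set is regenerated from that group, so adding a datacenter is one object change rather than a per-firewall edit. All object names, addresses and interface names are constructed placeholders.

```python
"""Minimal model of FWBuilder-style object groups compiled into iptables rules."""
import ipaddress

# Constructed object library: one subnet object per datacenter / leased server.
OBJECTS = {
    "dc-east": "10.10.0.0/16",
    "dc-west": "10.20.0.0/16",
    "rackspace-1": "192.0.2.0/24",  # TEST-NET-1 documentation range
}
# A group object references subnet objects by name.
GROUPS = {"datacenters": ["dc-east", "dc-west", "rackspace-1"]}
# Constructed firewall inventory: firewall name -> interface the rule binds to.
FIREWALLS = {"fw-east-a": "eth0", "fw-west-a": "eth1"}


def resolve(group, objects=OBJECTS, groups=GROUPS):
    """Expand a group into validated networks, refusing overlapping members
    (an overlap usually means a typo that would silently widen the rule)."""
    nets = [ipaddress.ip_network(objects[name]) for name in groups[group]]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return nets


def compile_rules(iface, group="datacenters", **kw):
    """Emit the iptables lines equivalent to 'from <group> allow all'."""
    return [f"iptables -A INPUT -i {iface} -s {net} -j ACCEPT"
            for net in resolve(group, **kw)]


def compile_all(group="datacenters", **kw):
    """One compiled rule set per firewall, all derived from the same group."""
    return {fw: compile_rules(iface, group, **kw) for fw, iface in FIREWALLS.items()}


def add_object(name, cidr, group="datacenters", objects=OBJECTS, groups=GROUPS):
    """Register a new subnet object and include it in the group."""
    ipaddress.ip_network(cidr)  # reject malformed definitions before they reach a firewall
    objects[name] = cidr
    groups[group].append(name)


if __name__ == "__main__":
    for fw, rules in compile_all().items():
        print(fw, *rules, sep="\n  ")
    add_object("dc-north", "10.30.0.0/16")  # one change, every firewall picks it up on recompile
    for fw, rules in compile_all().items():
        print(fw, *rules, sep="\n  ")
```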