Re: Firewall frustration




Matt Shields wrote:
On Dec 31, 2007 7:58 AM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
Matt Shields wrote:
On Dec 31, 2007 12:13 AM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:

Well FWbuilder is NOT easy.  The documentation does not match the
current GUI.  Now the box is locked up.  I will have to pull it again,
hook it up to a kybd/VGA and reset iptables....

Maybe Shoreline with webmin....

Problem is I want a REAL router/firewall with little work.  Both public
and private nets have routable addresses.  No NATing for me!  I just
help write the RFC ;)  And all the templates for fwbuilder want you to
be using NATing.

Perhaps I should just set up another Astaro firewall.  I have been using
Astaro since v3, so I am comfortable with it....


If you've ever used a Checkpoint firewall, FWBuilder is exactly like
that interface.  It even comes with a module that will let you modify
Checkpoint firewalls.
I noticed the latter, also a PIX module. No, I have not personally needed
that costly a firewall.

Full disclosure time. My day job is with ICSAlabs. My area is security
protocols research (like setting up the initial IPsec certification
criteria), but when I visit the labs there are all those firewall
products up and running.... So, yeah, I know Checkpoint. I talk with the
gang over in the labs about 'simple' firewalls, but there are only
certain things the boss funds here. So then I have to go cheap.


If you're running a single firewall, then maybe FWBuilder isn't for
you, although it will do what you want.  The real benefit of FWBuilder
is when you have more than one firewall in your network and you want
to use common objects to simplify maintaining rules.

For example, the company I work for has 4 datacenters, plus a number
of leased servers (like Rackspace).  At each of the datacenters we
have at least 1 pair of redundant firewalls.  On all our firewalls we
have common rules to allow traffic from every other datacenter/server
that we own.  So we define an object for each datacenter, the object
is a subnet.  Then we define a group called datacenters which includes
all the previous subnets objects.  Then when building a new firewall
we just include the same rule that says from datacenters allow all.

If we add a new datacenter or leased server, we add a new subnet
object and include it in the datacenter group.  We then just recompile
and redeploy each of the firewalls without having to add anything to
the firewalls, because they already have the datacenter rule.

When you maintain a large network you really see the benefit of
FWBuilder.  If you're running Windows there is a $50 license fee, but
for those people who are network admins but do not like Linux on the
desktop it's well worth the price for the Windows license.
I saw that about fwbuilder. Going to have to ask the crew back in the labs about it.

But, yes. I 'run' a research facility out of my house. I have to pay the electric bill, never convinced the boss to allow me to expense it; they have bought some of my equipment and pay for part of the ISP cost. So as a lab, I have need for flexibility, not replicability. Also I might be at a conference and need to get something up and running on one of the notebooks I travel with....
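The object/group approach Matt describes (subnet objects collected into a "datacenters" group, one shared "from datacenters allow all" rule, recompile and redeploy when a member is added) can be shown in plain shell without FWBuilder. The script below is an added example written for this page; it is not from the original thread and is not FWBuilder's generated output. The subnet prefixes are RFC 5737 documentation ranges, and the interface name and host names are assumptions. It emits iptables-restore format for the filter table only, with no nat table, so it fits the routed, no-NAT setup Robert wants.

```shell
#!/bin/sh
# Added example: a minimal "object/group" rule generator in the spirit of
# FWBuilder's shared objects. Produces iptables-restore input for the filter
# table only (no NAT), so the same compiled rule set can be applied
# atomically on every firewall.

# "Subnet objects" (constructed values: RFC 5737 documentation prefixes).
DC_BOSTON="192.0.2.0/24"
DC_DALLAS="198.51.100.0/24"
DC_RACKSPACE="203.0.113.32/27"

# "Group object": every datacenter / leased-server subnet we own.
# Adding a site means adding one object here; the rules below do not change.
DATACENTERS="$DC_BOSTON $DC_DALLAS $DC_RACKSPACE"

# Compile the common rule set for one firewall. $1 is the outside interface
# (assumed name, e.g. eth0). Default policy is DROP on INPUT/FORWARD so an
# empty group fails closed rather than open.
gen_rules() {
    wan_if="$1"
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo ":DATACENTERS - [0:0]"
    # Group expansion: one ACCEPT per member subnet, in a dedicated chain so
    # the "from datacenters allow all" rule reads the same on every box.
    for net in $DATACENTERS; do
        echo "-A DATACENTERS -s $net -j ACCEPT"
    done
    echo "-A DATACENTERS -j RETURN"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -i $wan_if -j DATACENTERS"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -i $wan_if -j DATACENTERS"
    echo "COMMIT"
}

# Sanity check before deploying: the number of expanded ACCEPT rules must
# equal the number of group members, otherwise a subnet was silently dropped.
count_group_rules() {
    gen_rules "$1" | grep -c -- '-A DATACENTERS -s '
}

# Deploy step (hypothetical host names), kept commented so the script runs
# offline. iptables-restore replaces the whole table, which is what removes a
# member's rules when it is taken out of the group.
# for fw in fw1.bos fw1.dfw; do
#     gen_rules eth0 | ssh "root@$fw" iptables-restore
# done

gen_rules eth0
```

Because iptables-restore loads the whole table at once, a removed member disappears from every firewall on the next redeploy; with per-rule `iptables -A` edits it would linger until someone noticed. Newer iptables-restore accepts `--test` to parse a rule set without applying it, which is worth running over the generated output before pushing it to a remote box you would otherwise have to reach with a keyboard and VGA.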


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
