On Sat, 2003-05-03 at 10:27, Paul wrote:
> First off, my opinion on GUI firewalls, you're adding
> more processes to a firewall than what is needed. A
> true firewall should have the least amt of processes
> installed/running on it all the time.

That's very true, but a good GUI like fwbuilder doesn't have to run on the fw itself - in fact it shouldn't. It can be run on your local machine, and the script that it generates can then be pushed out to the actual fw, which doesn't need to have any additional stuff on it at all.

In the case of fwbuilder, you can also use it to migrate relatively painlessly from one type of fw to another. Because the NAT and policy rules are stored by fwbuilder in its own XML format that's separate from the actual output script generated for whatever software your fw is running, you can take the same ruleset and output it for ipchains, or iptables, or whatever you need at the time.

> What I'd suggest is make a really simple script like I
> did.
> It's actually quite simple.

In simple scenarios, yes, but things aren't always that easy. For example, I manage a number of firewalls on our network using fwbuilder, and a little while ago I printed out the iptables script generated for one of them, and the script was 32 pages long. When you've got a network that's less trivial than a couple of boxes on a DSL connection, a good GUI can help you keep track of what's going where.

Cheers
Jonathan
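The "store the ruleset in a backend-neutral format, then generate the script for whatever the fw runs" design Jonathan describes, as an added illustration that is not part of the thread and not fwbuilder's own code: the XML schema and the sample rules below are constructed for this example and are not fwbuilder's real file format; only the emitted iptables/ipchains syntax is real.

```python
# Added example: a tiny policy "compiler" in the spirit of fwbuilder's design.
# Rules live in a backend-neutral XML document and are emitted as a script
# for whichever firewall software is in use. The schema is constructed for
# this example and is NOT fwbuilder's real format.
import xml.etree.ElementTree as ET

# Constructed sample ruleset: default-deny inbound, allow SSH only from the
# admin network, allow HTTP from anywhere, and explicitly drop telnet.
POLICY_XML = """<policy chain="input" default="deny">
  <rule action="accept" proto="tcp" src="10.0.0.0/24" dport="22"/>
  <rule action="accept" proto="tcp" src="0.0.0.0/0" dport="80"/>
  <rule action="deny" proto="tcp" src="0.0.0.0/0" dport="23"/>
</policy>"""

# Per-backend vocabulary: chain-name case, target names, and the port option.
# This is where the two generations differ (INPUT/DROP vs input/DENY).
BACKENDS = {
    "iptables": {"cmd": "iptables", "chain": str.upper,
                 "target": {"accept": "ACCEPT", "deny": "DROP"},
                 "dport": "--dport"},
    "ipchains": {"cmd": "ipchains", "chain": str.lower,
                 "target": {"accept": "ACCEPT", "deny": "DENY"},
                 "dport": "--destination-port"},
}

def compile_policy(xml_text, backend):
    """Return the list of shell commands implementing the policy on `backend`."""
    b = BACKENDS[backend]
    root = ET.fromstring(xml_text)
    chain = b["chain"](root.get("chain"))
    # Flush, then set the default policy before any rule is appended so the
    # chain never sits open while the rules are being loaded.
    lines = ["%s -F %s" % (b["cmd"], chain),
             "%s -P %s %s" % (b["cmd"], chain, b["target"][root.get("default")])]
    for rule in root.findall("rule"):
        lines.append("%s -A %s -p %s -s %s %s %s -j %s" % (
            b["cmd"], chain, rule.get("proto"), rule.get("src"),
            b["dport"], rule.get("dport"), b["target"][rule.get("action")]))
    return lines

if __name__ == "__main__":
    # Same ruleset, two different output scripts.
    for name in BACKENDS:
        print("# --- %s ---" % name)
        print("\n".join(compile_policy(POLICY_XML, name)))
```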

