> -----Original Message-----
> From: Eli Billauer [mailto:[EMAIL PROTECTED]
[snip]
> > Solution: Use the distribution's configuration files for
> > interfaces, and shorewall (www.shorewall.net) for firewall
> > rules. It simplifies things to a great extent.
[snip]
> Simplifies? It may be that these guys are bad at documentation, but
> after a first glance at their "Setup guide", there's nothing simple
> about it. They have a similar way to define the zones, yes, but that's
> as close as they get to what I had in mind.

Oh yes, it simplifies, you just have to RTFM a little to learn the idea behind the
zones, interfaces etc.

First, the zone file defines what your zones are, regardless of interface or IP. My
zones are WAN, LAN, VPN and WLAN, for instance.

Then the interfaces file binds an interface to a zone in a 1-to-many
relationship. If you want to have exceptions, you can use the hosts file. Be careful,
it's dangerous.

The policy and rules define policies and rules regarding zones. Which interfaces? Who 
cares? We are dealing with zones now.

That's about it. No more thinking about all your address ranges when configuring your 
firewall. You can if you want to.

> What I meant was being able to use almost natural language to describe
> the network and its rules. Something like "I have a group of hosts
> connected to eth0, I have another group on eth1, and I want the first
> group to be clients on port 80 of the second group".

Sorry, but I believe that the almost-natural language will soon become a heap of
unmanageable rules. I believe in the shorewall way of putting every sort of definition
in its own file.

> "Intuitive", as I define it, is when a simple example is enough to 
> explain how to use a system, and when a newbie tries things out, they 
> work as expected.

I thought shorewall was like that. It took half an hour to configure it as a simple
router, and an hour more to actually have some useful rules, without prior knowledge.
For a firewall, I call that sensational.

-- Arik
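The zones / interfaces / hosts / policy / rules split described in the reply above, as an added worked example that is not part of the original thread and not Shorewall's own code. The five config fragments are constructed for this example and use the WAN/LAN/VPN/WLAN zones the poster mentions, laid out in the column style of the classic Shorewall files; the small evaluator is a simplified re-implementation of the idea (interface plus optional hosts exception gives the zone, then first matching rule, then first matching policy), not Shorewall's compiler. The `load()` check that every referenced zone is declared is the kind of sanity check a practitioner would want before trusting such a config.

```python
"""Toy evaluator for Shorewall-style zone configuration (added example, not
Shorewall's code). The fragments below are constructed for this example and
mimic the column layout of the classic zones/interfaces/hosts/policy/rules
files; the resolver is a simplified model of how those files fit together."""
import ipaddress

ZONES = """\
#ZONE   TYPE
fw      firewall
wan     ipv4
lan     ipv4
vpn     ipv4
wlan    ipv4
"""

INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
wan     eth0        detect      tcpflags
lan     eth1        detect
lan     eth2        detect
wlan    wlan0       detect
"""

# hosts file: an exception that moves one address range on eth1 into the vpn zone
HOSTS = """\
#ZONE   HOST(S)
vpn     eth1:10.8.0.0/24
"""

POLICY = """\
#SOURCE DEST    POLICY
lan     wan     ACCEPT
vpn     lan     ACCEPT
wlan    all     DROP
wan     all     DROP
all     all     REJECT
"""

RULES = """\
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  wlan    wan     tcp     80,443
ACCEPT  wan     fw      tcp     22
DROP    vpn     lan     tcp     445
"""

def rows(text):
    """Yield the whitespace-separated columns of each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def load(zones=ZONES, interfaces=INTERFACES, hosts=HOSTS, policy=POLICY, rules=RULES):
    """Parse the fragments and refuse any zone name that was never declared."""
    cfg = {"zones": [r[0] for r in rows(zones)]}
    cfg["interfaces"] = {r[1]: r[0] for r in rows(interfaces)}   # iface -> zone (many ifaces per zone)
    cfg["hosts"] = []
    for r in rows(hosts):
        iface, net = r[1].split(":", 1)
        cfg["hosts"].append((r[0], iface, ipaddress.ip_network(net)))
    cfg["policy"] = [tuple(r[:3]) for r in rows(policy)]
    cfg["rules"] = [(r[0], r[1], r[2], r[3], r[4].split(",")) for r in rows(rules)]
    known = set(cfg["zones"]) | {"all"}
    used = set(cfg["interfaces"].values()) | {z for z, _, _ in cfg["hosts"]}
    used |= {z for p in cfg["policy"] for z in p[:2]} | {z for r in cfg["rules"] for z in r[1:3]}
    if used - known:
        raise ValueError(f"undeclared zones: {sorted(used - known)}")
    return cfg

def zone_of(cfg, iface, addr):
    """Map (interface, address) to a zone. A hosts-file exception wins over the
    plain interface binding; it is decided by address alone, which is why the
    poster says the hosts file needs care."""
    ip = ipaddress.ip_address(addr)
    for zone, h_iface, net in cfg["hosts"]:
        if h_iface == iface and ip in net:
            return zone
    return cfg["interfaces"][iface]

def verdict(cfg, in_iface, src, out_iface, dst, proto, dport):
    """Zones first, then the first matching rule, then the first matching policy.
    out_iface=None means the packet is addressed to the firewall itself (zone fw)."""
    s = zone_of(cfg, in_iface, src)
    d = "fw" if out_iface is None else zone_of(cfg, out_iface, dst)
    for action, rsrc, rdst, rproto, ports in cfg["rules"]:
        if (rsrc, rdst, rproto) == (s, d, proto) and str(dport) in ports:
            return s, d, action
    for psrc, pdst, pol in cfg["policy"]:
        if psrc in (s, "all") and pdst in (d, "all"):
            return s, d, pol
    return s, d, "REJECT"   # constructed fallback for this model if nothing matched

if __name__ == "__main__":
    cfg = load()
    print(verdict(cfg, "wlan0", "192.168.2.10", "eth0", "203.0.113.5", "tcp", 443))
    print(verdict(cfg, "eth1", "10.8.0.7", "eth1", "192.168.1.10", "tcp", 445))
```

Note how `verdict()` never looks at interface names once the two zones are known: a host on eth2 gets the same treatment as one on eth1 because both interfaces are bound to `lan`, and the 10.8.0.0/24 exception on eth1 is handled entirely by the `vpn` policy and rules.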