On 12/24/2012 09:48:17 AM, Brian J. Murrell wrote:
> On 12-12-23 12:27 PM, Karl O. Pinc wrote:
> >
> > Shorewall is good, but I tend to prefer ferm.
>
> Ferm looks neat. But does it complete the trifecta of filtering,
> multi-wan management and QoS or does it only handle filtering at the
> moment?

ferm is strictly syntactic sugar for iptables, so it will only do what iptables does. You (often) need to know what the iptables modules do in order to use ferm. (Understand what you are doing! Accept no substitutes! ;-)

So, you can use ferm and the classify module to feed packets into specific CBQ classes, but you need to configure the queues yourself some other way. (CBQ.init? I have no experience on which to base a recommendation.)

I don't know what "multi-wan management" is (if not routing and (S)NAT/MASQUERADE/etc.). ferm won't do routing or interface configuration or dhcp or configure dns caching/forwarding or any of that, but will do all the iptables packet mangling you care to.

> One thing I do like about Shorewall (but which I was willing to give up
> in trade for using all native-openwrt services for filtering, multi-wan
> management and QoS) is the Shorewall->Shorewall-lite remote facility.

ferm outputs iptables. You can install the resulting rules anywhere. (Assuming you write rules compatible with the target system.) It also comes with the usual stuff that helps keep you from firewalling yourself out of your box -- try this out but discard in 30 seconds unless I say otherwise -- but that only works if you use ferm on the box in question.

ferm's just perl, so as long as you've perl installed there's little overhead.

The thing I like about ferm is that it's readable, hence understandable/usable. It does not substitute for understanding iptables, but nothing really does.

Regards,

Karl <[email protected]>
Free Software: "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
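
The "try this out but discard in 30 seconds unless I say otherwise" safeguard described in the message above, written out as an added example (not part of the original e-mail and not ferm's own code). It assumes a ruleset in iptables-save format and root privileges on the box; the function names are hypothetical.

```python
import select
import subprocess
import sys


def iptables_save():
    """Return the live ruleset in iptables-save format (needs root)."""
    return subprocess.run(["iptables-save"], check=True,
                          capture_output=True, text=True).stdout


def iptables_restore(rules):
    """Load a ruleset given in iptables-save format (needs root)."""
    subprocess.run(["iptables-restore"], input=rules, check=True, text=True)


def confirm_on_stdin(timeout):
    """True only if the operator types 'yes' within `timeout` seconds."""
    print(f"New rules are live. Type 'yes' within {timeout}s to keep them: ",
          end="", flush=True)
    ready, _, _ = select.select([sys.stdin], [], [], timeout)
    return bool(ready) and sys.stdin.readline().strip().lower() == "yes"


def apply_with_rollback(new_rules, timeout=30, save=iptables_save,
                        restore=iptables_restore, confirm=confirm_on_stdin):
    """Apply new_rules; put the previous ruleset back unless confirmed.

    If the new rules cut off the operator's own session, the 'yes' never
    arrives, so silence (or an I/O error) is treated as "discard".
    """
    previous = save()              # snapshot the known-good rules first
    try:
        restore(new_rules)
    except Exception:
        restore(previous)          # new ruleset failed to load: put old one back
        raise
    try:
        kept = confirm(timeout)
    except Exception:
        kept = False               # a dropped session counts as "no"
    if not kept:
        restore(previous)
    return kept


if __name__ == "__main__":
    # Usage: python3 safe_apply.py new.rules   (file in iptables-save format)
    with open(sys.argv[1]) as fh:
        ok = apply_with_rollback(fh.read())
    print("kept new rules" if ok else "rolled back to previous rules")
```

The save, restore and confirm steps are passed in as parameters so the rollback logic can be exercised with stand-ins before it is trusted on a remote router.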
