[Gllug] Recommend an ADSL modem?

Ian Northeast ian at house-from-hell.demon.co.uk
Wed Jan 21 21:16:05 UTC 2004


Tethys wrote:
> "Daniel P. Berrange" writes:
> 
> 
>>Would using OpenBSD as your firewall/router really be that much
>>more advantageous than Debian?
> 
> 
> Simple answer: yes. PF is light years ahead of iptables in terms of
> ease of use (and indeed capabilities, IIRC). That alone makes it
> worthwhile.

It's certainly easier to use and seems more logical to me. I'm not sure
about the capabilities - I haven't hit a sufficiently complex requirement
to challenge either of them. I use pf on an old P150 laptop here, with
ethernet connection to the CM which avoids all the USB and DSL hassles.

> More complex answer: perhaps. There are rumoured to be various easy
> to use front ends that kick iptables into doing what you want, but
> I've never tried any of them, so I can't comment on whether they
> really make enough of a difference.

http://www.fwbuilder.org/ is pretty good. It's GPL, will generate rules 
for iptables, pf and a couple of others, has a GUI interface which is 
actually sensible and looks very much like Checkpoint Firewall-1's which 
makes it easy to switch between the two.

It does tend to crash a little but that doesn't really matter as it's 
only used to build the rules. I've never had it crash just before saving 
a complex set of changes (but once it did on the very next operation 
after doing so). It can be run on a separate machine to the firewall and 
the rules just copied over.

I'm using it to maintain what I consider to be an unpleasantly complex 
iptables firewall (1252 iptables commands). It would certainly not be 
easy to manually write an iptables script for this thing (although if I 
did it would probably be a bit shorter) but the fwbuilder rules only 
take up about two and a half screens.

The firewall itself BTW runs http://www.devil-linux.org/ which I also 
rather like. It runs from CD with the config on a floppy and uses the 
hard disk just for logs and such.

One front end I don't like is SuSE's. I put a modem on my workstation at 
work so I wanted a firewall - just a basic "everything out, everything 
from the LAN and nothing from the Internet in". I ran the SuSE config 
utility and it generated a horribly complex script hundreds of lines 
long which was very hard to check. I replaced it with about 10 lines. I 
don't know if the other distros' inbuilt firewall generators are any 
better but I doubt it.

Regards, Ian

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug



