Domain: fwbuilder.org
Stories and comments across the archive that link to fwbuilder.org.
Comments · 25
-
Re:Ubuntu advertises a lot but sucks
You go to the little square on the bottom left with a K on it.
You press it with your mouse and a menu pops up like a restaurant except this one has a search box unlike Wendy's. You can either type firewall into it, type yast into it, or navigate to Yast in the menu until you find one that says Yast.
Open Yast and it prompts you for the root password to access system configuration.
Click Security then Firewall and check the bubble that says start automatically.
If not already running click the box to start it, if already running just click Next/Next/Next and done.
Sorry, that doesn't cover what I requested, you have failed the task, completely.
If you think you are being cute by asking how to configure a star topology network of beowulf clustered Google datacenters you're exactly the type of dickhead that uses Ubuntu.
Believe it or not, I actually do have two Internet connections in my house, if this was a datacentre, I'd have some fancy router instead of a random Linux box sitting under my desk with a bunch of manually written iptable rules that I struggle with each time.
I didn't even go to the extent of requesting the uPnP crap for each Internet Connection, or mention the amprnet vlan with its amprnet gateway configuration; which was such a headache for me to figure out how to integrate into this.
Opensuse has a great community and literally everything runs on it.
Literally everything runs on major Linux distributions too, you're not making a convincing argument.
I'm waiting for the ease of use that genuinely matters, being able to turn on and off a firewall in a GUI has literally been in most distros for years, it's so old, you can find it in the first versions of Mandrake and Corel Linux. It's upsetting that after all this time, Yast's Firewall module still doesn't compare to Firewall Builder's usability, reconfigurability and flexibility, then you tout a shoddy GUI in comparison that is less flexible and less user friendly (it doesn't even have a user friendly wizard). Sorry, but feck off with your late 90s technology, it's clear you're living in the past and have no vision for the future nor even an understanding of the technologies that are currently even out there.
-
Re:This has been discussed for so long...
-
Re:Bad GUI and no CLI: way too common
I don't know. I have seen GUI generated firewall rules (PF). And for a learning process, I think it would be a hell of a lot easier than how I learned to build the rules. Especially since these rules are built specifically for what your environment is. And not a text book example.
I still prefer building the firewall rules via a text editor. But my environment is not a large business environment. And I am sure there are better firewall GUIs than what I am referencing. Firewall Builder is an easy-to-use GUI for creating and managing firewall rules for multiple platforms including iptables, pf and Cisco routers and Cisco ASA/PIX firewalls.
-
Firewall Builder
That's about as good as it gets without the risk of a PHB letting the orcs in!
-
Firewall builder 3.0
I am in no way associated with the Firewall Builder project. It's an application I came across in the January issue of Linux Journal that sounds like it could solve some of the original poster's issues.
The article is available online, as is of course the project homepage.
I have not used it yet, but it looks promising and sounds like one of the "cool projects" the submitter needs to know about. It gives you a graphical representation, it can deploy configurations via SSH to various machines or to Linksys, D-Link, DD-WRT or OpenWRT devices, Cisco routers and Cisco ASA (PIX) firewalls. It supports IPV4 and IPV6 and the client is available for Windows, OSX, Linux (ubuntu, fedora, debian repositories at least), OpenBSD and FreeBSD.
At least that's what they promise, but it has been in development for some time (1999) so I expect it to be pretty good.
-
FWBuilder
Check out FWBuilder. Anything beyond that concept would be overkill and extremely error-prone.
-
Re:An iptables recipe
-
Re:firewall GUI?
-
Re:Some people can screw up anything
If you actually have to administer the firewall, the Checkpoint GUI is second to none.
I find that Firewall Builder, while having an interface similar to the CheckPoint GUI, is more robust. Plus it gives the added benefit of multiple firewall backends including pf, ipf, ipfw, iptables, and Cisco PIX. The new queuing and rule options available with the 2.1.x series alone are worth taking a look at. Plus the file format is an open XML-based format and the output rule files are actually quite readable.
-
Re:Simple fix
Haven't you ever heard of iptables and port knocking for friends with dynamic IPs? --reject-with tcp-reset is your friend
Clearly a solution for the unwashed masses. We can't seem to get people from double clicking every email attachment, I'm sure they're ready to set up, configure and tweak their own IPTables.
Well, there are a couple tools out there that make building/installing a *nix firewall a bit easier/friendlier than editing tables of rules, like "fwbuilder" http://www.fwbuilder.org/.
Admittedly, few of the "unwashed masses" will be running a *nix box, but still, setting up a workstation firewall for *nix *is* getting easier.
There are also a good number of liveCD-type firewall/router distros out there that require only very modest hardware, no hard drive, and a couple NICs to create a quite effective and easily set-up solution. Take a look here http://www.frozentech.com/content/livecd.php?pick=All&showonly=Firewall&sort=&sm=1
Strat
-
Re:OpenBSD?
Right, but firewall builder is the tool you're looking for in this case. The question here is whether it's ok to spend thousands of dollars for a set of wizards; that's all the value add there is in the "commercial" solution. An admin that can't grok fwbuilder needs some serious training and even that would be cheaper than throwing all that money in the wind...
-
Re:Help me build my list..
Linux comes with iptables/ipfilter. It's command line, but if you want a nice GUI for it, there's things like http://www.fwbuilder.org/ - not for the faint hearted, but then most Linux setup routines will install a decent set already.
-
I don't understand the question.
You say you're looking for a firewall under $100? I don't understand this concept you speak of -- paying for software as vital as a firewall!
Seriously though, check out Firewall Builder at http://www.fwbuilder.org/. It looks like they now even have Win32 builds, although I would agree with others that the best approach is a separate, dedicated, Linux or FreeBSD box.
Firewall Builder isn't a firewall itself. It is simply a GUI tool to help you create firewall policy by defining objects which represent networks, hosts, policies, NAT rules, services, etc. Then you plug in a policy compiler for the platform you're targeting -- iptables, pf, etc.
I have used it for years and it works like a charm.
-
FWBuilder
In larger setups it is always a good idea to have a centralized firewall management system.
Check out FWBuilder!
-
GPL GUI for iptables and ipfilter - fwbuilder.org
http://fwbuilder.org/ has a GUI interface similar to Checkpoint. You create objects (hosts, networks), services (IP, tcp, udp, etc), and groups then use those objects or groups to define rules.
fwbuilder then compiles an iptables, ipfilter, ipfw, or even pix script (pf costs $$$) to implement the ruleset.
-
Re:At least with windows
I like fwbuilder. It provides a fairly advanced interface but also has some nice wizards to get a basic firewall / NAT platform going. And you can migrate your general firewall configuration between platforms (want to migrate from a Linux box to an OpenBSD firewall? Recompile your ruleset and install on the new box). Though... I have to admit... most of what I like about it would likely be lost on a neophyte.
-
Firewall Builder
I like Firewall Builder for keeping track of complex firewall rules.
-
Re:I'd like an understandable firewall interface.
Not completely what you're asking for, but you might take a look at fwbuilder ( www.fwbuilder.org ). Not exactly plug and play, but at least it's drag and drop...
-
I'm a firewall admin amongst other things.....and this looks really attractive to me. Our environment comprises of Nokia IPSO-based firewalls running Checkpoint, so I'm very familiar with VRRP.
However, as excellent as this looks, I can only shudder in horror at the thought of migrating any of our existing rulesets across to openbsd/pf, let alone distributed management of policies across several 'clusters' of firewalls we have.
Yes my friends. I'm asking for a GUI. FW Builder is a good start, but it still needs work (porting to Windows would be a good start). Migration tools from Checkpoint (or other commercial firewalls) would be another good addition.
PS, I ask for Windows support not for my sake, but so that my co-workers would be able to use it. However, this criticism is levelled at FW Builder.
OpenBSD/pf/CARP has provided a brilliant technical starting block, but it needs these additional tools to make inroads into enterprise organisations.
-
Anyone care to comment on...
fwbuilder? I think it's a smart product but still, I've never played with "enterprise" stuff. Anyway, I do get the feeling that the program is geared towards managing large arrays of machines inside a single interface.
-
firewall builder
i see the benefits of a web-based firewall builder (especially for a home user where the rules are built from answers to simple, high-level, non-technical questions), but for something more in-depth i use:
firewall builder
i started using the project almost a year ago, and have really been impressed with all the extras that have come on-line since then: user guide, FAQ, web portal, articles, cookbook, etc.
the application:
has a wizard to help jump start building a ruleset
abstracts firewall-specific syntax from firewall design
builds rules for several firewall implementations (iptables, pix, ipfilter, ipf)
for an administrator wanting something more technical than a web-based rule builder, but simpler than learning firewall-specific syntax and implementation details, i recommend firewall builder.
a satisfied user
-
Rely on software not the hardware: always use VPN.
Given that WiFi was crippled from birth I assume it's clear even if it's WEP-64. It would have been so easy to add DH key exchange plus strong crypto or use the SSL style encryption handshakes but no they invent their own. OK maybe I missed the fine technical details on WEP but it's not exactly trusted is it whereas SSLv3 (of a suitable key length and algorithm) is trusted.
So yes I have WEP and MAC filters turned on my Home Wireless but the Access Point (infrastructure mode) is on its own DMZ LAN and plugged into a Linux box. This Linux box has 3 Ethernets - the ADSL router and trusted LAN connections plus the Wireless LAN. The firewalling is all done via iptables configured using FWBuilder on a different Linux machine-I really recommend FWBuilder once you get into it.
The firewalling ONLY allows PPTP tunnels to be setup from WiFI clients. The Linux PPTP server is PoPToP on Linux side and standard PPTP client with WinXP on Laptop side. The laptop thus gets allocated a new IP address for the tunnel from within my trusted address space (so as to thus get through iptable filters OK) on the PPTP link and the laptop also uses this as its default gateway. BTW: Counterpane found flaws in how MS implemented PPTP not PPTP itself so I'm happy with PPTP for the moment and I use a separate (non-easy) password for the PPTP tunnel.
Workflow is thus...powerup Laptop. Double-click Connect To Homelan (password is cached in dialog box on WinXP). Wait for handshaking and authentication and tunnel setup. Surf.
My next move has to be IPSec with FreeS/WAN but ideally certificate based. So for me WiFi security is just not relevant anymore because it'll always be more flexible to place the crypto burden inside software as opposed to using hardware devices.
-
Re:Opinions from LOTs of experience...
Actually, the linux gui for iptables and in fact a lot of other scripting firewalls is fwbuilder if you haven't seen it before, it's well worth taking a look at. While, at the moment, it doesn't yet support distributing out fw policies to other boxes, it does appear to be planned for future releases.
Personally, for large companies, I've never seen a non-commercial firewall. FW-1 is very popular, and netscreen is becoming popular as well (at least, in Australia it is). I've installed/configured/etc both, and I think they're both brilliant. With big companies however, they all tend to have groups of people (as opposed to an individual) that have a broad range of responsibilities. Typically firewalls fall under either network or security which means you have two issues you have to skill-up a group of people in the same software, which means training is invaluable (where's my iptables training course?). Also keep in mind that those same people will probably be taking care of a lot of things at the same time, so trying to remember how to use iptables on the command line will quickly become a very annoying and tedious (also prone to error) task. Lastly, there's upgrade path, when I upgrade fw-1, my policies (usually) quite happily work after the upgrade without much buggering around, I certainly haven't seen the same with iptables where syntaxes and so forth change with very little notice.
I use iptables/fwbuilder at home, and I love it, but I'd hate to deploy that kinda software in a real environment if I was going to be responsible for the support.
-
Re:Interoperability (Re:"Central Policy Server"...
The article indicates that the loaded software is Secure Computing's stuff, presumably Gauntlet since it's their only firewall product. I would imagine that the console is the Gauntlet console.
As for the guy above who remarked about how silly it was to require these things to be configured by a central console, he obviously hasn't been the firewall management staff at a large company. A central console is the _only_ way to fly if you have a large number of firewall policy engines to manage. Otherwise, the flagpoles in front of most buildings would be draped with suicidal firewall admins wanting to end it all.
:>
(Besides, it's not like there isn't a central console for iptables/ipchains that works pretty well -- a firewall need not be a standalone unit with a custom policy all its own to be secure. Sometimes, it's more secure to provide an administrator with an easy way to avoid screwups.)
-
FwBuilder ROCKS !
If you have X running, not necessarily on your firewall (you just use fwbuilder to "compile" a script and run the script on the firewall box) then I can heartily recommend fwbuilder.
It's a totally object based graphical tool for building a firewall. You can just drag and drop "services" (ports) to create port mappings, drag and drop machines, other firewalls, networks, etc to determine who gets to do what.
Has a nice little druid in it to get you a working setup that you can modify to better suit your needs.
Really. Check it out.