Master iptables with GUI Firewall Builders - Page 2

By Carla Schroder | Posted Nov 20, 2007
Firewall Builder

Firewall Builder is a good choice for more complex needs, such as a multi-homed NAT firewall, or a network with multiple firewalls. It is both a firewall builder and a management system. It incorporates RCS (Revision Control System), so you can easily track all versions of your firewall configurations.

Figure: Firewall Builder (Courtesy Firewall Builder Project)
It comes with several good templates, such as simple Internet connection sharing with a dynamic WAN IP / static LAN IP, which is typical of home networks on cable or DSL. A second template adds internal DNS/DHCP. A third template includes rules for a DMZ on a third network interface. There is a "host" template for protecting a workstation, and a Web server template. You're not stuck with the default template rules, because all files generated by Firewall Builder are editable, and you can create your own templates.

Firewall Builder has a useful graphical interface that shows current states, rules, and interfaces all across your network. It is SNMP-aware, and includes a Network Discovery Druid for mapping your network. Be sure to get the User Manual PDF, as it is a lot more useful than the man pages.

Just Say Yes to Firewalls

Every time the subject of firewalls comes up, you can count on two dissenting voices arising:

1. "If you properly configure your box you don't need a firewall"
2. "Software firewalls are lame. Use a hardware firewall."

#1 is theoretically true, but we live in the real world. Things change, mistakes happen, and layered defenses are a standard best practice. And why let your hosts be pummeled and your LAN congested by outside attacks? Head all that crap off at your Internet gateway. Even public services benefit from being firewalled. For example, there's no need to subject your Web server to the endless SSH attacks infesting the Internet: block everything but TCP port 80. Same goes for all of your public services; reduce the load and potential compromises by diverting the junk.
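To make that "block everything but TCP port 80" rule set concrete, here is an added example (not the article's own code) that emits an iptables-restore ruleset for a public Web server: INPUT defaults to DROP, loopback and reply traffic are allowed, new connections are accepted only on TCP 80, dropped packets are logged at a limited rate, and an optional SSH exception is opened only for a management subnet passed as an argument (an assumption, not something the article recommends).

```shell
#!/bin/sh
# Added example (not from the article): emit an iptables-restore ruleset for a
# public web server that accepts only TCP port 80 from the network, plus
# loopback and reply traffic, with everything else dropped and rate-limited
# logging of what gets dropped. The ruleset is printed, not applied.

gen_webserver_rules() {
    admin_net="$1"   # optional management subnet still allowed SSH (assumption)
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
EOF
    # Only open SSH when a management subnet is given; otherwise the host
    # is reachable solely on port 80, as the text recommends.
    if [ -n "$admin_net" ]; then
        printf '%s\n' "-A INPUT -s $admin_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    fi
    cat <<'EOF'
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Number of rules that accept NEW inbound connections: 1 (HTTP) without a
# management subnet, 2 (HTTP + SSH from that subnet) with one.
count_new_accepts() {
    gen_webserver_rules "$1" | grep -c -- '--ctstate NEW -j ACCEPT'
}

# To apply on the web server (as root), write the file and load it atomically.
# 192.0.2.0/24 is a constructed placeholder subnet.
#   gen_webserver_rules 192.0.2.0/24 > /etc/iptables/webserver.rules
#   iptables-restore < /etc/iptables/webserver.rules
```

Because iptables-restore loads the whole table in one step, a typo is rejected before any rule changes, which is safer than applying rules one `iptables` command at a time over a remote session.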

#2 is one of those silly arguments from the Planet Bizarro. There is no magic in a "hardware firewall." All firewalls are a combination of software and hardware. A firewall is effective because it is well-configured. A more accurate question is "is it better to have a standalone, dedicated firewall, or are host-based firewalls good enough?" I prefer a standalone, dedicated box. It reduces the load on the host PC, and it's easier to maintain and secure, because you can jettison all the irrelevant bits. But well-made host-based iptables firewalls are perfectly good, too. So the definitive answer is "whichever you prefer."
