Firewall section: Difference between revisions
Latest revision as of 16:44, 19 July 2008
Firewalling under Linux
You may not have realised it, but Linux comes with an incredibly powerful and flexible TCP/IP packet filtering firewall, named Netfilter. With a minimal amount of effort, we can create just about any packet filter you can imagine. The Linux solution is so powerful that even commercial firewall vendors like Watchguard use it in their products. In fact, Watchguard paid the main developer early on in the project (see the Netfilter project's "about" page).
However, to create a truly magnificent firewall, there are many problems to overcome; we'll discuss them in this section:
Generic discussion on firewall problems.
Fortunately for YOU, my friend, the SaruWiki admin team have created their own "solution" to these problems: the Iceditch firewall script.
By consistently focusing on a small set of sensible design targets, we feel we've succeeded in creating a firewall script that alleviates most of the many problems firewalls face. Our Iceditch solution has the following elements and properties:
- Iceditch defines a "language" to make IPtables commands easier to read and write; this partly solves the problem of auditability and eases maintainability, although it does not by itself solve the problem of documentation.
- It offers much functionality, like
  - a standardised way to start the firewall at boot time,
  - ways to audit the firewall, both while it's running and when you've edited (but not yet implemented) it,
  - a reasonably failsafe way to change firewall settings from afar.
- Iceditch is based on a single Bash script and some configuration files, and thus has a fairly simple file structure.
- For full reference, we've created this Iceditch Command Reference.
- Here is an Iceditch configuration example.
Now, obviously there are many more firewalls to choose from, ranging from advanced configure-it-yourself firewalls (such as Shorewall) to prêt-à-porter OS-and-firewall-in-one solutions (such as SmoothWall), and we're not even starting on proprietary solutions, be they hardware and/or software. The main reason for us to create our own firewall script (besides the obvious reasons of fun and learning) is flexibility.
Should you be in any way interested in this project of ours, feel free to contact us.