Firewall section: Difference between revisions

From SaruWiki
(Jump page rewrite)
m (added config example)
Latest revision as of 16:44, 19 July 2008

Firewalling under Linux

You may not have realised it, but Linux comes with an incredibly powerful and flexible TCP/IP packet-filtering firewall, named Netfilter. With a minimum of effort, we can create just about any packet filter you can imagine. The Linux solution is so powerful that even commercial firewall vendors like Watchguard use it in their products. In fact, Watchguard paid the main developer early on in the project (see here).

However, to create a truly magnificent firewall there are many problems to overcome; we discuss them in a separate section, Generic discussion on firewall problems.

Fortunately for YOU, my friend, the SaruWiki admin team have created their own "solution" to these problems: the Iceditch firewall script.

By consistently focusing on a small set of sensible design targets, we feel we have succeeded in creating a firewall script that alleviates most of the many problems firewalls face. Our Iceditch solution has the following elements and properties:

  • Iceditch defines a "language" that makes iptables commands easier to read and write; this mainly solves the problem of auditability (partly) and eases maintainability, although by itself it does not solve the problem of documentation.
  • It offers a lot of functionality, such as
    • a standardised way to start the firewall at boot time,
    • ways to audit the firewall, both while it is running and after you have edited it (but not yet applied the changes),
    • a reasonably failsafe way to change firewall settings from afar.
  • Iceditch is based on a single Bash script and some configuration files, and thus has a fairly simple file structure.
  • For full reference, we've created the Iceditch Command Reference.
  • Here is an Iceditch configuration example.
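As an added illustration of two of the items above, the running-versus-edited audit and the "failsafe way to change firewall settings from afar", here is a small POSIX shell sketch; it is not the Iceditch script itself. The new ruleset is applied with a backup kept, and unless the operator confirms within the deadline the backup is restored, so a rule that drops the operator's own SSH session undoes itself. The save/restore commands and the state directory are assumptions and are overridable so the logic can be exercised without root.

```shell
#!/bin/sh
# Constructed example, not Iceditch code. Defaults assume iptables;
# override IPT_SAVE/IPT_RESTORE/STATE_DIR to test without privileges.
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
STATE_DIR="${STATE_DIR:-/var/lib/fwchange}"   # assumed location

# Strip what changes on every dump (timestamp comments, packet counters)
# so two rulesets can be compared for their actual rules.
normalise_ruleset() {
  sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' -e '/^$/d'
}

# Audit: compare a saved (edited) ruleset file with what the kernel runs.
# Exit status 0 when they match, 1 when they differ (diff is printed).
ruleset_diff() {
  saved="$1"
  mkdir -p "$STATE_DIR"
  $IPT_SAVE | normalise_ruleset > "$STATE_DIR/running.norm"
  normalise_ruleset < "$saved" > "$STATE_DIR/saved.norm"
  diff -u "$STATE_DIR/saved.norm" "$STATE_DIR/running.norm"
}

# Apply ruleset $1 with a backup; unless failsafe_confirm runs within
# $2 seconds (default 60) the backup is restored automatically.
failsafe_apply() {
  new_rules="$1"; deadline="${2:-60}"
  mkdir -p "$STATE_DIR"
  $IPT_SAVE > "$STATE_DIR/backup.rules" || return 1
  $IPT_RESTORE < "$new_rules" || return 1
  : > "$STATE_DIR/pending"                 # marker: change not yet confirmed
  ( sleep "$deadline"
    [ -e "$STATE_DIR/pending" ] || exit 0  # confirmed in time, keep new rules
    $IPT_RESTORE < "$STATE_DIR/backup.rules"
    rm -f "$STATE_DIR/pending" ) &
  echo $! > "$STATE_DIR/timer.pid"
}

# The operator is still connected: keep the new rules, cancel the rollback.
failsafe_confirm() {
  [ -e "$STATE_DIR/pending" ] || return 1
  rm -f "$STATE_DIR/pending"
  kill "$(cat "$STATE_DIR/timer.pid")" 2>/dev/null
  rm -f "$STATE_DIR/timer.pid"
}
```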

Now, obviously there are many more firewalls to choose from, ranging from advanced configure-it-yourself firewalls (http://www.shorewall.net/) to pret-a-porter OS-and-firewall-in-one solutions (http://www.smoothwall.org/), and we're not even starting on proprietary solutions, be they hardware and/or software. The main reason for us to create our own firewall script (besides the obvious reasons of fun and learning) is flexibility.

Should you be in any way interested in this project of ours, feel free to contact us at iceditch@saruman.biz.