Firewall section

From SaruWiki
Revision as of 22:43, 22 June 2008 by Saruman! (talk | contribs) (Iceditch introduction started)

Firewalling under Linux

You may not have realised it, but Linux ships with an extremely powerful and flexible TCP/IP packet-filtering framework, Netfilter, which is driven from user space with the iptables tool. With a modest amount of effort it can express just about any packet filter you can imagine. It is so capable that commercial firewall vendors such as Watchguard build on it in their own products; in fact, Watchguard paid the main developer early on in the project (see here).

Building a good firewall out of raw iptables commands raises several practical problems: the rules are hard to read and audit, they must be loaded correctly at boot, and a mistake made over a remote connection can lock you out of the machine. The SaruWiki admin team have written their own "solution" to these problems, the Iceditch firewall script. It addresses them with the following elements:

  • Iceditch defines a "language" in which iptables commands are easier to read and write; this mainly addresses auditability (in part) and eases maintenance, although it does not by itself solve the problem of documentation.
  • It offers a standardised way to start the firewall at boot time.
  • It offers a way to audit the firewall, both while it is running and after you have edited the rules but not yet applied them.
  • It offers a reasonably failsafe way to change firewall settings remotely.
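The last two points above, auditing a running ruleset against an edited one and changing rules remotely without locking yourself out, can be illustrated with plain iptables tooling. The script below is an added example written for this page; it is not Iceditch's own code and does not show how Iceditch implements these features. It assumes a Linux host with `iptables-save`/`iptables-restore` available and that it runs as root; the function names, the rollback delay and the file paths under `/var/tmp` and `/tmp` are illustrative choices.

```shell
#!/bin/sh
# Added example, not part of Iceditch or SaruWiki: audit a running ruleset
# against a candidate file, and apply a candidate with an automatic timed
# rollback so a bad rule cannot lock you out of a remote session.
# Assumptions: runs as root on Linux with iptables-save/iptables-restore.
set -u

ROLLBACK_DELAY="${ROLLBACK_DELAY:-120}"          # seconds before automatic rollback
SAVED="${SAVED:-/var/tmp/iptables.rollback}"     # where the previous ruleset is kept

# Canonicalise an iptables-save dump so two dumps can be compared: drop the
# "# Generated by" / "# Completed on" timestamps and the packet/byte counters
# ("[pkts:bytes]" prefixes on rules, suffixes on chain policy lines), all of
# which differ on every dump even when the rules are identical.
normalize_ruleset() {
    sed -e '/^# Generated by/d' -e '/^# Completed on/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# Audit: show how the running ruleset differs from the candidate file.
# Returns 0 when they match, 1 when they differ (diff's own convention).
audit_ruleset() {
    candidate="$1"
    iptables-save | normalize_ruleset > "/tmp/running.$$"
    normalize_ruleset < "$candidate" > "/tmp/candidate.$$"
    diff -u "/tmp/running.$$" "/tmp/candidate.$$"
    rc=$?
    rm -f "/tmp/running.$$" "/tmp/candidate.$$"
    return $rc
}

# Apply a candidate ruleset, then roll back automatically unless
# confirm_ruleset is called within ROLLBACK_DELAY seconds.
safe_apply() {
    candidate="$1"
    iptables-save > "$SAVED" || return 1
    # Parse the candidate without committing it, so a syntax error is caught
    # before the live tables are touched.
    iptables-restore --test < "$candidate" || { echo "candidate rejected" >&2; return 1; }
    # Commit; if the load fails part way, put the saved rules straight back.
    iptables-restore < "$candidate" || { iptables-restore < "$SAVED"; return 1; }
    # Detached timer: if the marker file still exists when it fires, the
    # change was never confirmed (e.g. the SSH session died), so restore.
    touch "$SAVED.pending"
    nohup sh -c "sleep $ROLLBACK_DELAY; [ -e '$SAVED.pending' ] && iptables-restore < '$SAVED' && rm -f '$SAVED.pending'" >/dev/null 2>&1 &
    echo "applied; run confirm_ruleset within ${ROLLBACK_DELAY}s or the old rules return"
}

# Called once you have verified you can still reach the machine.
confirm_ruleset() {
    rm -f "$SAVED.pending"
}
```

Typical use over SSH is `safe_apply /etc/iptables.candidate`, then open a second connection to prove the box is still reachable, then `confirm_ruleset`; if the second connection fails, wait out the delay and the previous rules come back on their own. `audit_ruleset /etc/iptables.candidate` before applying shows exactly which rules would change.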