On Jun 25, 2005, at 6:08 PM, Michael T. Halligan wrote:
> I believe you can create a redhat-style iptables file, after you've
> created your policy by running iptables-save. Not the best
> solution, but a workable one.
> Otherwise, FWbuilder is nice, but in my experience it's somewhat
> buggy. I've never been able to get it to work reliably enough
> to create a policy all the way through on any platform it supports.
I am the author of Firewall Builder. May I ask what bugs you've
encountered? I would like to fix them, of course. You can contact me
off the list.
As far as generating iptables config that can be used with iptables-restore
directly, the thing is, Firewall Builder does some extra work
preparing the system besides just generating iptables rules. For
example, it can configure alias IP addresses on interfaces to make
sure NAT rules work even if they use IP addresses that are not the
primary ones on the interfaces. You do not have to use this feature,
it is optional, but many users asked for it. It can also set or clear
various kernel parameters, such as ip forwarding, various TCP
parameters, etc. The generated script can also read an address of an
interface at the moment of policy activation and use it in the rules.
This way we can generate correct anti-spoofing rules even for
firewalls with dynamic addresses and do other neat things, such as
use "wild card" interfaces in the policies. The same mechanism is
used when you create one policy and then deploy it on multiple
servers or firewalls that have similar configuration but different
> Ted Kaczmarek wrote:
>> On Tue, 2005-05-24 at 12:25 -0400, DJ Gregor wrote:
>>> In terms of ACL compilers, has anyone looked at Firewall
>>> Builder? It looks to have a general XML format that defines the
>>> policy (although at a low-level, in terms of ports and devices),
>>> along with translators from the XML format into implementation-specific
>>> configuration statements.
>>> I've also seen the same thing done in a commercial product where
>>> not only the firewall configuration, but the entire device
>>> configuration was specified in an XML language that was
>>> translated to operating system-specific configurations (for
>>> multiple OSes, even). The XML configurations were per-device,
>>> not per-network, however.
>>> - djg
>> I would like it a lot more if it generated a redhat-style iptables
>> file :-)
>> It is a most popular tool used by lots of people I know.
> BitPusher, LLC
> (415) 724.7998 - Mobile
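The activation-time mechanism described in the reply above (read an interface's address when the policy is loaded, derive anti-spoofing rules from it, and set kernel parameters first) as an added illustration. This is not Firewall Builder's generated code and not the author's; the interface names eth0/eth1, the `ip -4 -o addr show` sample, the chain name `antispoof_<iface>` and the particular sysctls are assumptions made for the example. Every function prints the iptables/sysctl commands instead of running them, so the result can be reviewed offline and later applied as root with `sh script.sh | sh`.

```shell
#!/bin/sh
# Added example, not Firewall Builder output: emulate a generated activation
# script that reads the outside interface's address at load time. All
# functions print commands rather than execute them.

# Print "addr/prefix" of interface $1. Reads `ip -4 -o addr show` output from
# stdin so the same function works on a live box and on a captured sample.
iface_cidr() {
    awk -v dev="$1" '$2 == dev && $3 == "inet" { print $4; exit }'
}

# Reduce addr/prefix to its network, e.g. 203.0.113.77/24 -> 203.0.113.0/24.
# awk arithmetic is on doubles, which is exact for 32-bit values.
cidr_network() {
    printf '%s\n' "$1" | awk -F'[./]' '{
        plen  = $5
        addr  = (($1 * 256 + $2) * 256 + $3) * 256 + $4
        block = 2 ^ (32 - plen)
        net   = addr - (addr % block)
        printf "%d.%d.%d.%d/%d\n", int(net / 16777216) % 256, int(net / 65536) % 256,
                                   int(net / 256) % 256, net % 256, plen
    }'
}

# Anti-spoofing rules for outside interface $1 whose address/prefix $2 was
# read at activation time. Remaining arguments are internal networks that
# must never appear as a source address on the outside interface.
# Chain name and rule set are this example's choice, not a product format.
antispoof_rules() {
    iface=$1; own=${2%/*}; shift 2
    chain="antispoof_$iface"
    echo "iptables -N $chain"
    echo "iptables -A $chain -s $own -j DROP"          # our own (dynamic) address
    echo "iptables -A $chain -s 127.0.0.0/8 -j DROP"   # loopback range from outside
    for net in "$@"; do
        echo "iptables -A $chain -s $net -j DROP"      # internal nets from outside
    done
    echo "iptables -A INPUT   -i $iface -j $chain"
    echo "iptables -A FORWARD -i $iface -j $chain"
}

# Kernel parameters set before the rules are loaded (assumed set of sysctls).
kernel_params() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "sysctl -w net.ipv4.conf.all.rp_filter=1"
    echo "sysctl -w net.ipv4.conf.all.accept_source_route=0"
}

# Whole activation step: $1 = outside interface, remaining args = internal
# networks; `ip -4 -o addr show` output on stdin. Fails if the interface has
# no IPv4 address yet (e.g. DHCP lease not obtained), rather than emitting
# rules with an empty source address.
generate_policy() {
    iface=$1; shift
    cidr=$(iface_cidr "$iface")
    [ -n "$cidr" ] || { echo "no IPv4 address on $iface" >&2; return 1; }
    kernel_params
    antispoof_rules "$iface" "$cidr" "$@"
}

# Constructed sample of `ip -4 -o addr show` (stand-in for a live system
# whose outside address on eth0 is assigned dynamically).
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.77/24 brd 203.0.113.255 scope global dynamic eth0\       valid_lft 86057sec preferred_lft 86057sec
3: eth1    inet 192.168.10.1/24 brd 192.168.10.255 scope global eth1\       valid_lft forever preferred_lft forever'

# Internal network derived from eth1's address; outside rules from eth0's.
internal_net=$(cidr_network "$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | iface_cidr eth1)")
printf '%s\n' "$SAMPLE_IP_OUTPUT" | generate_policy eth0 "$internal_net"
```

On a live firewall the sample variable would be replaced by `ip -4 -o addr show` piped into `generate_policy`, which is what makes one script usable on several boxes with different addresses: nothing address-specific is baked into the rules.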