[nzlug] Server Consolidation
Michael Adams
linux_mike at paradise.net.nz
Thu Nov 15 21:33:38 NZDT 2007
On Thu, 15 Nov 2007 18:19:44 +1300
Volker Kuhlmann wrote:
> > Great post. My main issue with the gui configuration tools for
> > firewalls has been the lack of abstraction. Most of them require you
> > to know iptables. That's probably one of Windows and Mac OS X's
> > strengths - isolating a lot of the inner workings from the general
> > user. While a bad thing for technical users, it's brilliant if you
> > "just want to get the job done".
>
> If I just wanted the job done, I'd run pfsense or ipcop. They come
> with nice GUIs too. I mean pfsense comes with a nice GUI, ipcop comes
> with a GUI. At least pfsense abstracts very nicely, certainly from
> iptables. I question the wisdom of tacking a "firewall" onto an
> existing box, inside a virtualizer concept or not. Either one wants a
> firewall, or makes do with a packet filter in each desktop/server box.
>
> SuSEfirewall2 offers a high level of abstraction too and can be easily
> configured by anyone who can read a comment and edit a bash variable.
***
> It only works with iptables,
***
I read little comments like this a lot. What else is there in Linux?
IIUC iptables is the human-readable language designed by the kernel team
for netfilter. To not work on iptables your firewall would have to talk
to netfilter directly. That could be a bad thing because it is only
understood by the given program... this equates to vendor lock-in,
proprietary style. With iptables any person or firewall acts on the
iptables themselves. Iptables is stateful. They can be live dumped by a
program or person. Why is iptables a bad thing?
--
Michael
All shall be well, and all shall be well, and all manner of things shall
be well
- Julian of Norwich 1342 - 1416
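As an added illustration of the two properties raised in the message above (stateful filtering, and a ruleset that any program or person can dump and reload), here is a small example written for this page; it is not code from the original post, from SuSEfirewall2, or from any other firewall named in the thread. It generates a minimal stateful ruleset in the text format that iptables-save emits and iptables-restore consumes, so the ruleset can be reviewed or diffed against the live dump before it is loaded. The WAN interface name eth0 and the port list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or any project named in it):
# a minimal stateful iptables ruleset in iptables-save/iptables-restore
# text format. Generation and loading are separate functions so the text
# can be inspected (or compared with `iptables-save` output) first.

# Emit the ruleset text.
#   $1 = WAN interface (assumed "eth0" if omitted)
#   $2 = space-separated TCP ports to accept new connections on (assumed "22")
stateful_ruleset() {
    wan="${1:-eth0}"
    ports="${2:-22}"
    # Default-deny on INPUT and FORWARD; OUTPUT is left open.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    # Loopback is trusted.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # The stateful part: connection tracking admits replies to connections
    # this host opened, plus related traffic such as ICMP errors, without
    # needing a rule per service.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets that belong to no known connection and do not start one.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # New inbound connections: only the listed TCP ports, only from the WAN side.
    for p in $ports; do
        printf '%s\n' "-A INPUT -i $wan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of rules (-A lines) in the generated ruleset; a quick sanity check.
rule_count() {
    stateful_ruleset "$@" | grep -c '^-A'
}

# Load the ruleset (needs root). iptables-restore replaces the whole table
# atomically, so there is no window with a half-loaded ruleset. The live
# state can be dumped back to the same text form with:  iptables-save
apply_ruleset() {
    stateful_ruleset "$@" | iptables-restore
}

# Show the generated text for an assumed host that serves SSH, HTTP and HTTPS.
stateful_ruleset eth0 "22 80 443"
```

Redirect the output of stateful_ruleset to a file and compare it with `iptables-save` after apply_ruleset has run; the two should match line for line apart from the packet and byte counters in the chain headers.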