
BLU Discuss list archive



FireHol



On Wed, Dec 11, 2002 at 12:46:35PM -0800, Hugh Rutledge wrote:
> At the insistence of this group,  we're looking at
> firewalls for our server and FireHol has been
> recommended.  Any experience with and/or opinions
> about it?

Well, it's a firewall configurator, not a firewall. That is, it helps
you set up a firewall based on (in this case) iptables.

That makes it as secure or not as secure as any other iptables firewall.
I happen to think that iptables is pretty well written, but it's still
possible to screw up.

My personal bias says that if you do not know what you are doing, you
should hire or beg the services of someone who does. In this particular
case, FireHOL does not support NAT, prerouting, packet mangling, or QOS.
If you need any of those (and many people want NAT, at least), you need
to be able to hand-configure them.

iptables is not a particularly hard tool to learn, especially if you are
familiar with other packet filter systems. I would recommend reading the
many fine HOWTOs on the net and experimenting on a separate system.

Basic firewall configuration process:
1. establish exactly what ports, interfaces, and IPs need to be accessed
from every other combination of ports, interfaces and IPs, and the state
in which those packets should pass.

2. write those rules in the correct language for your tool. Apply them.

3. test each case from your original configuration (step 1). 

4. figure out your typos or mistakes from 2, edit them, and go back and
do 2 and 3 again until everything works properly.

5. document everything so you can make changes later.

-dsr-

-- 
Network engineer looking for work in Boston area.
Resume at http://tao.merseine.nu/~dsr/
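The five-step process above, turned into a script, as an added example that is not part of the original message and not FireHOL's own output. It assumes a hypothetical single-interface host (eth0) that serves SSH only to an admin network (192.0.2.0/24, a documentation range used as a stand-in) and HTTP/HTTPS to anyone; the step-1 inventory is a constructed sample. The script checks the inventory for lines that would become wrong or unloadable rules (a missing field, a non-numeric port), then emits a default-deny iptables-restore file from it, so that the rules and the inventory they were derived from are one document, which is what step 5 asks for.

```shell
#!/bin/sh
# Added example, not from the original post and not FireHOL output.
# Turns a step-1 inventory (which interface/protocol/port may be reached
# from which source network) into an iptables-restore ruleset with a
# default-deny INPUT chain. Host, addresses and ports are hypothetical.

# Step-1 inventory (constructed sample): iface proto dport source-net.
# 192.0.2.0/24 is a documentation range standing in for the admin network.
INVENTORY='eth0 tcp 22 192.0.2.0/24
eth0 tcp 80 0.0.0.0/0
eth0 tcp 443 0.0.0.0/0'

# Reject inventory lines that would otherwise become a wrong or unloadable
# rule: wrong field count, a protocol other than tcp/udp, a non-numeric or
# out-of-range port. Reads the inventory on stdin; returns 1 if any line is bad.
validate_inventory() {
    status=0
    while read -r iface proto dport src extra; do
        [ -z "$iface" ] && continue          # skip blank lines
        if [ -z "$src" ] || [ -n "$extra" ]; then
            echo "bad field count: $iface $proto $dport $src $extra" >&2
            status=1; continue
        fi
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad proto: $proto" >&2; status=1; continue ;;
        esac
        case "$dport" in
            *[!0-9]*|'') echo "bad port: $dport" >&2; status=1; continue ;;
        esac
        if [ "$dport" -lt 1 ] || [ "$dport" -gt 65535 ]; then
            echo "port out of range: $dport" >&2; status=1
        fi
    done
    return "$status"
}

# Emit an iptables-restore file (filter table only) for the inventory on stdin.
# Policy: drop inbound and forwarded traffic by default, allow loopback and
# replies to connections this host opened, then one ACCEPT per inventory line
# for NEW connections only, and rate-limited logging of whatever falls through
# to the DROP policy (useful in step 3 to see which test case was refused).
gen_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    while read -r iface proto dport src; do
        [ -z "$iface" ] && continue
        printf '%s -i %s -p %s --dport %s -s %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            '-A INPUT' "$iface" "$proto" "$dport" "$src"
    done
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "' \
        'COMMIT'
}

# Usage: sh fw.sh run   (validate the inventory, then write fw.rules).
# Applying the file is left to the operator; see the note after the block.
if [ "${1:-}" = "run" ]; then
    printf '%s\n' "$INVENTORY" | validate_inventory || exit 1
    printf '%s\n' "$INVENTORY" | gen_ruleset > fw.rules
    echo "wrote fw.rules"
fi
```

Steps 2 and 3 from the list then look like this: parse the file without loading it with `iptables-restore --test < fw.rules` (needs root, like any iptables operation), load it with `iptables-restore < fw.rules`, and then test every row of the inventory from both sides, e.g. a TCP connect to port 22 from an address inside 192.0.2.0/24 must succeed and the same connect from outside it must be refused, with the refused attempts showing up in the kernel log under the "fw-drop:" prefix. Do the first load from a console or with a scheduled `iptables-restore` of the previous ruleset a few minutes later, so a typo in the SSH row cannot lock you out of a remote box.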




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.



