Posted by: Administrator
on October 14, 2004 11:15 PM
Shorewall is an excellent example of a Linux firewall configuration utility, but I don't think a serious mention of shorewall would be complete without a look at one "meta-Shorewall" application. While shorewall is a utility to ease the configuration of the Linux firewalling capabilities, it does require editing configuration files and a learning curve. This learning curve can be reduced by using a shorewall configuration utility (a utility to configure a configuration utility???) such as the excellent <A HREF="http://www.webmin.com/standard.html" title="webmin.com">webmin shorewall module</A>, which is a standard module for <A HREF="http://www.webmin.com/" title="webmin.com">webmin</A>. The shorewall webmin module allows the administrator to configure the most useful capabilities of shorewall from a web interface. While it does not support all of the most esoteric features of shorewall, it does allow most standard configurations to be quickly and easily set up.
More advanced features of shorewall can still be set up by hand, and I would recommend keeping an ssh session open to the firewall machine when using the module. The module has a nasty habit of committing whatever changes you specified. It does a decent job of picking out errors, but sometimes something gets by that shorewall will refuse to use. When you hit "restart shorewall" you may inadvertently shut the firewall down, meaning no new traffic gets from, to, or through the box. If you don't have an already open connection with ssh, you may have to log in at the console to fix it. I think this is a minor problem with the module, and every release of the module gets better at preventing you from shooting yourself in the foot. It is still better to use the module and get a little error checking than to hand edit the files and get none.
All in all, you will probably be a lot more productive using the module than you would be hand editing all the config files, unless you spend some really quality time with shorewall. I think most of us want it up quick and never want to deal with it again.
Disclaimer: I have nothing to do with either webmin, Shorewall, or the webmin Shorewall module. I just use them. A lot.