Re: iptables as a replacement for commercial enterprise firewalls
Posted by: Anonymous
on December 17, 2007 02:00 PM
Well, there are some frontends to iptables that can actually make simple setups really simple and more complex setups rather easy.
I've used FireHOL (http://firehol.sourceforge.net) to build not-so-simple firewalls (multiple interfaces + multiple VLANs + different levels of isolation between them + NAT) and I think it is one of those unexplored gems that only Linux has. Its syntax is simple and based on bash (i.e. programmable), and it even allows straight iptables commands if you need to do something out of the ordinary.
It is kind of slow on startup, though, but the generated rules are very nice and secure, so I guess it is worth it.