On Wed, Nov 22, 2006 at 01:43:37PM -0900, Ken Irving wrote:
>
> I'd call it (shorewall anyway) more of a wrapper than a GUI, but yes.
> The actual firewall is the kernel and iptables, but shorewall provides
> a way to configure that.
>
> I seem to recall a thread about this a month or two back, where the
> position was put forth that the KISS principle would argue for directly
> using iptables instead of one of the wrappers, since the poster claimed to
> be able to put up a working firewall in 5 or 6 lines vs 10's or 100's that
> may result from shorewall. From my standpoint, I only need to mess with
> 5 or 6 lines (if that) in shorewall to get a working system, but would
> need to master a bunch of "fine" manuals to fully understand iptables,
> so KISS still has me using shorewall.
>
The beauty of shorewall is that it is able to easily handle both simple and complex setups. Once you learn the configuration files (not that hard), you can handle anything from a single PPP interface to more than a dozen interfaces, each connected to different subnets, with IPSEC tunnels, rate limiting, MAC filtering, and lots of other goodies which would be extremely difficult to accomplish in a by-hand iptables configuration.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
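For readers wondering what the "working firewall in 5 or 6 lines" of raw iptables mentioned in the quoted message actually looks like, here is an added example (not from either poster, and not shorewall's own output) of that minimal default-deny host ruleset. The LAN prefix 192.168.1.0/24 and the admin service on tcp/22 are assumed placeholders. The point the example adds is ordering: the stateful ACCEPT is installed before the INPUT policy flips to DROP, so applying the rules over an SSH session does not cut off that session, and the script checks this before it will apply anything.

```shell
#!/bin/sh
# Added example (not from the thread): the "5 or 6 line" default-deny IPv4
# host firewall expressed as plain iptables calls.
# Assumptions (placeholders): the LAN is 192.168.1.0/24 and the only inbound
# service is SSH on tcp/22; adjust both for the real host.
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the rules, one per line, in an order that is safe to apply over an
# SSH session: the ESTABLISHED,RELATED accept goes in before INPUT becomes DROP.
minimal_firewall_rules() {
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
iptables -P INPUT DROP
EOF
}

# Sanity check on rule order: succeeds (exit 0) only when the ESTABLISHED rule
# appears before the DROP policy. Flipping the policy first on a remote box
# drops the very session you are typing into.
rules_are_lockout_safe() {
    est=$(minimal_firewall_rules | grep -n 'ESTABLISHED' | cut -d: -f1)
    drop=$(minimal_firewall_rules | grep -n -- '-P INPUT DROP' | cut -d: -f1)
    [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

# Default is a dry run that just prints the rules; pass --apply (as root) to
# actually load them, and only after the ordering check passes.
if [ "${1:-}" = "--apply" ]; then
    rules_are_lockout_safe || { echo "refusing: unsafe rule order" >&2; exit 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root to apply" >&2; exit 1; }
    minimal_firewall_rules | sh -e
else
    minimal_firewall_rules
fi
```

Run it with no arguments to review the six commands; the LOG rule is rate limited so a scan cannot flood the kernel log, and everything not explicitly accepted falls to the DROP policy.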