
Fedora firewall vs SUSE firewall


claes
1st February 2005, 07:54 PM
I am considering whether I should switch my home server from SUSE to Fedora. One thing I like about SUSE is that its firewall works well. SuSEfirewall2, as it is called, is a script that generates rules for iptables, but is very easy to configure compared to writing your own rules. I think the guy that wrote it, Marc Heuse, knows what he is doing.
SuSEfirewall2 is GPL, but I guess it is pretty SUSE specific. What is the best firewall tool that Fedora has to offer? Does it compare with SuSEfirewall?

See also
http://www.unixreview.com/documents/s=8989/ur0408c/

kosmosik
1st February 2005, 08:32 PM
> What is the best firewall tool that Fedora has to offer?

Well, there is none. I used plain iptables scripts for my firewalling/routing and that was OK for me, but I would not say it is the best... You have plenty of choices - e.g. shorewall is a nice set of scripts that will allow you to set up a fairly good FW/gateway/router with only a little reading... or maybe you will want to use Firestarter, which is a GUI tool and allows doing some stuff (and works) - all these are just frontends to the kernel filtering mechanisms, so the firewall itself is Linux, all other things are only frontends...

Also with a FW/gateway its job is to keep things kind of secure and work. The major rule in security is that you won't get security unless you understand what you are doing - so for one person plain iptables may be good since he understands what he is doing, for another the same plain iptables may be useless since he doesn't know how it works - here e.g. some easy solution (but a working one) like Firestarter is probably better, since a properly configured Firestarter running gives more security than poorly configured iptables...

I can recommend a few such solutions (I looked over this SUSE thing and I don't find it very attractive - what makes you think it is so good?):

shorewall - a nice set of scripts, fairly easy to set up and well documented (but you need some background on how networks work, what IP classes/ranges, NICs etc. are), offers some good functionality like port forwarding, masquerading, DNAT/SNAT, QoS filtering, blacklists, DMZ and a few others...

firestarter - a nice GUI application that lets you set up the most common stuff with wizards - it is easy to use and works, you don't need much background to use it.

firewall builder - it is not exactly a firewalling solution itself, it is rather something like an IDE for building FWs - you design your sets of rules, network/machine classes, time frames, service ranges etc., then you connect them in a logical manner - then at the end you can "compile" these logical rules to different firewalling systems (like Linux iptables/iproute, *BSD pf, even some Cisco stuff). So you can have one logical scheme and then transfer it between various systems...

probably tons of others also...
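Editor's note: the posts above describe SuSEfirewall2 and shorewall as scripts that turn a small settings file (interfaces, allowed services, masquerading) into iptables rules. The following is an added illustration of that idea and is not code from SuSEfirewall2, shorewall, Fedora or any poster. It is a tiny generator: it reads constructed settings in the style of such a config file and only prints the iptables commands it would run, so the generated policy can be reviewed before anyone applies it as root. The variable names (FW_DEV_EXT, FW_LAN_NET and so on) and the sample addresses are made up for this example.

```shell
#!/bin/sh
# Added example: a minimal "settings file -> iptables rules" generator.
# It PRINTS the commands instead of executing them, so it is safe to run
# anywhere and the output can be read (or piped to sh on the gateway).

# Constructed settings, in the style of a firewall configuration file.
FW_DEV_EXT="eth0"             # interface facing the Internet (assumed name)
FW_DEV_INT="eth1"             # interface facing the LAN (assumed name)
FW_LAN_NET="192.168.1.0/24"   # constructed private LAN range
FW_SERVICES_EXT_TCP="22 80"   # TCP ports reachable from the outside
FW_MASQUERADE="yes"           # hide the LAN behind the external address

gen_rules() {
    # Start from a clean slate and a default-deny policy: anything the
    # settings do not explicitly allow is dropped by the kernel.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # Loopback, plus stateful return traffic for connections we started.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Services this box exposes on the external interface, one rule each.
    for port in $FW_SERVICES_EXT_TCP; do
        echo "iptables -A INPUT -i $FW_DEV_EXT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done

    # The LAN side may talk to the gateway itself.
    echo "iptables -A INPUT -i $FW_DEV_INT -s $FW_LAN_NET -j ACCEPT"

    # Gateway role: LAN hosts may go out; masquerade them if configured.
    echo "iptables -A FORWARD -i $FW_DEV_INT -o $FW_DEV_EXT -s $FW_LAN_NET -j ACCEPT"
    if [ "$FW_MASQUERADE" = "yes" ]; then
        echo "iptables -t nat -A POSTROUTING -o $FW_DEV_EXT -s $FW_LAN_NET -j MASQUERADE"
    fi

    # Rate-limited logging of what the default policy is about to drop, so
    # a misconfiguration shows up in syslog instead of failing silently.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP: \""
}

# Number of iptables commands produced, handy for a quick sanity check.
rule_count() {
    gen_rules | grep -c '^iptables'
}

gen_rules
```

Running the script prints the full ruleset; on a real gateway it would be reviewed and then fed to `sh` as root. The point of the exercise is the one the thread keeps circling: the frontends differ in how settings are expressed, but what actually filters packets is the same small set of iptables rules, which you can read and verify yourself.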

claes
1st February 2005, 09:16 PM
> what makes you think it is so good?):

A couple of things. First of all, it was easy to set up. Both in YaST, but also the settings file is nicely structured, with settings that make sense and are easy to understand. The documentation supplied goes through scenarios and describes how the configuration can be done. Perhaps other tools do this well too, but compared to working out iptables rules by myself, it was much easier. Anyway, it was easy to configure, that solves the first part. Now, the second: can I trust the software to do a good and secure job? And basically, here it boils down to whether I trust the person behind it, does he know what he is doing? I did some research on Marc Heuse who wrote it. He quotes on his CV (http://www.suse.de/~marc/CV.html): "Internet/network/operating system security expert with 7 years professional experience. 2 years experience of leadership over a security professional team". He used to work for Deutsche Bank "where he held responsibility for network security" (http://lwn.net/2000/0914/security.php3) and also he is founder and member of the SuSE Security Team.

Other packages might be as good as, or better, but at least I feel it is reasonably secure, and I trust it to do better than the average package at freshmeat.

kosmosik
1st February 2005, 09:24 PM
> A couple of things. First of all, it was easy to setup. Both in Yast, but also the settings file is nicely structured, with settings that make sense and is easy to understand. The documentation supplied goes through scenarios and describes how the configuration can be done.

Just like shorewall - minus the GUI. But AFAIK Mandrake has used shorewall as their firewall for a long time, and they also offer a GUI for it (Mandrake Control Center). OK, ease of use is a good argument, but how is it different from, let's say, Firestarter?

> Now, the second: can I trust the software to do a good and secure job? And basically, here it boils down to if I trust the person behind it, does he know what he is doing?

Then if you don't trust Fedora developers to be competent, why do you use it? I don't blindly trust/believe them to be competent - but I trust the open source development model. I find that if something is open source it is reviewed by lots of people... so yes, I can trust suse-fw along with redhat-fw on the same basis. To be honest I never had this thought of yours... you should be running OpenBSD :)

> I did some research on Marc Heuse who wrote it. He quotes on his CV: (http://www.suse.de/~marc/CV.html) "Internet/network/operating system security expert with 7 years professional experience. 2 years experience of leadership over a security professional team". He used to work for Deutsche Bank "where he held responsibility for network security" (http://lwn.net/2000/0914/security.php3) and also he is founder and member of the SuSE Security Team.

This is like marketing for me... trust me, other tools work the same and are not designed by people who don't know what they are doing :)

> Other packages might be as good as, or better, but at least I feel it is reasonably secure, and I trust it to do better than the average package at freshmeat.

Why, because it has a SuSE sticker on it? :) This feeling of yours is quite false. You can trust something when you know how it works. I will not trust a FW system on the basis of reading somebody's CV - I will trust it on the basis that people use the software and during using it, it gets better/reviewed...

This argument just killed me :) I cannot agree with that totally. I don't even know where to start... it is like FUD to me...

claes
1st February 2005, 09:56 PM
I don't want to start a flamewar. You asked me why I thought it was good, and I told you. Did you read the first link I wrote? http://www.unixreview.com/documents/s=8989/ur0408c/
This is an independent review. Some quotes from it:
"There are numerous programs to help you set up a firewall. My experience is that either they are good but with limited flexibility (e.g., Bastille) or are just pretty faces on the raw power and complexity of iptables"

"SuSEfirewall2 is available under the GPL and more than sufficient for most SOHO networks. The installation script and the boot-time init scripts are SuSE-specific, but the guts are not."

"I read a fair amount of books and articles on security and firewalls. When I run across specific advice, I generally find that SuSEfirewall2 is already doing it."
I will not further discuss which is the best firewall package. I just pointed out why I believe SUSE bundles a competent package for the task.

imdeemvp
1st February 2005, 10:03 PM
Off topic... you can always install third party software such as Firestarter (http://www.fs-security.com/), which for now is free.

kosmosik
1st February 2005, 10:04 PM
> I don't want to start a flamewar. You asked me why I thought it was good, and I told you.

Yes, but I meant more technical stuff like "A can do this and B cannot", "A has a better GUI but B is more scriptable"... not some empty stuff like "A's developers are skilled" (implying that B's are not, which you can't prove) etc.

> Did you read the first link I wrote? http://www.unixreview.com/documents/s=8989/ur0408c/
> This is an independent review. Some quotes from it:
> "There are numerous programs to help you set up a firewall. My experience is that either they are good but with limited flexibility (e.g., Bastille) or are just pretty faces on the raw power and complexity of iptables"

I read the same article like a year or more ago (look at its date). I am generally a linux-article-eater :) I syndicate like 100+ sites via RSS and browse through them to get something nice to read every day... yes, I've read that. But for me it does not differ much from other FW solutions, and the article itself does not mention some ultra-useful features (like bandwidth throttling and so on). So for me it is in practice just another firewall script like anything else; it does not matter who wrote it - this is open source, here it does not matter who you are, it matters what you code. So for me some teenager with no proven background/nice CV can make better software than some CS doctor...

> "I read a fair amount of books and articles on security and firewalls. When I run across specifc advice, I generally find that SuSEfirewall2 is already doing it. "

Yes, but I don't see any practical reasoning here. It is an argument like "well, I like A because I like it and I recommend A so you should too" - but no merit in it...

> I will not further discuss which is the best firewall package. I just pointed out why I believe SUSE bundles a competent package for the task.

OK... :) But I want to know what this baby can do (I know already - it is not something unique), not who wrote it...
