Getting Started with Firewall Builder

Posted by vkfwb on Mon 30 Mar 2009 at 19:35

Configuring a firewall policy using iptables can be difficult. If you do it by hand, you need to learn a complicated command line syntax and understand packet flow inside Linux kernel very well. GUI applications such as Firestarter can help build simple configuration but quickly run out of steam when security policy becomes complex. This article introduces "Firewall Builder", a GUI firewall configuration and management tool designed to help solve this problem.

Firewall Builder (also known as fwbuilder) is a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists. Both professional network administrators and hobbyists managing firewalls with policies more complex that is allowed by simple web based UI can simplify management tasks with the application. The program runs on Linux, FreeBSD, OpenBSD, Windows and Mac OS X and can manage both local and remote firewalls.

Firewall Builder is available from the libfwbuilder and fwbuilder packages in both Debian and Ubuntu (in Universe). Packages for the current development builds are available from the project download area on SourceForge

To start the program, find it in the "System/Administration" menu.

If it is not there, then it probably needs to be installed on your system. You need to install the fwbuilder and libfwbuilder packages.

Use apt-get or aptitude to find and install them:

    # aptitude install libfwbuilder fwbuilder
  

On FreeBSD and OpenBSD Firewall Builder is part of ports, you can find it in /usr/ports/security/fwbuilder.

Packages shipping with Debian and Ubuntu are always one or two minor revisions behind. If you want to try the latest version, you can use pre-built binary .deb packages offered on the project's web site or build from source using our online installation instructions. Pre-built binary packages and source code archives can be downloaded from from this page.

If the system menu item is not there or you have built the program from source, you can always launch it from the command line by just typing "fwbuilder" on the shell prompt:

    $ fwbuilder
  

The program starts and opens the main window and greeting dialog. The dialog provides links to the project web site where you can find tutorials, FAQ, the Firewall Builder CookBoook and other documentation, as well as bug tracking system and links to user forums and mailing list. Clicking on the link in the dialog opens the corresponding web page in your web browser. This works the same on all supported OS: Linux, Windows and Mac OS X. You can always open this dialog later using an item in the main menu "Help".

Lets create our first firewall object. To do this, we'll use object creation menu that appears when you click on the icon in the small toolbar right above the object tree. Choose menu item "New Firewall" from the menu that appears.

The program presents wizard-like dialog that will guide you through the process of creation of the new firewall object. In the first page of the wizard you can enter the name for the new firewall object (here it is "guardian"), its platform ("iptables") and host OS ("Linux").

There are two ways a new firewall can be created: you can use one of the preconfigured template firewall objects or create it from scratch. This tutorial demonstrates the first method (using a template object). To do this, check checkbox "Use preconfigured template firewall objects". Template can be taken from the library of template objects that comes with the Firewall Builder package or from a file provided by the user. The latter is useful when administrator wants to distribute a library of predefined templates to other users in the enterprise. We are using one of the standard templates in this guide and therefore leave standard template library path and name in the "Template file:" input field. Click "Next" to move on to the next page of the wizard.

Note that the template firewall object comes completely configured, including addresses and netmasks of its interfaces and some basic policy and NAT rules. This configuration is intended as a starting point only. You should reconfigure the addresses of interfaces to match those used on your network and most likely will have to adjust rules to match your security policy.

This page of the wizard shows template objects and their configuration. Standard template objects represent firewalls with two or three interfaces, a host with one interface, web server or Cisco router. Choose firewall with three interfaces for this guide. Note that template comes with completely configured firewall object, including set of interfaces and their ip addresses and some basic firewall policy. You will see how addresses can be changed later on in this guide. Click "Finish" to create a new firewall object using chosen template.

Here is our new firewall object. Its name is "guardian", it appears in the object tree in the left hand side of the main window in the folder Firewalls. When an object is selected in the tree, a brief summary of its properties appears in the panel under the tree. Double-clicking on the object in the tree opens it in the editor panel at the bottom of the right hand side panel of the main window. The editor for the firewall object allows the user to change its name, platform and host OS and also provides buttons that open dialogs for "advanced" settings for the firewall platform and host OS. We will inspect these little later in this tutorial.

You can always resize the main window to make all columns of the policy view be visible.

Now would be a good time to save the data to a disk file. This is done in a usual way using the main menu "File |Save As".

Lets take a little tour of the network and service objects that come as standard with the program. You can use these preconfigured objects to build policy and NAT rules for your firewall.

Objects in the tree are orginized in libraries, you can switch between libraries usinf drop-down menu above the tree. Firewall Builder comes with a collection of address, network, service and time interval objects in the library called "Standard". Lets take a look at them. Notice that the background color of the panel that shows objects tree depends on the chosen object library. This makes it easier to keep track of the library currently opened in the program.

The folder Objects/Hosts contains few host objects used in standard firewall templates. The folder Objects/Network contains network objects that represent various standard address ranges and blocks, such as multicast, net 127/8, networks defined in RFC1918 and so on.

Firewall Builder also comes with extensive collection of TCP, UDP and ICMP service objects that describe commonly used protocols. This slide shows some TCP objects (all of them do not fit in the screenshot).

Here is an example of a simple TCP service. It defines source and destination port ranges (in this case source port range is not defined and there is only one destination port 80). TCP service object can also define any combination of tcp flags the firewall should inspect and also which ones of them should be set in order for a packet to match this object. In the case of the service "http" we do not need to define any flags.

Now lets take a look at the objects created as part of the new firewall object "guardian". In order to do this, switch to the library User where this object was created. To open an object in the editor panel to inspect or change it, double click on it in the tree. Also, if you click on an object in the policy rule to select it, it will automatically open in the tree on the left.

First, the firewall object itself.

Every object in fwbuilder has basic attributes such as its name and comment. Other attributes depend on the object type.

Attributes of the firewall object include platform (which may be iptables, pf, ipfilter, & etc.), version (platform-depended) and host OS. The buttons "Host OS Settings" and "Firewall Settings" open dialogs with many additional attributes that depend on the firewall platform and host OS. More on these later.

Here are the choices for the firewall platform, version (for iptables) and host OS.

Interfaces of the firewall are represented by objects located below the Firewall object in the tree. We refer to them as "children" of the firewall object. This slide demonstrates properties of the interface eth0. To open it in the editor double click on it in the tree. If editor panel is already open and shows some object, it is sufficient to select new object in the tree to reveal it in the editor panel (no need to double click).

The IP and MAC addresses of interfaces are represented by child objects in the tree located below corresponding interface.

The interface object has several attributes that define its function, such as "Management interface", "external" etc.

  • Name: the name of the interface object in Firewall Builder must match exactly the name of the interface of the firewall machine it represents. This will be something like "eth0", "eth1", "en0", "br0" and so on.
  • Label: On most OS this is not used and serves the purpose of a descriptive label. Firewall Builder GUI uses a label, if it is not blank, to show interfaces in the tree. One of the suggested uses for this is to mark interfaces to reflect the network topology or the purpose. The label is mandatory for Cisco PIX though, where it must reflect the network topology.
  • "Management interface": Sometimes the host has several network interfaces in which case one of them can be marked as the management interface. The management interface is used for all communication between Firewall Builder and the host.
  • "External interface (insecure)": marks an interface that connects to the Internet.
  • "Unprotected interface": marks interface to which fwbuilder should not assign any access lists (used only with Cisco IOS platform)
  • "Regular Interface": Use this option if the interface has an IP address assigned to it manually.
  • "Address is assigned dynamically": Use this option if the interface has a dynamic address (obtained by means of DHCP or PPP or another protocol); in this case an address is unknown at the moment when Firewall Builder generates the firewall policy.
  • "Unnumbered interface": Use this option if the interface can never have an IP address, such as the ethernet interface used to run PPPoE communication on some ADSL connections, tunnel endpoint interface, or an interface on a bridging firewall. See below Section 5.3.1 for more detailed discussion of these different types of interfaces.
  • "Bridge port": this option is used for port of bridged firewall.
  • "Security level": security level of this interface, used only with Cisco PIX (ASA)
  • "Network zone": network zone of this interface, used only with Cisco PIX (ASA). Network zone drop-down list shows all network obejcts and groups of addresses and networks present in the tree. Choose one of them to tell the compiler which networks and blocks of addresses can be reached through this interface. Compiler uses this information to decide which interface each ACL rule should be associated with based on the addresses used in the destination of the rule.

Here is IP address of interface eth0, external interface of the firewall. The address and netmask are attributes of the child object of the type "IPv4 address". Here the address is "192.0.2.1" and netmask "255.255.255.0". Button "DNS Lookup" can be used to determine ip address using DNS. The program runs DNS query for the "A" record for the name of the parent firewall object.

Lets look at the IP address of the internal interface of the firewall. The address used in the template is "192.168.1.1" with netmask "255.255.255.0". This is rather typical address used for small and home networks. Some commercial firewall appliances come preconfigured with this address.

If address 192.168.1.0/24 matches address of your local network, you can skip this part of the guide and move to the page 4. Otherwise, you need to reconfigure the address of the internal interface of the firewall object that you just created in fwbuilder and also change address object used in the policy rules. Start with changing address attribute (and possibly netmask, if necessary) of the object guardian:eth1:ip as shown in the screenshot:

Now we need to change IP address used in the rules. To do this, we create new Network object with correct address and replace object net-192.168.1.0 in all rules with this new network object.

Use new object menu to create Network object.

New Network object is created with the default name "New Network" and the IP address 0.0.0.0.

Edit the object name and address, then hit "Apply".

Use the menu "Object | Find" to activate the search and replace dialog. The Find and Replace dialog opens at the bottom of the right hand side panel in the main window, below the policy rules view.

Locate object object net-192.168.1.0 in any policy rule where it is used or in its location in the tree in library Standard and drag and drop it to the left object well in the search and replace dialog as shown on the screenshot:

Change the scope setting to "Policy of all firewalls". If you have many firewalls in the tree, use scope "policy of the opened firewall" instead. Locate the new Network object you have just created in the tree and drag and drop it to the right object well in the search and replace dialog as shown on the screenshot:

Now hit "Replace all" button. A pop-up dialog should appear and report how many replacemens the program had to make in all rules of the firewall. Note that the replacement is done not only in the policy rules, but in NAT rules as well.

Now that you have created a new object and replaced old network object with new one in all rules, do not forget to save data to a file using menu "File | Save".

Lets inspect the properties of the firewall object. Double click on the firewall "guardian" in the tree to open it in the editor panel, then click "Firewall Settings" button in the editor. This opens new dialog that looks like this. Notice the "Help" button in this dialog, clicking this button opens help as shown on the next slide.

The online help explains all attributes and paramaters located in each tab of the firewall settings dialog. I encourage you to explore it as many parameters are important and affect the generated iptables script in different ways.

The next few screenshots show other tabs of the firewall settings dialog. You can find detailed explanations of all parameters in the online help.

This page defines various parameters for the built-in policy installer. Installer uses ssh client (pscp.exe and plink.exe on Windows) to transfer the generated script to the firewall machine and activate it there.

User can define shell commands that will be included in the generated script at the beginning and in the end of it. These commands can do anything you want, such as configure some subsystems, set up routing etc.

Parameters for logging.

More options for the script generation. Notice that fwbuilder can produce iptables script in two formats: 1) as a shell script that calls iptables utility to add each rule one by one, or 2) it can use iptables-restore script to activate the whole policy at once. Other parameters are explained in the online help.

Starting with v3.0 Firewall Builder can generate both IPv4 and IPv6 policy. This tab controls the order in which they are added to the script if user defined rules for both address families in the Policy objects of the firewall.

Lets take a look at the policy of the template firewall. These rules are intended to be an example, a starting point to help you create your own policy quicker. Most likely you will want to modify them to suit your requirements. Explanation of the rules given here is rather brief because the goal of this guide was only to demonstrate how to use the Firewall Builder.

  • Rule 0: this is an anti-spoofing rule. It block incoming packets with source address that matches addresses of the firewall or internal or DMZ networks. The rule is associated with outside interface and has direction set to "Inbound".
  • Rule 1: this rule permits any packets on loopback interface. This is necessary because many services on the firewall machine communicate back to the same machine via loopback.
  • Rule 2: permit ssh access from internal network to the firewall machine. Notice service object "ssh" in the column "Service". This object can be found in the Standard objects library, folder Services/TCP.

Policy rules belong to the object "Policy", which is a child object of the firewall and can be found in the tree right below it. As any other object in Firewall Builder, Policy object has some attributes that you can edit if you double click on it in the tree.

  • Policy can be either IPv4, or IPv4 or combined IPv4 and IPv6. In the latter case you can use a mix of IPv4 and IPv6 addess objects in the same policy (in different rules) and Firewall Builder will automatically figure out which one is which and will sort them out.
  • Policy can translate to only mangle table, or a combination of filter and mangle tables. Again, in the latter case policy compiler decides which table to use based on the rule action and service object. Some actions, such as "Tag" (translates into iptables target MARK) go into mangle table.
  • "Top ruleset" means that compiler will place generated iptables rules into built-in chains INPUT/OUTPUT/FORWARD. If policy is not marked as "top ruleset", generated rules will go into user-defined chain with the name the same as the name of the policy object.

Here are preconfigured NAT rules.

  • Rule 0: tells the firewall that no address translation should be done for packets coming from network 192.168.2.0 going to 192.168.1.0 (because Translated Source, Translated Destination and Translated Service are left empty)
  • Rule 1: packets coming to the firewall from internal and DMZ networks should be translated so that source address will change and become that of the outside interface of the firewall.
  • Rule 2: packets coming from the Internet to the interface "outside" will be translated and forwarded to the internal server on DMZ represented by the host object "server on dmz".

Now we should be ready to compile the policy of the firewall "guardian" and generate an iptables script. To do this, select firewall in the tree and click right mouse button. Choose "Compile" in the pop-up menu. The dialog that appears lists all firewall objects defined in the objects tree and lets you select which ones should be compiled. The firewall "guardian" has just been created and has never been compiled and dialog shows that. Make sure checkbox next to the firewall object "guardian" is checked and click the Next button.

Firewall Builder calls policy compiler (which is an external program which can be used on the command line). The next page of the dialog shows compiler progress and result.

The compiler generates an iptables script in the file with the name the same as the name of the firewall object, with extension ".fw". The file is placed in the same directory where the data file .fwb is located.

 $ ls -la test2.fwb guardian.fw
-rwxr-xr-x 1 vadim vadim 11253 2009-02-16 16:41 guardian.fw
-rw-r--r-- 1 vadim vadim 24696 2009-02-16 16:41 test2.fwb
  

Here is how generated script looks liie. This is just a fragment from the middle to show some generated iptables commands.

# ================ IPv4


# ================ Table 'filter', automatic rules
$IPTABLES -P OUTPUT  DROP
$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP

cat /proc/net/ip_tables_names | while read table; do
  $IPTABLES -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        $IPTABLES -t $table -F $chain
      fi
  done
  $IPTABLES -t $table -X
done


$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# ================ Table 'nat',  rule set NAT
# NAT compiler errors and warnings:
#
#
# Rule 0 (NAT)
#
echo "Rule 0 (NAT)"
#
# no need to translate
# between DMZ and
# internal net
$IPTABLES -t nat -A POSTROUTING   -s 192.168.2.0/24 -d 172.16.22.0/24 -j ACCEPT
$IPTABLES -t nat -A PREROUTING   -s 192.168.2.0/24 -d 172.16.22.0/24 -j ACCEPT
#
  

Now you can transfer it to the firewall and execute it there to install the iptables rules. However it is much more convenient to use the built-in policy installer to do this. To use installer, click right mouse button on the firewall object in the tree and use menu item "Install". Firewall Builder will compile the policy if necessary and then open a dialog where you can configure parameters of the installer. Here you need to enter the password to authenticate to the firewall. Once you click OK, the installer will connect to the firewall using ssh client. First, it will copy generated script to the directory /etc on the firewall (or different one, if configured in the Installer tab of firewall settings dialog), then it will run this script and check for errors. Its progress will be visible in the panel of the installer wizard, just like the progress of policy compiler.

This guide walked you step by step through the process of creating of a firewall object, making some minor changes in its parameters and policy rules, compiling the policy and activating it on the firewall machine. This guide did not touch advanced topics such as built-in revision control system, working with multiple data files, working with multiple firewall objects, IPv6. You can find documentation and guides on these topics and more on our project web site at http://www.fwbuilder.org.

 

 


Posted by madduck (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Mon 30 Mar 2009 at 19:54
[ Send Message ]

iptables syntax is not complicated and neither is netfilter packet flow. If you don't understand both of them, you should not be designing packet filter rulesets. Tools like fwbuilder can be helpful for those charged to create very complex rulesets who know exactly what they would otherwise do repetetively by hand, but they are definitely not a suitable replacement for learning iptables.

We usually leave it to other platforms to hide details behind pretty GUIs such that no knowledge is required to use them. The end result in those cases is usually not predictable, but then you also don't really have a way to verify it — nor the knowledge to do so.

I would suggest never to use an abstraction tool without understanding the basis first. This is Debian, after all…

[ Parent | Reply to this comment ]

Posted by Anonymous (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Mon 30 Mar 2009 at 20:56
ᚠᛇᚻ᛫ᛒᛦᚦ᛫ᚠᚱᚩᚠᚢᚱ᛫ᚠᛁᚱᚪ᛫ᚷᛖᚻᚹᛦᛚᚳᚢᛗ ᛋᚳᛖᚪᛚ᛫ᚦᛖᚪᚻ᛫ᛗᚪᚾᚾᚪ᛫ᚷᛖᚻᚹᛦᛚᚳ᛫ᛗᛁᚳᛚᚢᚾ᛫ᚻᛦᛏ᛫ᛞᚫᛚᚪᚾ ᚷᛁᚠ᛫ᚻᛖ᛫ᚹᛁᛚᛖ᛫ᚠᚩᚱ᛫ᛞᚱᛁᚻᛏᚾᛖ᛫ᛞᚩᛗᛖᛋ᛫ᚻᛚᛇᛏᚪᚾ᛬

[ Parent | Reply to this comment ]

Posted by Steve (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Mon 30 Mar 2009 at 20:57
[ Send Message | View Steve's Scratchpad | View Weblogs ]

ᚠᛇᚻ᛫ᛒᛦᚦ᛫ᚠᚱᚩᚠᚢᚱ᛫ᚠᛁᚱᚪ᛫ᚷᛖᚻᚹᛦᛚᚳᚢᛗ

Steve

[ Parent | Reply to this comment ]

Posted by Steve (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Mon 30 Mar 2009 at 21:13
[ Send Message | View Steve's Scratchpad | View Weblogs ]

Sorry for the off-topic comments but UTF-8 should now work from Start to Finish:

    Sîne klâwen durh die wolken sint geslagen,
    er stîget ûf mit grôzer kraft,
    ich sih in grâwen tägelîch als er wil tagen,
    den tac, der im geselleschaft
    erwenden wil, dem werden man,
    den ich mit sorgen în verliez.
    ich bringe in hinnen, ob ich kan.
    sîn vil manegiu tugent michz leisten hiez.

Steve

[ Parent | Reply to this comment ]

Posted by Utumno (60.248.xx.xx) on Tue 31 Mar 2009 at 09:03
[ Send Message | View Utumno's Scratchpad | View Weblogs ]
Well, trying to paste some Chinese characters results in:

Software error:

Wide character in subroutine entry at Pages.pl line 1344.

For help, please send mail to the webmaster (webmaster@debian-administration.org), giving this error message and the time and date of the error.


Kinda proves my point: http://www.debian-administration.org/users/Utumno/weblog/46

[ Parent | Reply to this comment ]

Posted by Steve (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Tue 31 Mar 2009 at 09:52
[ Send Message | View Steve's Scratchpad | View Weblogs ]

Grr. I've fixed that particular error...

Steve

[ Parent | Reply to this comment ]

Posted by Utumno (60.248.xx.xx) on Tue 31 Mar 2009 at 10:23
[ Send Message | View Utumno's Scratchpad | View Weblogs ]
供應商都依自身觀點來預測景氣,而不是研究市場情報,煞車太急,根本來不及因應急單,」去年底,宏碁董

[ Parent | Reply to this comment ]

Posted by Utumno (60.248.xx.xx) on Tue 31 Mar 2009 at 10:25
[ Send Message | View Utumno's Scratchpad | View Weblogs ]
С утверждением о необходимости экономических реформ согласились 70% опрошенных, проживающих в 29 странах мира. Опрос по заказу Би-би-си был проведен в преддверии начинающегося в Лондоне саммита "большой двадцатки".

[ Parent | Reply to this comment ]

Posted by Utumno (60.248.xx.xx) on Tue 31 Mar 2009 at 10:26
[ Send Message | View Utumno's Scratchpad | View Weblogs ]
最新曲「MATERIAL WORLD」で、“金髪のショートカット”という斬新なヴィジュアルを披露したシンガー、Sowelu。なぜ? と思ったファンも多いはず……そんなギモンを独占取材&ファッションシューティングで一発解決!

[ Parent | Reply to this comment ]

Posted by Utumno (60.248.xx.xx) on Tue 31 Mar 2009 at 10:28
[ Send Message | View Utumno's Scratchpad | View Weblogs ]
أخماس مساحتها، ويحد المملكة العربية السعودية من الشمال كل من العراق والأردن و الكويت، و من الشرق الإمارات وقطر والبحرين و الخليج العربي، و الجنوب كل من سلطنة عُمان واليمن.ومن الغرب البحر الأحمر ..

تميزت شبه الجزيرة العربية بموقعها الأستراتيجي بين ثلاث قارات كبرى وتقع في النصف الشمالي للكرة الأرضية موطنا للعديد من الحضارات، ومهداً للرسالات السماوية. فقد ازدهرت فيها داخل حدود المملكة حضارة مدين، بالإضافة إلى حضارة ثمود في العلا والتي لاتزال آثارها موجودة حتى اليوم في المنطقة ا

[ Parent | Reply to this comment ]

Posted by Utumno (60.248.xx.xx) on Tue 31 Mar 2009 at 10:30
[ Send Message | View Utumno's Scratchpad | View Weblogs ]
הכנס הזה היא דיון על איך לבנות מחדש אמון בשווקים הכלכליים ו"לייצב מחדש" את הכלכלה העולמית שנתונה במשבר כלכלי. הפגישה מורכבת משרי כלכלה מהבנק האירופאי המרכזי, מקרן המטבע הבינלאומית, מהאיחוד האירופי, והבנק העולמי.

[ Parent | Reply to this comment ]

Posted by Utumno (60.248.xx.xx) on Tue 31 Mar 2009 at 10:32
[ Send Message | View Utumno's Scratchpad | View Weblogs ]
สัมภาษณ์ถึงการประชุมคณะรัฐมนตรี (ครม.) วันนี้ ว่า ตนมีหน้าที่ประเมินสถานการณ์เป็นระยะ ๆ เนื่องจากเช้าวันนี้มีกำหนดการเข้าเฝ้าฯ ถวายพระพรสมเด็จพระเทพรัตนราชสุดาฯ สยามบรมราชกุมารี และเห็นว่าสถานการณ์ยังไม่เอื้ออำนวยที่จะจัดประชุม ครม. ในวันนี้ ขณะเดียวกันนายกรัฐมนตรีจะเดินทางไปประชุม G 20 ในต่างประเทศ จึงตัดสิน

[ Parent | Reply to this comment ]

Posted by Steve (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Tue 31 Mar 2009 at 11:52
[ Send Message | View Steve's Scratchpad | View Weblogs ]

I guess we call this success...

Steve

[ Parent | Reply to this comment ]

Posted by daemon (146.231.xx.xx) on Tue 31 Mar 2009 at 17:38
[ Send Message | View Weblogs ]

Shouldn't some of those be right to left?

(ducks and runs for cover...)

[ Parent | Reply to this comment ]

Posted by chris (213.187.xx.xx) on Tue 31 Mar 2009 at 18:02
[ Send Message | View Weblogs ]
Hmm - I get the left to right here but I got them right to left in google reader via RSS (well - one of them I think it was)

[ Parent | Reply to this comment ]

Posted by Anonymous (59.57.xx.xx) on Wed 1 Apr 2009 at 09:50

肥姨所思 缠绵匪侧 棒推棒就 百蜇不饶 鲍露无遗 杯翻梨合 步步为淫 峰满逼露 茶盐观色 尝屎精吞 操姊过急 瞅出满痔 高僧莫测 黄不胜黄 捕蜂捉蝇 港币自用 得龙望鼠 高三流水 搓搓有鱼 虫见天日 公德五两

[ Parent | Reply to this comment ]

Posted by yarikoptic (69.125.xx.xx) on Thu 2 Apr 2009 at 03:05
[ Send Message ]
just my few cents since I disagree with Martin

> I would suggest never to use an abstraction tool without understanding the
> basis first.
Following your logic noone should use GUI under linux without understanding of X... or create personal websites without understanding of HTML etc.

Such abstraction tools are good and useful for regular users and it is great to have them available in Debian, which is no longer for 'servers only' ;) And it is better to craft a firewall with such tool for personal protection in contrast to having none. Sure, sometimes the false sense of security might hurt, but well -- everyone can burn himself and learn something new ;

[ Parent | Reply to this comment ]

Posted by ajt (195.112.xx.xx) on Sat 4 Apr 2009 at 13:53
[ Send Message | View Weblogs ]

I must disagree with you and side with Martin on this one. You should have some understanding of what is going on when you use some "magic" tool. You don't need to know all the details but it does help to have a conceptual idea.

In some cases the underlying technology is easy to use and I believe that the tool offers no real benefit and only produces rubbish, e.g. FrontPage gives you dreadful websites. Sometimes the tool makes something hard easy, and there is a danger that if it's something important like your firewall security then you could be in danger of doing something very stupid that you would not have otherwise done.

For example the GUI makes using a computer very easy. I strongly believe anyone can use a computer if it's properly set up for them. They only need to know a few concepts and the programmer/administrator takes care of the rest. A company based in the Pacific north west has convinced everyone that you can administer a system using the same GUI without learning any of the underlying technology. In my experience most Windows systems are dangerous not because the code is rubbish (which it is) but because they are so awfully set-up and maintained.

I think the point is that sometimes it's worth taking time to learn some things, and I think in this case a firewall is worth learning about before you playing with a GUI.

I don't think it's an elitist or snobby position to take but some of the problems that Windows users have is their laziness and they should be encouraged to put a little effort in if they want to make progress with anything - Linux included.

--
"It's Not Magic, It's Work"
Adam

[ Parent | Reply to this comment ]

Posted by AJxn (130.243.xx.xx) on Tue 7 Apr 2009 at 19:51
[ Send Message | View Weblogs ]
I do not agree on this. It depends on what to do. To use the computer as a user, you should have basic knowled about how to operate the user interface. If you know a bit about the underlaying OS, you will know the limits of what you can do and not do, and understand why.

More so when you administrate a computer. This tool is not to protect your one computer (ufw is better for that task), it is to protect your network. And you have mutch more at stake here. So to know, at least in principle, how it works make you a much better administrator, and will know what you can do and can not. It also helps you (with a bit less luck :D) to avoid the big mistakes.

So to be good in your trade, you need knowled. No fancy GUI or CLI will ever change that. But it will make you a happier user/administrator if you use those tools and know what is generated, and don't need to make stupid spelling misstakes.

[ Parent | Reply to this comment ]

Posted by lters (12.162.xx.xx) on Mon 30 Mar 2009 at 20:09
[ Send Message | View lters's Scratchpad | View Weblogs ]
Thanks for doing a clear howto.

While I use iptables extensively and appreciate the syntax and flexibility, sometimes tools like this help to just get the visual picture in your mind.

respectfully, lters

[ Parent | Reply to this comment ]

Posted by Anonymous (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Thu 2 Apr 2009 at 09:01
Question: Why is this blog called ,,Debian Administration" when i have to see Ubuntu stuff on the first screenshot? I want my money back :).

The article is good, i prefer to use iptables like a pro, but i'll take a look into this application.

[ Parent | Reply to this comment ]

Sign In

Username:

Password:

[Register|Advanced]

 

Flattr

 

Current Poll

Which init system are you using in Debian?






( 1017 votes ~ 6 comments )