Russ Pitman <rjp@belle.apana.org.au> wrote:
> BTW I think 'shorewall' is the best thing since sliced bread.
For me, Shorewall *is* sliced bread.
Many of my clients are small businesses requiring a firewall/gateway and
the power of Linux iptables. They often have someone competent enough
to know the issues and the kind of security policy they want. However,
they generally don't have the technical resources to gain an adequate
understanding of iptables, or to apply all the boring but necessary
defaults and debugging.
Shorewall is at just the right level of abstraction. For those clients
who have a part-time understanding of the traffic passing across their
networks, it allows them to express security policy rules as firewall
rules with very little effort.
For them to do the same in iptables directly would be far too much
effort and prone to mistakes. For them to use a black-box firewall
device would give them very little flexibility.
My clients are happy, because they don't need to keep paying for me to
come in and make trivial rules changes. I'm happy, because they call me
in anyway when they have something more interesting to do (and pay me
for). I get bread (sliced!) on my table.
Thank you so much for Shorewall, Tom! Thanks also to all the people who
help develop and document it.
--
\ "Experience is that marvelous thing that enables you to |
`\ recognize a mistake when you make it again." -- Franklin P. |
_o__) Jones |
bignose@zip.com.au F'print 9CFE12B0 791A4267 887F520C B7AC2E51 BD41714B