Mailing List Archive



Re: [tlug] *Small* NAT/DMZ/LAN h/w suggestions?



On 2007-05-31 (Thu) 09:41, Keith Bawden wrote:
> I'm not sure if I follow you here. You are saying you distrust these
> tools and then you go on to say how great one of these tools is...

I distrust the output of such tools in most cases because I am not satisfied 
with the output.  I have learned, however, that not only do a few good 
firewall generation programs exist, but they can actually be better than 
hand-writing a firewall.  I found that surprising, because I had previously
thought that hand-written firewalls would always be superior.

> I see no issue with generating your firewall rules with a GUI or CLI
> tool. If you are knowledgeable enough in iptables then you can simply
> run iptables -L and inspect the rules that were generated. From there
> you can use these rules as a base to tweak until your heart is
> content, or leave them as is if you are satisfied with them...

I agree 100%.

> In the end I still think that knocking up a box and throwing some hand
> built system on there for a business "may" not be the best way to go.
> Unless of course you are a consultant and are willing to support this
> custom box/system for the business in question. After all their
> business may rely on reliable network connectivity, and may need
> support whilst you are at your normal day job...

I agree 100% here as well.

Sorry for the confusion; I just got on a tangent because Edward said:
>>  I have an innate distrust of GUI and/or web based config tools. Especially
>>  where security is concerned, I would really want to know what they are
>>  doing. And by the time I figured that out, I might as well have done it
>>  myself
My purpose in replying to the email was to express my opinion that there 
actually are reasons to use (good) config tools, even for those of us who 
tend to distrust them.

Regards, Travis

