Re: [Shorewall-users] Need a little assistance.

[Tom E. <te...@sh...>]

Tom Eastep wrote:
> Tom Campion wrote:
>> Tom,
>>
>> Was hoping you could point me in the right direction. I'm an iptables
>> novice and have been trusting my configuration to Shorewall but have
>> run into some pushback from a colleague. I've never taken the time to
>> learn iptables so I dont know the meaning of all the rules or what
>> is really going on. My problem is I have to explain why Shorewall is
>> doing or figure out a way to make the output more basic (be able to
>> leave things out). My colleague has suggested the rule set produced
>> by Shorewall is too "busy and inefficient" (whatever is meant by
>> that).I believe my colleague to be as familiar with iptables as I am
>> and is getting hung up by all the chains. I think he would prefer to
>> see the default 3 (input, forward, and output)and nothing more.
> 
> The Shorewall configuration is designed to scale to 100s of zones with
> many rules in each coordinate of the zones->zone matrix. A newbie
> configuration of INPUT, FORWARD and OUTPUT scales miserably.

Two questions that your colleague should ask when evaluating Shorewall's
ruleset against the '100s of rules in FORWARD' approach are:

a) How many rules, on average, does a packet that is part of an
established connection traverse?

b) How many rules, on average, does a packet representing a connection
request traverse.

When answering those questions, I think the approach taken in Shorewall
becomes clearer.

Now if you have very simple-minded firewall requirements, Shorewall's
approach is probably overkill. But if your requirements are that simple,
maybe Shorewall itself is overkill for your particular application.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________