From: Christian V. <vi...@op...> - 2008-12-01 13:23:16

Ok, just putting a few answers together.

Karsten Bräckelmann wrote:
> To put it in other words: Isn't the shorewall configuration sufficient
> to get a picture of allowed traffic?
>
> Since you specifically mentioned "small businesses", how large and
> complicated are your policies and rules?

The rules file has nearly 1000 lines (a third of them are comments or blank lines), we have about twenty zones and interfaces defined (and yes, we really need them). Of course the shorewall configuration is pretty readable, but you have to arrange your rules in one way or the other. And there are rules applying to groups of destinations. So it's nearly impossible to arrange the rules in such a manner that all lines affecting a distinct host or zone are grouped together.

Shorewall Geek wrote:
> The output of 'shorewall dump' tells you everything you ever need
> to know about your Shorewall configuration. Of course, you have to
> understand IP networking, Linux Networking and Netfilter in order to
> interpret the output.

And this is the point. Not all employees are at the same high skill level. So there is the wish to have a little command line tool (perhaps it could even be embedded in an apache service), where you put in a host name or IP address, and you get out a compact listing of allowed connections to/from this host.

I don't think that it's very much work to write such a tool. I just wondered if or how someone else solved this problem. Perhaps there are other ways to enable a compact view of the firewall rules that I haven't thought of.

Thank you for your attention,
Christian
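A minimal sketch of the per-host view the post asks for, added here as an example and not code from the poster or the Shorewall project: it reads the first five columns of a Shorewall-style rules file (ACTION SOURCE DEST PROTO DPORT) and lists every rule whose SOURCE or DEST covers a given IP. The rules text and the zone-to-network map are constructed for the example; macros, SECTION lines, `!` exclusions and shell variables are not handled.

```python
import ipaddress
import sys

# Constructed sample in Shorewall's rules-file column layout; hosts, zones and ports are made up.
SAMPLE_RULES = """\
#ACTION  SOURCE                         DEST                PROTO  DPORT
ACCEPT   net                            loc:192.168.1.10    tcp    80,443
ACCEPT   loc                            net                 tcp    25
DNAT     net                            loc:192.168.1.10    tcp    22
ACCEPT   dmz:10.0.0.5                   loc:192.168.1.0/24  tcp    3306
ACCEPT   loc:192.168.1.20,192.168.1.21  dmz                 tcp    8080
REJECT   loc                            dmz                 all
"""

# Assumed zone-to-network mapping; in a real setup it comes from the interfaces/hosts files.
ZONE_NETS = {"loc": ["192.168.1.0/24"], "dmz": ["10.0.0.0/24"]}


def parse_rules(text):
    """Yield (action, source, dest, proto, dport) tuples, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        fields += ["-"] * (5 - len(fields))  # pad optional columns with Shorewall's '-'
        yield tuple(fields[:5])


def endpoint_matches(spec, ip):
    """True if a SOURCE/DEST entry ('loc', 'loc:1.2.3.4', 'dmz:10.0.0.0/24,...') covers ip."""
    zone, _, hosts = spec.partition(":")
    cidrs = hosts.split(",") if hosts else ZONE_NETS.get(zone, [])  # bare zone = whole zone
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def rules_for_host(text, host):
    """Return rules touching host, tagged 'from' (host is SOURCE) or 'to' (host is DEST)."""
    ip = ipaddress.ip_address(host)
    hits = []
    for action, src, dst, proto, dport in parse_rules(text):
        if endpoint_matches(src, ip):
            hits.append(("from", action, dst, proto, dport))
        if endpoint_matches(dst, ip):
            hits.append(("to", action, src, proto, dport))
    return hits


if __name__ == "__main__":
    for direction, action, peer, proto, dport in rules_for_host(SAMPLE_RULES, sys.argv[1]):
        print(f"{action:7} {direction:4} {peer:20} {proto:4} {dport}")
```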