[Firehol-support] what comes after firehol?
pgf at foxharp.boston.ma.us
Sun Jun 12 16:03:29 BST 2011
thanks everyone. okay, i'm somewhat reassured that firehol hasn't
become irrelevant, and private mail from phil whineray regarding his
ipv6 mods tells me that there's at least some continued interest in

> Advanced Policy Firewall
> (http://www.rfxn.com/projects/advanced-policy-firewall/) seems to
> be similar to firehol. I've looked at it but haven't tried it out
> since firehol still meets my needs.

thanks -- somehow that hadn't turned up in my searches. no ipv6 support
(promised "soon" about 7 months ago) though.

> fwbuilder is, in my mind, quite different and not nearly as useful, since it
> can't be scripted. It's fundamentally a GUI tool, and I find that the GUI
> actually obscures the high-level view that I want of my firewall. A
> firehol+bash script is clearer and more flexible.

when i first started using fwbuilder, i actually found the gui/drag-n-drop
model to be quite nice. but as time goes on, i think i agree with you.

anyway, i'll stick with firehol for the time being.

as i mentioned, i have changes to firehol which let it build a script
on one machine which will run on another -- in my case the target is
openwrt. (i'd rather not install bash on my embedded router.) i have
those patches in my own git tree, and they're not really ready for
public consumption. i think i should probably start over using phil's
ipv6 tree as a basis before trying to clean them up.

oh -- as for the get-iana.sh thing -- i also have changes (based on
an XML extractor script written in shell) which update get-iana.sh to
use the new IANA file. the output, after run through "aggregate",

RESERVED_IPS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 188.8.131.52/3"

do other people agree? given this, as others have said, i don't think
the get-iana mechanism is really worth maintaining anymore.

paul fox, pgf at foxharp.boston.ma.us (arlington, ma, where it's 48.9 degrees)