Started looking at the SuSE firewall scripts today. They’re quite nice, actually. So far, they look like they’ll support everything I want to do without any trouble. What’s really nice about it is the resulting script is much more readable than a string of iptables commands (where I’d have to specify the ACCEPT, NAT, and FORWARD for inbound services generally in different places).
What I’d really like to see would be an m4-based version of the script. It’s good enough for sendmail and autoconf, why not iptables? :) That would totally rock, because then I’d be able to see the resulting list of iptables commands. I bet there’s a place somewhere to see them now; but I just haven’t looked.
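As an added illustration of the "different places" point (this is example code, not from the original post and not from the SuSE scripts): a single inbound, port-forwarded service needs a DNAT rule in the nat table's PREROUTING chain plus ACCEPT rules in the filter table's FORWARD chain, so a hand-written iptables ruleset scatters one service across two tables. The interface name, addresses and ports are assumptions for illustration. The function only prints the commands; to see the rules a running firewall actually ended up with, `iptables-save` dumps the whole list.

```shell
#!/bin/sh
# Added example, not part of the original post or of the SuSE firewall scripts.
# Prints the iptables commands one port-forwarded inbound service needs, one
# per table/chain it touches. Interface name "etexternal", the 192.168.1.10
# host and the ports used by the caller are assumptions for illustration.
# Run as root and pipe the output to sh to apply: forward_service ... | sh

# forward_service <proto> <ext-if> <ext-port> <int-host> <int-port>
forward_service() {
    proto=$1; ext_if=$2; ext_port=$3; int_host=$4; int_port=$5

    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    echo "iptables -t nat -A PREROUTING -i $ext_if -p $proto --dport $ext_port -j DNAT --to-destination $int_host:$int_port"

    # 2. filter/FORWARD: let the rewritten packet cross the firewall.
    #    Match on the *translated* destination and port; leaving either out
    #    would let any DNATed traffic to $int_host through, not just this service.
    echo "iptables -A FORWARD -i $ext_if -p $proto -d $int_host --dport $int_port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"

    # 3. filter/FORWARD: replies from the internal host back out, stateful only.
    echo "iptables -A FORWARD -o $ext_if -p $proto -s $int_host --sport $int_port -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Example: expose an internal web server on the external port 80.
forward_service tcp etexternal 80 192.168.1.10 8080
```

The ESTABLISHED,RELATED match on the return path is what keeps rule 3 from becoming an open outbound hole from the internal host; without the state match it would accept anything the host sends from that source port.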
I’m hoping that this firewall configuration will play nice with heartbeat, which I’ll be using to do some high-availability work on the firewall pair. I’ve had to fight a little with SuSE over the interface names (I want to name the network interfaces after their function, not their boot order). udev has been quite friendly, but SuSE seems to have special meanings for various separator characters. I wanted to have “eth-internal”, etc, but it seems to strip “eth-”. And “eth_internal” turns into “eth/internal”. So, I’m just using “etinternal” instead. :P
© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.