Message-ID: <42173.207.81.153.6.1088558858.squirrel@207.81.153.6>
From: eric at arcticbears.com (Eric Paynter)
Subject: PIX vs CheckPoint

On Tue, June 29, 2004 4:57 pm, Gary E. Miller said:
> I agree, except for one small problem.  Don't you still have to delete
> ALL the filter rules, and reenter them ALL to change the order of the
> rules?

I don't administer the PIX boxes, so I don't know the details of the
interface. My statements were based on what the admins told me. However,
isn't the beauty of any CLI app that you can do all your administration
through simple scripts?

Personally, I use iptables firewalls. With iptables, my "config" file is
really the script that loads the rules. When I make a change to the rules,
it is to add/alter/remove a line from that script. The script is executed
on boot and after any changes. I would assume the same is standard
practice for PIX.

The other benefit of a scripted config is you can test it on another
machine, and once you're sure you've got it right, you can copy the script
over to the production machine. Reduces errors.

You're not entering rules by hand into a production firewall, are you?
:shock:

-Eric
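
The scripted approach described in the message above, as an added example that is not part of the original post or the poster's own script: the ruleset lives in one script, rule order is line order, and the script lints and test-parses the rules before loading them. The function names, the 192.0.2.0/24 source range and the ports are constructed for illustration.

```shell
#!/bin/sh
# Added example: the firewall "config" is this script. Rule order is the
# line order inside rules(), so reordering means moving a line and re-running.
# Addresses (192.0.2.0/24) and ports are constructed sample values.

rules() {
cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
EOF
}

# Emit a complete iptables-restore document from the ordered rule lines.
build_ruleset() {
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    rules
    printf 'COMMIT\n'
}

# Order lint: a rule placed after an unconditional "-A CHAIN -j DROP/REJECT"
# in the same chain can never match. Prints offenders, returns 1 if any.
check_order() {
    build_ruleset | awk '
        $1 == "-A" && seen[$2] { print "unreachable: " $0; bad = 1 }
        $1 == "-A" && NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") { seen[$2] = 1 }
        END { exit bad }'
}

# Lint, then parse without committing (--test), then load atomically.
apply_ruleset() {
    check_order || return 1
    build_ruleset | iptables-restore --test || return 1
    build_ruleset | iptables-restore
}

# "apply" runs at boot and after every edit (needs root);
# "check" only lints and prints, so it is safe on a test machine.
case "${1:-}" in
    check) check_order && build_ruleset ;;
    apply) apply_ruleset ;;
esac
```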

