Message-ID: <42173.207.81.153.6.1088558858.squirrel@207.81.153.6>
From: eric at arcticbears.com (Eric Paynter)
Subject: PIX vs CheckPoint
On Tue, June 29, 2004 4:57 pm, Gary E. Miller said:
> I agree, except for one small problem. Don't you still have to delete
> ALL the filter rules, and reenter them ALL to change the order of the
> rules?
I don't administer the PIX boxes, so I don't know the details of the
interface. My statements were based on what the admins told me. However,
isn't the beauty of any CLI app that you can do all your administration
through simple scripts?
Personally, I use iptables firewalls. With iptables, my "config" file is
really the script that loads the rules. When I make a change to the rules,
it is to add/alter/remove a line from that script. The script is executed
on boot and after any changes. I would assume the same is standard
practice for PIX.
The other benefit of a scripted config is you can test it on another
machine, and once you're sure you've got it right, you can copy the script
over to the production machine. Reduces errors.
You're not entering rules by hand into a production firewall, are you?
:shock:
-Eric
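The workflow Eric describes above, a rule set kept as a script that is checked on a test host and then copied to production, as an added example that is not part of the original message. It writes the rules in iptables-restore format so that rule order is simply file order (reordering is an edit, not a delete-and-re-enter), checks the text locally, and parses it with `iptables-restore --test` before anything touches the kernel. The interface name, management network and open ports are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not from the original post: an iptables "config" that is
# really the script loading it. The interface, networks and ports below are
# assumptions; change them for your own host.

WAN_IF=eth0              # assumed external interface
ADMIN_NET=10.0.0.0/24    # assumed management network allowed to reach ssh

# Emit the whole rule set on stdout in iptables-restore format. Rule order is
# the order of the lines here, so reordering means editing this function.
ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $WAN_IF -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 443 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 1/s -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Number of -A rules in the set (useful to compare against a known-good run).
count_rules() {
  ruleset | grep -c '^-A '
}

# Kernel-free sanity checks on the generated text: the INPUT policy must be an
# explicit DROP and the table must be committed. Returns 0 on success.
check_ruleset() {
  rs=$(ruleset)
  printf '%s\n' "$rs" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$rs" | grep -q '^COMMIT$' || return 1
  # A default-ACCEPT INPUT policy would silently bypass every rule above.
  printf '%s\n' "$rs" | grep -q '^:INPUT ACCEPT' && return 1
  return 0
}

# Usage: ./fw.sh show | test | apply   (test and apply need root)
case "${1:-}" in
  show)  ruleset ;;
  # --test parses and builds the rule set without committing it to the kernel.
  test)  check_ruleset && ruleset | iptables-restore --test ;;
  # iptables-restore loads the whole table atomically: all rules or none.
  apply) check_ruleset && ruleset | iptables-restore ;;
  *)     ;;
esac
```

Run `./fw.sh test` on the staging box, copy the script unchanged to production and run `./fw.sh apply` there; because iptables-restore replaces the table in one operation there is no window where only half the rules are loaded, which is the failure mode of typing rules in by hand.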