Christopher,

The 'best practice' may be to not edit the firewall.conf file directly. 
  Originally when I added Arno's firewall, it was the only way.  I still 
have several configurations that have edits to that file.  If you leave 
the changes out of those files, it makes it easier to upgrade when newer 
plugins are released for the firewall or if a major version change 
happens (as we will see when 0.7.x is released in the future).

When migrating to future versions, you will likely need to take all of 
your changes in firewall.conf and use a new copy of that file from 
/stat/etc/...  This will be necessary when the 0.7.x releases come out 
because they will be based on a newer version of Arno's firewall which 
has some configuration changes.

NONE of this requires the use of a web interface.

You can simply add some additional variables to either the end of 
rc.conf if you use a single rc.conf file or to user.conf in the 
/mnt/kd/rc.conf.d/ directory.

The astlinux.shim file then reads the rc.conf file and sets some of the 
network configuration settings for the firewall.

The web interface stores some of these rules in 
/mnt/kd/rc.conf.d/gui-firewall.conf.  It doesn't know how to read the 
firewall.conf file directly so if you do want to move from NOT using the 
gui, to using the gui, you'll probably have to re-create your rules. 
After you've done so, make sure you put a stock copy of firewall.conf 
into the /mnt/kd/arno-iptables-firewall directory from /stat/etc...

Hopefully that's a little clearer.

Darrick
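
As an added example (not part of this thread, and not AstLinux or Arno's firewall code), the two points above can be turned into a small audit script: it warns when the active firewall.conf has been hand-edited away from the stock copy, and it checks that INT_IF_TRUST in user.conf only names LAN interfaces. All paths, file contents and the eth0/eth1/eth2 layout are constructed sample data taken from the thread's description, and the rule that the Internet-facing interface must never appear in INT_IF_TRUST is this example's own sanity check, not something the firewall documents.

```shell
#!/bin/sh
# Added example, not AstLinux or Arno's firewall code. Audits (1) a locally
# edited firewall.conf that will collide with the next upgrade and (2) an
# INT_IF_TRUST value that trusts an interface it should not. Every path, file
# and interface name below is constructed sample data; on a real box the files
# live under /mnt/kd/ as described in the thread.
set -eu

# Print the last KEY="value" (or KEY=value) assignment in an rc.conf-style file.
rc_get() {  # rc_get FILE KEY
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Returns 0 if every interface in INT_IF_TRUST is one of the LAN interfaces and
# none of them is the Internet-facing one. The WAN rule is this script's own
# sanity check: the variable exists to let LAN interfaces talk to each other.
check_int_if_trust() {  # check_int_if_trust USER_CONF "LAN_IFS" EXT_IF
    rc=0
    for ifc in $(rc_get "$1" INT_IF_TRUST); do
        if [ "$ifc" = "$3" ]; then
            echo "WARN: $ifc is the Internet-facing interface; remove it from INT_IF_TRUST"; rc=1
        else
            case " $2 " in
                *" $ifc "*) ;;
                *) echo "WARN: $ifc in INT_IF_TRUST is not a known LAN interface ($2)"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Returns 0 if the active firewall.conf is byte-identical to the stock copy.
check_firewall_conf_stock() {  # check_firewall_conf_stock ACTIVE STOCK
    cmp -s "$1" "$2" && return 0
    echo "WARN: $1 differs from stock $2; keep local settings in user.conf instead"
    return 1
}

# Constructed sample files (layout from the thread: eth0 Internet, eth1/eth2 LAN).
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
printf 'INT_IF_TRUST="eth1 eth2"\n' > "$work/user.conf"
printf 'INT_IF_TRUST="eth0 eth1"\n' > "$work/bad-user.conf"
printf '# stock template\n' > "$work/stock-firewall.conf"
cp "$work/stock-firewall.conf" "$work/firewall.conf"
printf 'INT_IF_TRUST="eth1 eth2"\n' >> "$work/firewall.conf"   # simulated hand edit

check_int_if_trust "$work/user.conf" "eth1 eth2" eth0 && echo "user.conf: INT_IF_TRUST ok"
check_int_if_trust "$work/bad-user.conf" "eth1 eth2" eth0 || echo "bad-user.conf: rejected"
check_firewall_conf_stock "$work/firewall.conf" "$work/stock-firewall.conf" || echo "firewall.conf: edited"
```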

Chris Abnett wrote:
> I didn't know I wasn't supposed to edit the firewall.conf file directly..
> that is how I have been setting up all my firewall rules... is by editing
> the file directly....
> 
> Setting the int_if trust parameter works like a champ....  thank you for the
> tip...
> 
> As for setting up my networks? I purposely wanted the devices on eth2 on a
> different subnet than my devices on eth1.. and normally they don't have to
> talk to each other except when I want to config one of them from a laptop
> located in the other network...  it's done this way purposely....
> 
> I'm not real big on using web interfaces for anything and everything... am I
> really supposed to be using the web interface in this case? Does the
> interface not go and look at the firewall file and read all of its contents
> before writing changes?
> -Christopher
> 
> -----Original Message-----
> From: Lonnie Abelbeck [mailto:[email protected]] 
> Sent: Thursday, March 26, 2009 8:07 PM
> To: AstLinux Users Mailing List
> Subject: Re: [Astlinux-users] How to route between Internal Interfaces?
> 
> 
> On Mar 26, 2009, at 6:31 PM, Darrick Hartman wrote:
> 
>> Lonnie,
>>
>> I think you need to be clear on this.  We're trying to encourage users
>> NOT to directly edit the firewall.conf file, but rather take the
>> variable (in this case INT_IF_TRUST) and add it to their user.conf  
>> file
>> in /mnt/kd/rc.conf.d/ (or /mnt/kd/rc.conf if using just the single  
>> file).
> 
> Yes, adding to user.conf (Advanced User System Variables) is what I  
> meant.
> 
>> Also, is there a web interface check box for this option?
> 
> Not for this case.  The Firewall tab has a setting that uses the  
> INT_IF_TRUST variable related to OpenVPN...
> 
> __ Allow OpenVPN tunnel to the [ 1st LAN Interface ]
> 
> It is best if the network is designed so different LANs don't have  
> the need to talk with each other.
> 
> Another option is to define a LAN and a DMZ subnet and add DMZ to LAN  
> rules, which can all be done via the web interface.
> 
> The last option is as suggested...
> INT_IF_TRUST="eth1 eth2"
> 
> Lonnie
> 
> 
>> Directly editing the firewall.conf file will require additional work  
>> in
>> the future when migrating to versions of Astlinux starting at 0.7.0
>> which uses a new version of Arno's firewall (with incompatible config
>> files--an issue that we're trying to address now).
>>
>> Darrick
>>
>> Lonnie Abelbeck wrote:
>>> Chris,
>>>
>>> Arno's Firewall by default denies traffic between LAN interfaces/ 
>>> subnets.
>>>
>>> If you add to your config...
>>>
>>> INT_IF_TRUST="eth1 eth2"
>>>
>>> should do the trick.
>>>
>>> Lonnie
>>>
>>>
>>>
>>> On Mar 26, 2009, at 5:17 PM, Chris Abnett wrote:
>>>
>>>> I have 3 Interfaces set up on my Astlinux box as it is also used as
>>>> my Home router.
>>>>
>>>> Eth0 - Internet
>>>> Eth1 - LAN 1 (172.16.1.0/24)
>>>> Eth2 - LAN 2 (192.168.100.0/24)
>>>>
>>>> I want a device on the network behind eth1 to be able to reach a
>>>> device that is behind eth2..  say 172.16.1.99 being able to talk to
>>>> 192.168.100.2 (example)
>>>>
>>>> I am using Arno's firewall.. the Astlinux box can talk to both
>>>> devices.. I just can't get the 2 nets to talk to each other..
>>>> Any ideas?
>>>> -Christopher
>>>>
> ----------------------------------------------------------------------------
> --
>>>> _______________________________________________
>>>> Astlinux-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>>
>>>> Donations to support AstLinux are graciously accepted via PayPal  
>>>> to [email protected]
>>>> .
>>>
>>>
>>
>>
>>
>>
> 
> 
> 
> 

