On 24 Dec 01, at 12:21, Lee Roberts wrote:

> At 09:59 AM 12/24/2001 -0700, D. R. Evans wrote:
> >
> >It took me a non-trivial amount of time to figure out what was going on,
> >and then remove all the Bastille rulesets so that I could put my own
> >iptables firewall in place.
>
> Wouldn't iptables -F do the job of clearing all the rules?
>

Yes -- after one has figured out that "Tiny firewall" is really Bastille then one has read the Bastille documentation to discover that it uses iptables and finally one has read the iptables documentation to come across this command. And of course it's much cleaner to do what one wants the first time rather than have some Bastille configuration load itself and then get over-ridden by a new set of iptables in the boot sequence; so while "iptables -F" does the job, it's not the best solution.

The real time-waster here was the inability to back out the firewall stuff once one had started going through the MCC set-up process. The second biggest time-waster was figuring out that "Tiny firewall" is really _not_ Tiny firewall (which is a Windoze product) but something called "Bastille", which turns out to be an iptables-based firewall. If, like me, you didn't know any of this and expected to be able to configure a firewall from MCC with port-by-port control, then you, again like me, would spend a lot of time figuring this stuff out.

Some configuration things in Mandrake are really great (Internet Connection Sharing comes to mind -- at least, it worked great when I set it up, just click and bingo! all done). Others need more work before they are going to be usable by Windows weenies: the firewall stuff and the printing configuration come immediately to mind. Yes, I figured out how to build a firewall eventually, but only because I knew enough to start ferreting out information about iptables rather than relying on the MCC.

> >
> >The MCC thing is OK IF 1: you don't ever want to get rid of what it does
> >for you; 2: you're running a standard system (so that, for example, when
> >it asks if you want to block HTTP access, you recognise that it's going
> >to assume that you are running the http daemon on port 80 and not give
> >you a way to over-ride the default).
> >
>
> I believe there are configuration files that can be edited to change the
> default port. But, I'm not a networking expert (yet).
>

You just change the port in httpd.conf. My point was that it is the firewall config thing in MCC that didn't allow the firewall to let through the right port. Now, I recognise that it's called "Tiny firewall" for a reason, so it's not too bad if it doesn't give one fine control -- but once one has realised this, it is too late and there's no "click here to remove the firewall" option. So one has to go through all the pain of figuring out what is really going on under the hood. Which is OK (I guess) for techies, but not for your average user.

Doc

--------------------------------------------------------------
Phone:  +1 303 494 0394
Mobile: +1 720 839 8462
Fax:    +1 781 240 0527
--------------------------------------------------------------