wfdudley wrote:
> I'm not sure what "pulled all documentation from the up-stream config
> files in favor of man pages" means, but when I type "man shorewall-rules"
> I get the helpful message "man: not found", so that's "a fail", in the current
> parlance. I understand that's somebody else's problem, but it's still broken.

Not exactly. The fact that the man pages are missing is simply due to trying to keep as small a footprint as possible. Since Tom keeps an abundance of good documentation online, this is only an issue when the LEAF box one is trying to set up is one's only means to connect to the internet (been there, done that - it's not much fun).

> So the answer to my initial query appears to be that in order to configure a
> LEAF/Bering/Shorewall router firewall, one has to read all the man pages
> for the 30 or so configuration files,

Reading all of the documentation is not needed - reading all of the _relevant_ documentation should be sufficient. For the average firewall, I doubt you'd need to change more than 5 to 10 config files; reading the man pages of all 30 (if that's the number), especially since Tom provides very good introductory documentation that tells you which files need to be changed for a specific purpose, seems superfluous to me. That is, unless he has pulled a lot of documentation since the last time I checked. But of course, reading _all_ of the docs is always a good idea, since it tells you what other things (that you might not need right now) shorewall can do.

> plus have a solid understanding of the
> particular version of ip filtering that is on that week's version of Linux.

Not really (but your take on that is as good as mine) - I always felt that shorewall took away the need to know the details of how Netfilter/IPTables worked, and let me work on a more task-oriented basis. Maybe one needs to have got one's "hands dirty" with writing IPTables rules by hand to appreciate what shorewall does, but to me, it has been a huge timesaver for even somewhat complicated setups (I won't claim shorewall can do everything imaginable - but so far, it did well on everything I needed).

> This is obviously designed as a deterrent against having too many users. :-)
> I want to set up a firewall, not take a semester course in networking.

I'll take your word on that. I did take a "semester course" in networking back at college, but that one didn't cover firewalls at all - instead, we talked about the "OSI-Model" for ages... How good can those courses be anyway?

I took quite a few "semester courses" in my days at college, and few of them taught me anything about actually doing the real thing... But either way, having an understanding of what one is actually doing while setting up a firewall is, IMHO, a good idea. If you feel all that's needed is a pretty GUI, try setting up an IPSEC connection on Windows 2000 - I've done it once years ago, and despite the pretty GUI, I've never tried it again (I'm a happy OpenVPN user since then - and OpenVPN relies solely on config files...)

> If I had more knowledge of Linux networking/ip filtering/etc. I'd take the web
> UI from pfSense or m0n0wall and graft it on to this mess and make a REAL
> appliance firewall. Tragically, what with the job and all, that's unlikely.

That is true for most of us, I'm afraid. This is why only the stuff that "scratches an itch" of the people willing to do the work will get done. If messing with config files, especially if they're well documented (on the shorewall site), gets things done, I'm afraid that few people will spend hours (or more likely much more) on creating a web GUI for something that only takes minutes to change in a text editor. If such a person can be found, and submits the results of his/her work, I'm sure it will be accepted and made part of the base image - but so far, nobody has put in that kind of work. I guess that's the difference between something driven by "a need one has" versus something that's driven by marketing, trying to sell a product (both kinds of products have their own share of challenges, I guess, going by my own experience).

> I'd be USING pfSense or m0n0wall, but their FreeBSD kernel and drivers are
> flakey with my Alix2c3, so I'm left running an ancient Eigerstein/Dachstein on
> a P60 desktop machine.

I would have suggested m0n0wall, but it sounds like you tried it already.

I've been using LEAF on my Alix box for several years (I started with an old 486 box with two floppies, moved on to a Soekris 4501, moved on to a Soekris 4801 after that, then to a WRAP box, and later switched to ALIX boxes, and I've never had any issues using LEAF on _any_ of those). Oh, and I still use that "dated" version of Bering uClibc 3.x - I'm keeping my fingers crossed that the current effort by Andrew, David and kp (and the other people I forgot to mention) to bring things up to date, and get things running with a 2.6 kernel, will be successful - but so far, that outdated version suits my needs just fine.

> I have a network that the cheapo Linksys/Netgear
> consumer routers won't handle, so I guess I'm stuck with my ancient LRP
> until the hardware fails.

Well, if you let people know what your specific needs are, or what exactly you're struggling with (other than the lack of a GUI), I'm sure somebody will speak up.

Martin
--
Though we have heard of stupid haste in war, cleverness has never been seen associated with long delays.
Sun Tzu, The Art of War
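To make concrete the "5 to 10 config files" and the task-oriented style Martin contrasts with hand-written IPTables rules, here is an added example that is not from his post or from the LEAF/Shorewall project: a shell function that writes the five Shorewall files a minimal two-interface router needs (zones, interfaces, policy, rules, masq) into a scratch directory, with the hand-written iptables equivalent of one rule shown in a comment. The interface names eth0/eth1, the 192.168.1.0/24 LAN and the choice of allowed services are assumptions for illustration; the files are written to a temporary directory, not to /etc/shorewall, so nothing on the host changes.

```shell
# Added example, not part of the original post or of Shorewall itself.
# Writes a minimal two-zone Shorewall configuration into DIR.
# Assumed: eth0 faces the internet, eth1 the LAN (192.168.1.0/24).
write_shorewall_config() {
  dir="$1"
  mkdir -p "$dir"

  # zones: the firewall itself ("fw", referred to as $FW), the internet, the LAN
  cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

  # interfaces: which interface belongs to which zone; anti-spoofing options on net
  cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,tcpflags,nosmurfs
loc     eth1        detect      tcpflags
EOF

  # policy: default-deny from the internet, LAN and firewall may go out,
  # everything else rejected; dropped/rejected traffic is logged at "info"
  cat > "$dir/policy" <<'EOF'
#SOURCE  DEST  POLICY  LOG LEVEL
loc      net   ACCEPT
fw       net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
EOF

  # rules: the exceptions to the policies, one task per line.
  # The first line, written by hand, is roughly
  #   iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
  # plus an ESTABLISHED,RELATED return rule, which Shorewall generates itself.
  cat > "$dir/rules" <<'EOF'
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   loc     $FW   tcp    22
ACCEPT   loc     $FW   udp    53
ACCEPT   loc     $FW   icmp   8
EOF

  # masq: source NAT for the LAN when leaving via eth0
  cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE
eth0        192.168.1.0/24
EOF
}

# Number of non-comment lines in the rules file, for a quick sanity check
# before copying the files to /etc/shorewall/ and running "shorewall check".
count_rules() {
  grep -cv '^#' "$1/rules"
}
```

Usage: `d=$(mktemp -d); write_shorewall_config "$d"; count_rules "$d"` prints 3. The point of the layout is that each line in `rules` names a task (LAN may reach the firewall's SSH, DNS, ping) while the connection tracking, interface binding and return-path rules that a hand-written IPTables script would need are generated from `zones` and `interfaces`.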