wfdudley wrote:
> I'm not sure what "pulled all documentation from the up-stream config
> files in favor of man pages" means, but when I type "man shorewall-rules"
> I get the helpful message "man: not found", so that's "a fail", in the current
> parlance.  I understand that's somebody else's problem, but it's still broken.
Not exactly. The fact that the man pages are missing is simply due to 
trying to keep as small a footprint as possible. Since Tom keeps an 
abundance of good documentation online, this only is an issue when the 
LEAF box one is trying to set up is one's only means to connect to the 
internet (been there, done that - it's not much fun).

> So the answer to my initial query appears to be that in order to configure a
> LEAF/Bering/Shorewall router firewall, one has to read all the man pages
> for the 30 or so configuration files,
Reading all of the documentation is not needed - reading all of the 
_relevant_ documentation should be sufficient. For the average firewall, 
I doubt you'd need to change more than 5 to 10 config files - reading 
the manpages of all 30 (if that's the number), especially since Tom 
provides very good introductory documentation, that tells you what files 
need to be changed for a specific purpose, seems superfluous to me. That 
is, unless he has pulled a lot of documentation since the last time I 
checked.
But of course, reading _all_ of the docs is always a good idea, since it 
tells you what other things (that you might not need right now) 
shorewall can do.

> plus have a solid understanding of the
> particular version of ip filtering that is on that week's version of Linux.
Not really (but your take on that is as good as mine) - I always felt 
that shorewall took out the need of having to know about the details of 
how Netfilter/IPTables worked, and let me work on a more task-oriented 
basis. Maybe one needs to have got one's "hands dirty" with writing 
IPTables rules by hand to appreciate what shorewall does, but to me, it 
has been a huge timesaver for even somewhat complicated setups (I won't 
claim shorewall can do everything imaginable - but so far, it did well 
on everything I needed).

> This is obviously designed as a deterrent against having too many users.  :-)
> I want to set up a firewall, not take a semester course in networking.
I'll take your word on that. I did take a "semester course" in 
networking back at college, but that one didn't cover firewalls at all - 
instead, we talked about the "OSI-Model" for ages... How good can those 
courses be anyway? I took quite a few "semester courses" in my days at 
college, and few of them taught me anything about actually doing the 
real thing...
But either way, having an understanding of what one is actually doing 
while setting up a firewall is, IMHO, a good idea.

If you feel all that's needed is a pretty GUI, try setting up an IPSEC 
connection on Windows 2000 - I've done it once years ago, and despite 
the pretty GUI, I've never tried it again (I'm a happy OpenVPN user 
since then - and OpenVPN relies solely on config files...)

> If I had more knowledge of Linux networking/ip filtering/etc. I'd take the web
> UI from pfSense or m0n0wall and graft it on to this mess and make a REAL
> appliance firewall.  Tragically, what with the job and all, that's unlikely.
That is true for most of us, I'm afraid. This is why only the stuff that 
"scratches an itch" of the people willing to do the work will get done.
If messing with config files, especially if they're well documented (on 
the shorewall site), gets things done, I'm afraid that few people will 
spend hours (or more likely much more) on creating a web GUI on 
something that only takes minutes on changing in a text editor. If such 
a person can be found, and submits the results of his/her work, I'm sure 
it will be accepted and made part of the base image - but so far, nobody 
has put in that kind of work.

I guess that's the difference between something driven by "a need one 
has" versus something that's driven by marketing, trying to sell a 
product (both kinds of products have their own share of challenges, I 
guess, going by my own experience).

> I'd be USING pfSense or m0n0wall, but their FreeBSD kernel and drivers are
> flakey with my Alix2c3, so I'm left running an ancient Eigerstein/Dachstein on
> a P60 desktop machine.
I would have suggested m0n0wall, but it sounds like you tried it 
already. I've been using LEAF on my Alix box for several years (I 
started with an old 486 box with two floppies, moved on to a Soekris 
4501, moved on to a Soekris 4801 after that, then to a WRAP box, and 
later switched to ALIX boxes, and I've never had any issues using LEAF 
on _any_ of those). Oh, and I still use that "dated" version of Bering 
uClibc 3.x - I'm keeping my fingers crossed that the current effort by 
Andrew, David and kp (and the other people I forgot to mention) to bring 
things up to date, and get things running with a 2.6 kernel, will be 
successful - but so far, that outdated version suits my needs just fine.

> I have a network that the cheapo Linksys/Netgear
> consumer routers won't handle, so I guess I'm stuck with my ancient LRP
> until the hardware fails.
Well, if you let people know what your specific needs are, or what 
exactly you're struggling with (other than the lack of a GUI), I'm sure 
somebody will speak up.

Martin

-- 
Though we have heard of stupid haste in war,
cleverness has never been seen associated with long delays.
        Sun Tzu, The Art of War

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
