Re: [opensuse] simple firewall scripts
Fri, 27 Jul 2007, by [EMAIL PROTECTED]:

> I plan to look at shorewall but thought I'd just ask here for
> recommendations.

Look no further.

Theo
--
Theo v. Werkhoven  Registered Linux user# 99872 http://counter.li.org
ICBM 52 13 26N , 4 29 47E. + ICQ: 277217131
SUSE 10.2 + Jabber: [EMAIL PROTECTED]
Kernel 2.6.20 + See headers for PGP/GPG info.
Claimer: any email I receive will become my property. Disclaimers do not apply.
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [opensuse] simple firewall scripts
Theo v. Werkhoven wrote:
> Fri, 27 Jul 2007, by [EMAIL PROTECTED]:
>
>> I plan to look at shorewall but thought I'd just ask here for
>> recommendations.
>
> Look no further.

I personally prefer the basic linux firewall module that comes with webmin. I found it very easy to understand, and easier to implement exactly the rules I wanted than with the suse firewall.

YMMV

Joe

Re: [opensuse] simple firewall scripts
Wolfgang Rosenauer wrote:
> Hi,

Hi,

> for smaller installations (using a Linux gateway) I used to use
> SuSEfirewall2 which basically has everything I needed so far.
>
> Now I'd something for another usecase:
> An old Linux gateway (with SuSEfirewall) got a hardware gateway in front
> of it now which blocks traffic from outside. So there is no need anymore
> to do extensive filtering and also masquerading on the old gateway while
> it's still there as kind of second stage hiding the internal network
> behind it.
> Now I still need to control which traffic is allowed from the inside to
> the internet which was done via FW_MASQ_NETS in SF2.
> Since I want to get rid of a second masquerading, SuSEfirewall has no
> mechanism to control this traffic anymore.
>
> Now I could write all iptables rules on my own (which is possible but
> I'm kind of lazy in that case) but I wonder if there is no other simple
> iptables "generator" outside which does it already.
>
> I plan to look at shorewall but thought I'd just ask here for
> recommendations.

Also try Firewall Builder at http://www.fwbuilder.org/
Since the v2.1.12 version, it is able to import your existing iptables configurations, which is a nice thing to upgrade your existing machines as well. It also has an excellent GUI.

> Thanks,
> Wolfgang

--
Rui Santos
http://www.ruisantos.com/
Veni, vidi, Linux!

Re: [opensuse] simple firewall scripts
Rui Santos wrote:
> Also try Firewall Builder at http://www.fwbuilder.org/
> Since the v2.1.12 version, is able to import your existing iptables
> configurations, which is a nice thing to upgrade your existing machines
> as well. Also has an excellent GUI.

Good to hear that - that was the one thing that turned me off to fwbuilder - if it can now import existing iptables configs, that removes it from the category of "non-starter" for me.

Joe

Re: [opensuse] simple firewall scripts
Sloan wrote:
> Theo v. Werkhoven wrote:
>> Fri, 27 Jul 2007, by [EMAIL PROTECTED]:
>>
>>> I plan to look at shorewall but thought I'd just ask here for
>>> recommendations.
>>
>> Look no further.
>
> I personally prefer the basic linux firewall module that comes with
> webmin. I found it very easy to understand, and easier to implement
> exactly the rules I wanted than with the suse firewall.
>
> YMMV
>
> Joe

Have you looked at firestarter?

--
Joseph Loo
[EMAIL PROTECTED]

Re: [opensuse] simple firewall scripts
Joseph Loo wrote:
> Sloan wrote:
>> Theo v. Werkhoven wrote:
>>> Fri, 27 Jul 2007, by [EMAIL PROTECTED]:
>>>
>>>> I plan to look at shorewall but thought I'd just ask here for
>>>> recommendations.
>>>
>>> Look no further.
>>
>> I personally prefer the basic linux firewall module that comes with
>> webmin. I found it very easy to understand, and easier to implement
>> exactly the rules I wanted than with the suse firewall.
>>
>> YMMV
>>
>> Joe
>
> Have you looked at firestarter?

I remember looking at it a few years ago - maybe time to revisit it. Do you have good experiences with it?

Joe

Re: [opensuse] simple firewall scripts
On Friday 27 July 2007 13:29:56 Wolfgang Rosenauer wrote:
> Now I still need to control which traffic is allowed from the inside to
> the internet which was done via FW_MASQ_NETS in SF2.
> Since I want to get rid of a second masquerading, SuSEfirewall has no
> mechanism to control this traffic anymore.

How about FW_FORWARD, which controls which IP addresses or subnets are allowed through, without any masquerading being done?

Grüß
Anders

Re: [opensuse] simple firewall scripts
Fri, 27 Jul 2007, by [EMAIL PROTECTED]:
> Sloan wrote:
> > Theo v. Werkhoven wrote:
> >> Fri, 27 Jul 2007, by [EMAIL PROTECTED]:
> >>
> >>> I plan to look at shorewall but thought I'd just ask here for
> >>> recommendations.
> >>
> >> Look no further.
> >
> > I personally prefer the basic linux firewall module that comes with
> > webmin. I found it very easy to understand, and easier to implement
> > exactly the rules I wanted than with the suse firewall.
> >
> > YMMV
> >
> > Joe
> Have you looked at firestarter?

Yes, and I don't like GUIs for such basic functionality.

First of all I'm almost always logging in through ssh to the server that's running the firewall, so that makes a frontend with text-files much easier to use.

Second; seeing all the rules in one page, exactly as they are going to be installed is the only way to make sure the frontend does what I mean, not what a program with fuzzy controls thinks I mean.

Theo

Re: [opensuse] simple firewall scripts
Hi Anders,

Anders Johansson wrote:
> On Friday 27 July 2007 13:29:56 Wolfgang Rosenauer wrote:
>> Now I still need to control which traffic is allowed from the inside to
>> the internet which was done via FW_MASQ_NETS in SF2.
>> Since I want to get rid of a second masquerading, SuSEfirewall has no
>> mechanism to control this traffic anymore.
>
> How about FW_FORWARD, which controls which IP addresses or subnets are
> allowed through, without any masquerading being done

Hmm, somehow I missed this because I've read the sentence

"Which services accessed from the internet should be allowed to the
# dmz (or internal network - if it is not masqueraded)?"

So I always thought it would only work from FW_DEV_EXT to the other interfaces and not the other way round without looking deeper into it. But in fact it seems to be independent from the actual devices.

Thanks for the heads up,
Wolfgang

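The FW_FORWARD approach discussed in the two messages above, sketched as an added example (not part of the thread and not SuSEfirewall2's own code): a simplified model that expands FW_FORWARD-style entries into plain FORWARD-chain rules with no masquerading. The entry format `source,destination[,protocol[,port]]`, the direct use of the FORWARD chain, and all addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not SuSEfirewall2's own code: a simplified model of
# turning FW_FORWARD-style entries into plain FORWARD-chain rules.
# Assumed entry format: source,destination[,protocol[,port]]

# Constructed sample: the internal LAN may reach any host on tcp/80 and
# tcp/443, and one resolver on udp/53. All addresses are made up.
FW_FORWARD="192.168.10.0/24,0/0,tcp,80 192.168.10.0/24,0/0,tcp,443 192.168.10.0/24,192.0.2.53,udp,53"

rule_for_entry() {
    # Split one "src,dst,proto,port" entry on commas.
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    src=$1; dst=$2; proto=$3; port=$4
    if [ -z "$src" ] || [ -z "$dst" ]; then
        echo "malformed entry: need source,destination" >&2
        return 1
    fi
    rule="iptables -A FORWARD -s $src -d $dst"
    if [ -n "$proto" ]; then
        rule="$rule -p $proto"
        # --dport is only valid together with a protocol match.
        if [ -n "$port" ]; then rule="$rule --dport $port"; fi
    fi
    echo "$rule -m state --state NEW -j ACCEPT"
}

expand_fw_forward() {
    # Default-deny routed traffic, let replies to accepted flows back in,
    # then open exactly what the list names. No MASQUERADE rule is emitted.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for entry in $1; do
        rule_for_entry "$entry" || return 1
    done
}

# Print the commands for review instead of running them.
expand_fw_forward "$FW_FORWARD"
```

Because nothing is masqueraded, the gateway in front needs a route back to the internal network for replies to arrive.
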
Re: [opensuse] simple firewall scripts
On Friday 27 July 2007 23:14, Theo v. Werkhoven wrote:
> Fri, 27 Jul 2007, by [EMAIL PROTECTED]:
> > I plan to look at shorewall but thought I'd just ask here for
> > recommendations.
>
> Look no further.

That's worrying.

Simple firewall script(s)? How about etc/sysconfig/SuSEfirewall2? It's there and it just works. Yast edits it for you if you want pure simplicity.

Please tell me that this script is rubbish and I should look elsewhere. Or else please tell me what I'm missing.

Cheers,
Lynn.

Re: [opensuse] simple firewall scripts
Sat, 28 Jul 2007, by [EMAIL PROTECTED]:
> On Friday 27 July 2007 23:14, Theo v. Werkhoven wrote:
> > Fri, 27 Jul 2007, by [EMAIL PROTECTED]:
> > > I plan to look at shorewall but thought I'd just ask here for
> > > recommendations.
> >
> > Look no further.
>
> That's worrying.
>
> Simple firewall script(s)? How about etc/sysconfig/SuSEfirewall2? It's there
> and it just works. Yast edits it for you if you want pure simplicity.

Maybe it's just me, but I don't find the way SuSEFW2 does things simple at all.

For a 'set and forget' network it probably works, but for a network with rules that are subject to change weekly, if not daily, this file is just too unreadable, because of all the comment lines that clutter the content.

The small, less than 1 page, files in Shorewall have man-pages, so if I'm puzzled, I do '^Z; man shorewall-<..>; q; fg' and carry on.

> Please tell me that this script is rubbish and I should look elsewhere. Or
> else please tell me what I'm missing.

It's not rubbish, but it does have serious limitations, at least, for me.

Theo

Re: [opensuse] simple firewall scripts
On 07/29/2007 06:14 AM, Theo v. Werkhoven wrote:
> Maybe it's just me, but I don't find the way SuSEFW2 does things
> simple at all.
> For a 'set and forget' network it probably works, but for a network
> with rules that are subject to change weekly, if not daily, this file
> is just too unreadable, because of all the comments lines that
> clutter the content.

We are all different. Those comments are one of the main reasons I was able to get it working when I first started with 6.4. The docs, etc were less than helpful, but the comments in the config file were (are) fantastic, and for me explain each setting in a way that I was and am able to work with it. To see you call those clutter shows me how different we all are.

--
Joe Morris
Registered Linux user 231871 running openSUSE 10.2 x86_64

Re: [opensuse] simple firewall scripts
joe wrote:
> Joseph Loo wrote:
>> Sloan wrote:
>>> Theo v. Werkhoven wrote:
>>>> Fri, 27 Jul 2007, by [EMAIL PROTECTED]:
>>>>> I plan to look at shorewall but thought I'd just ask here for
>>>>> recommendations.
>>>> Look no further.
>>> I personally prefer the basic linux firewall module that comes with
>>> webmin. I found it very easy to understand, and easier to implement
>>> exactly the rules I wanted than with the suse firewall.
>>>
>>> YMMV
>>>
>>> Joe
>> Have you looked at firestarter?
>
> I remember looking at it a few years ago - maybe time to revisit it. Do you
> have good experiences with it?
>
> Joe

Instead of writing the rules manually, this was the only way I could get fedora 7 to do an nfs share.

--
Joseph Loo
[EMAIL PROTECTED]

Re: [opensuse] simple firewall scripts
Sun, 29 Jul 2007, by [EMAIL PROTECTED]:
> On 07/29/2007 06:14 AM, Theo v. Werkhoven wrote:
> > Maybe it's just me, but I don't find the way SuSEFW2 does things
> > simple at all.
> > For a 'set and forget' network it probably works, but for a network
> > with rules that are subject to change weekly, if not daily, this file
> > is just too unreadable, because of all the comments lines that
> > clutter the content.
>
> We are all different. Those comments are one of the main reasons I was
> able to get it working when I first started with 6.4. The docs, etc
> were less than helpful, but the comments in the config file were (are)
> fantastic, and for me explain each setting in a way that I was and am
> able to work with it. To see you call those clutter shows me how
> different we all are.

To each his own, or, as the French say: Vive la Différence

Theo

Re: [opensuse] simple firewall scripts
On 07/28/2007 04:14 PM, Theo v. Werkhoven wrote:
> Sat, 28 Jul 2007, by [EMAIL PROTECTED]:
>
>> Please tell me that this script is rubbish and I should look elsewhere. Or
>> else please tell me what I'm missing.
>
> It's not rubbish, but it does have serious limitations, at least,
> for me.

Quite true. SFW2 is a nice generic firewall that can fill many basic needs, but that is also its greatest drawback: it is designed to fulfil a great many basic needs, and so is not nearly as flexible as is needed in a more complex situation. Most opensuse users can probably do all the firewalling they need with SFW2, but more serious requirements demand a more serious and flexible firewall builder.

--
Hypocrisy is the homage vice pays to virtue.
-- François de La Rochefoucauld