Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-08 Thread Florin

Randy Welch [EMAIL PROTECTED] writes:

 I suspect I didn't do something quite right then...  ( eth0 is LAN for me
 and eth1 is WAN ).
 
  any masquerade setup ?
 
 Yep.  Here is my masq file:

 #interface  subnet  address
 eth0:0.0.0.0/0  192.168.200.1/24
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

your line should be like the following :

eth1:0.0.0.0/0  192.168.200.0/24

note here the TWO modifications to your file :

1. the interface is the WAN interface. In the masquerade field you specify
the interface THROUGH WHICH the traffic is masqueraded and not from which
interface this should be masqueraded.

That means, in a way, that all the traffic out through eth1 (your WAN
interface) and coming from the 192.168.200.0/24 network will appear as
from the firewall because you're using private IP addresses for your lan
and, say a public web server, doesn't know your private address. It
responds therefore to your firewall and then the firewall will resend the
information back to the pc that required that information in the first
place.

2. the network address is 192.168.200.0/24, a C class network that allows
   you to use 255 IP addresses from 192.168.200.1 to 192.168.200.255

hope this helps,
-- 
Florin  http://www.mandrakesoft.com
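As an added check (not part of this thread, nor of Shorewall or the naat backend), the following Python script parses a masq file in the format Randy posted and flags the two mistakes Florin points out: the LAN interface where the WAN interface belongs, and a subnet with host bits set. The WAN interface name is passed in as an assumption, since the masq file itself does not say which interface faces the WAN.

```python
"""Sanity-check a Shorewall 1.2-style /etc/shorewall/masq file.

Each non-comment line has the form
    INTERFACE[:DEST-SUBNET]   SUBNET   [ADDRESS]
where INTERFACE is the interface traffic leaves THROUGH (the WAN side) and
SUBNET is the source network to be masqueraded.  Two mistakes are checked:
the LAN interface given instead of the WAN one, and a subnet with host bits
set (192.168.200.1/24 instead of 192.168.200.0/24).
"""
import ipaddress

# Constructed sample: the line from the thread, plus a correct one for contrast.
SAMPLE_MASQ = """\
#interface  subnet  address
eth0:0.0.0.0/0  192.168.200.1/24
eth1:0.0.0.0/0  192.168.200.0/24
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"""


def parse_masq(text):
    """Return a list of (lineno, interface, dest_subnet, subnet, address)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected at least INTERFACE and SUBNET")
        iface, _, dest = fields[0].partition(":")  # optional ':dest-subnet'
        address = fields[2] if len(fields) > 2 else None
        entries.append((lineno, iface, dest or None, fields[1], address))
    return entries


def check_masq(text, wan_iface):
    """Return human-readable findings; an empty list means the file looks sane."""
    findings = []
    for lineno, iface, dest, subnet, _address in parse_masq(text):
        if iface != wan_iface:
            findings.append(
                f"line {lineno}: interface {iface!r} is not the WAN interface "
                f"{wan_iface!r}; masq names the interface traffic goes OUT through"
            )
        for label, value in (("subnet", subnet), ("dest", dest)):
            if value is None:
                continue
            try:
                ipaddress.ip_network(value, strict=True)  # rejects host bits
            except ValueError:
                try:
                    fixed = ipaddress.ip_network(value, strict=False)
                except ValueError:
                    findings.append(f"line {lineno}: {label} {value!r} is not a valid network")
                    continue
                findings.append(
                    f"line {lineno}: {label} {value!r} has host bits set; "
                    f"use the network address {fixed}"
                )
    return findings


if __name__ == "__main__":
    for finding in check_masq(SAMPLE_MASQ, wan_iface="eth1"):
        print(finding)
```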




Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-07 Thread Florin

Randy Welch [EMAIL PROTECTED] writes:

Hello again,
 
 Does dan's guardian allow for time restrictions like squidGuard?  I don't
 want to lose that functionality.
 

You can run SquidGuard and DansGuardian at the same time and keep the Time
restriction feature.

  any ideas are welcome ...

 In the firewall section it would be nice to have an easy/basic/quick setup
 that did the following:
 
 1.  Setup NAT
 
 2.  Perform necessary setup to allow the following services:
  http/https/pop3/smtp/dns/squid ( maybe nntp/ftp/imap )
  *without any further intervention from the user*.

Ok, this is a good and useful idea. I'll open all the
http/https/pop3/smtp/ssh/nntp/ftp/imap/dns traffic as default from the lan
to wan so people can use the firewall directly without adding these rules. 

 
 With what is currently in 8.2 I suspect you are closer to SuSE's firewall
 product, read the quote from the UnixReview article on fire walls about
 their product:
 
  The setup program is GUI-based, but you still need to understand how to
 
  configure a firewall. If you don't know a DMZ from an ACL,
 
  you'll be totally lost with this product
 
 
 I think the new snf is going that way.
 

Well, this firewall now supports several DMZs. This is why I think that
allowing as default all the above services from lan to wan is a good idea
so people that will NOT use a DMZ can use it right away.

 
 4.  With the configuration ( which I'm not sure I've done right.. ) the
  only way to surf the web is through squid.
  Oh no. When you activate squid, this will add the right rules (you can
  verify that). If you only want to surf the web, you should eventually
  masquerade your private network and authorize the http (or www)
  traffic from lan to wan, add a new iptable rule that is.
  It's normal and intuitive, I think.
 
 
 
 I'll have to think about that.  I could not surf without squid last night
 though.
 
Well, it works like a charm here. If you explain your network
configuration with the eventual private IP ranges used, I could help.

in two steps, as I said do the following:

If your eth1 card is the interface associated to the wan zone and eth0 is
the one associated to the lan zone (you'll have to do that in the
network configuration because all the NIC interfaces are in the lan zone
at the beginning) and your private network is 192.168.1.0/24, masquerade
that network through the eth1 interface (eth1, the wan interface).

Then add an ACCEPT rule allowing the http traffic from lan to wan.

easy, huh ? 
 
 
 Yes it is the caching name server provided by the firewall.   I would
 recommend that you add the rule automatically when activating the caching
 name server.

Ok, I've added that on the cvs.

 
 
 Agreed, however ease of use has been mandrake's hallmark. For the SOHO
 market the functionality as it was in 7.2 got you up and going in no time.
 I don't think that should be lost in the ability to support larger
 enterprises.
 
 The ability to tweak the config from the gui is certainly more fine
 grained than 7.2 ( Yes I tweaked my Bastille based configs by hand ).  And
 looks quite interesting too.  Don't change that, but don't lose the
 positive out of box experience for the newbie/basic user that 7.2 had.
 

Allowing all the above traffic as default should do the thing :o)

thank you for your message,
-- 
Florin  http://www.mandrakesoft.com




Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-07 Thread Randy Welch



Florin wrote:

 Randy Welch [EMAIL PROTECTED] writes:
 
 Hello again,
  
 
Does dan's guardian allow for time restrictions like squidGuard?  I don't
want to lose that functionality.


 
 You can run SquidGuard and DansGuardian at the same time and keep the Time
 restriction feature.
 


In order to enable both do you have to select SquidGuard for 
banner filtering and DansGuardian for content like you 
currently have to do?



In the firewall section it would be nice to have an easy/basic/quick setup
that did the following:

1.  Setup NAT

2.  Perform necessary setup to allow the following services:
 http/https/pop3/smtp/dns/squid ( maybe nntp/ftp/imap )
 *without any further intervention from the user*.

 
 Ok, this is a good and useful idea. I'll open all the
 http/https/pop3/smtp/ssh/nntp/ftp/imap/dns traffic as default from the lan
 to wan so people can use the firewall directly without adding these rules. 
 


This is great news!  I think that this will allow the basic 
user to get up and running with Mandrake's ease of use and 
still leave all the functionality required for the more 
complex environments.  Are these changes in your download 
area yet?




  
 Well, it works like a charm here. If you explain your network
 configuration with the eventual private IP ranges used, I could help.
 
 in two steps, as I said do the following:
 
 If your eth1 card is the interface associated to the wan zone and eth0 is
 the one associated to the lan zone (you'll have to do that in the
 network configuration because all the NIC interfaces are in the lan zone
 at the beginning) and your private network is 192.168.1.0/24, masquerade
 that network through the eth1 interface (eth1, the wan interface).
 
 Then add an ACCEPT rule allowing the http traffic from lan to wan.
 


I suspect I didn't do something quite right then...  ( eth0 
is LAN for me and eth1 is WAN ).



 
 thank you for your message,
 


Glad that I can be of assistance.

-randy








Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-07 Thread Randy Welch



Florin wrote:


 
This is great news!  I think that this will allow the basic user to get up
and running with Mandrake's ease of use and still leave all the
functionality required for the more complex environments.  Are these
changes in your download area yet?


 
 Not yet but they will definitely be there tomorrow  ... :o)

 

I'll pull them this weekend!


 
 

I suspect I didn't do something quite right then...  ( eth0 is LAN for me
and eth1 is WAN ).

 
 any masquerade setup ? 
 

Yep.  Here is my masq file:

#-
# DO NOT MODIFY THIS FILE! It is updated automatically
# by the naat/backend. Modify the template file instead
# in /usr/share/naat/templates/etc/shorewall
#-
#
# Copyright (C) 2002 Mandrakesoft
# Author Florin Grad
#
#-
# Shorewall 1.2.5 /etc/shorewall/masq


#interface  subnet  address
eth0:0.0.0.0/0  192.168.200.1/24
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Though I suspect my error is my subnet address..
should be 192.168.200.0/24

-randy









Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-06 Thread Florin

[EMAIL PROTECTED] (Randy Welch) writes:

  
  Hi there,
  
  what do you mean it gets stuck ? Of course, retrieving the infos will take
  some time ... patience, Luke :)
 
 
 It never comes back.  Netscape times out on the connection 
 waiting for the script to finish.  I've even run the perl 
 script that goes looking for the interfaces by hand and it 
 remains quiet.
 
 
  
  you can eventually display in the same time on the firewall console the
  logs with tail -f /var/log/httpd-naat/httpd-naat.error_log
  
 
 
 I will try that when I get home.  Is the symlink for 
 httpd-naat fixed yet?
 
 One other item.  For some reason the restricted site 
 functionality in squid ( ~8.2 beta2, prior to the shorewall 
 change ) doesn't seem to be working
 
 -randy

as I said in my previous mails use the cvs or the latest packages at
http://people.mandrakesoft.com/~florin/www/rpms

cheers,
-- 
Florin  http://www.mandrakesoft.com




Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-06 Thread Florin

Randy Welch [EMAIL PROTECTED] writes:
 
 Ok after updating to the latest cooker, I reinstalled my firewall with the
 latest and greatest and I was able to actually go through the
 configuration!  Yippee!
 
 However I have a few comments about the new SNF...
 1.  It would be nice when doing the setup it could fetch the time
 configuration and default route from the network config during setup.

Hello again,

for the time configuration, this is feasible.
I'm not sure about the default route configuration, though. 
Keep in mind that only the network configuration is updated (for the NIC
cards, not DSP, RNIS, modem, etc) 

Say you have an active internet connection with a default route set by
your ISP ... The update of such a default gateway will give strange
results for NIC cards if you're using another device for your internet
configuration ...

 2.  When setting up the web proxy you are asked to select what you want
 for filtering ( DansGuardian or nothing ) however in order to set things
 up like time limits you really do have to select squidGuard  for at least
 banner filtering.  I do *like/want* the time restriction provision to be
 there by default.  (If one leaves DansGuard selected how do you configure
 it).

right enough ... you could check the latest packages at
people.mandrakesoft.com/~florin/www/rpms but indeed, I have some problems
with the dansguardian restart service. It simply doesn't want to restart
using a script and it does restart by hand ... I'll have a closer look on that.
 
 3.  The configuration of the actual firewall is not geared towards your
 usual user.  I know mandrake prides themselves on the ease of use factor,
 which even applied to SNF.  You didn't need to be a network admin to
 setup.  The 8.2 one I think you do.

The latest version is using a DMZ so, it has to be more advanced in some
sort of way as you have much more configuration possibilities.

But you still can use the Add simple rules menu and use the predefined
list of services like in the old days (old version, sorry :o)

 It is neither intuitive nor easy.  The old 7.2 based SNF was fairly easy to
 configure for basic usage.  You could just select the services you wanted
 to use by selecting the services you wanted to go through all at once,
 instead of picking each service one at a time.
 
 This needs work in order to appeal to linux newbies or those who really
 really don't want to be firewall gods.

any ideas are welcome ...

 4.  With the configuration ( which I'm not sure I've done right.. ) the
 only way to surf the web is through squid. 

Oh no. When you activate squid, this will add the right rules (you can
verify that). If you only want to surf the web, you should eventually
masquerade your private network and authorize the http (or www)
traffic from lan to wan, add a new iptable rule that is.

It's normal and intuitive, I think.

 I can't talk to my caching
 name server and I get rejection packets when I try to access a web address
 via ip address. ( nothing in the log though...) 

same thing here, what caching name server are we talking about, the one
used by the firewall ? In that case, you should authorize the 53 port from 
lan to fw (yes add another rule) or should I add this automatically when 
activating the Caching name server maybe ?

One comment though:
The major difference between the old version and the new one is its
complexity in terms of number of allowed servers, (DMZ, etc). 
In the 7.2 version the adding rules were chewed so that anyone can use it
because there were only two sides (office and the internet). With the
latest version, you can have an unlimited number of zones ... so, in order
to make a service available (say a web server) you need two steps instead
of one: 
- activate a service in a zone, say an apache (web) server and then 
- add the right iptables rule to allow the corresponding traffic

cheers,
-- 
Florin  http://www.mandrakesoft.com




Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-06 Thread Randy Welch



Florin wrote:

 Randy Welch [EMAIL PROTECTED] writes:
  
 
Ok after updating to the latest cooker, I reinstalled my firewall with the
latest and greatest and I was able to actually go through the
configuration!  Yippee!

However I have a few comments about the new SNF...
1.  It would be nice when doing the setup it could fetch the time
configuration and default route from the network config during setup.

 
 Hello again,
 
 for the time configuration, this is feasible.
 I'm not sure about the default route configuration, though. 
 Keep in mind that only the network configuration is updated (for the NIC
 cards, not DSP, RNIS, modem, etc) 
 
 Say you have an active internet connection with a default route set by
 your ISP ... The update of such a default gateway will give strange
 results for NIC cards if you're using another device for your internet
 configuration ...
 


True.  I thought about that this morning and I agree with 
you here.


 
2.  When setting up the web proxy you are asked to select what you want
for filtering ( DansGuardian or nothing ) however in order to set things
up like time limits you really do have to select squidGuard  for at least
banner filtering.  I do *like/want* the time restriction provision to be
there by default.  (If one leaves DansGuard selected how do you configure
it).

 
 right enough ... you could check the latest packages at
 people.mandrakesoft.com/~florin/www/rpms but indeed, I have some problems
 with the dansguardian restart service. It simply doesn't want to restart
 using a script and it does restart by hand ... I'll have a closer look on that.
  


Does dan's guardian allow for time restrictions like 
squidGuard?  I don't want to lose that functionality.


 
3.  The configuration of the actual firewall is not geared towards your
usual user.  I know mandrake prides themselves on the ease of use factor,
which even applied to SNF.  You didn't need to be a network admin to
setup.  The 8.2 one I think you do.

 
 The latest version is using a DMZ so, it has to be more advanced in some
 sort of way as you have much more configuration possibilities.
 
 But you still can use the Add simple rules menu and use the predefined
 list of services like in the old days (old version, sorry :o)
 
 
It is neither intuitive nor easy.  The old 7.2 based SNF was fairly easy to
configure for basic usage.  You could just select the services you wanted
to use by selecting the services you wanted to go through all at once,
instead of picking each service one at a time.

This needs work in order to appeal to linux newbies or those who really
really don't want to be firewall gods.

 
 any ideas are welcome ...
 



In the firewall section it would be nice to have an 
easy/basic/quick setup that did the following:

1.  Setup NAT

2.  Perform necessary setup to allow the following services:
 http/https/pop3/smtp/dns/squid ( maybe nntp/ftp/imap )
 *without any further intervention from the user*.

I think with this you can give the new user up and going 
without a user having to know a whole lot about the in's and 
outs of firewalls.  The whole firewall section could use 
some really clear documentation while you are doing the 
configuration so one can have a good idea as to what one is 
supposed to do.


With what is currently in 8.2 I suspect you are closer to 
SuSE's firewall product, read the quote from the UnixReview 
article on fire walls about their product:

 The setup program is GUI-based, but you still need to understand how to 

 configure a firewall. If you don't know a DMZ from an ACL, 

 you'll be totally lost with this product


I think the new snf is going that way.


 
4.  With the configuration ( which I'm not sure I've done right.. ) the
only way to surf the web is through squid. 

 
 Oh no. When you activate squid, this will add the right rules (you can
 verify that). If you only want to surf the web, you should eventually
 masquerade your private network and authorize the http (or www)
 traffic from lan to wan, add a new iptable rule that is.
 
 It's normal and intuitive, I think.



I'll have to think about that.  I could not surf without 
squid last night though.


 
 
I can't talk to my caching
name server and I get rejection packets when I try to access a web address
via ip address. ( nothing in the log though...) 

 
 same thing here, what caching name server are we talking about, the one
 used by the firewall ? In that case, you should authorize the 53 port from 
 lan to fw (yes add another rule) or should I add this automatically when 
 activating the Caching name server maybe ?
 


Yes it is the caching name server provided by the firewall. 
I would recommend that you add the rule automatically 
when activating the caching name server.


 One comment though:
 The major difference between the old version and the new one is its
 complexity in terms of number of allowed servers, (DMZ, etc). 
 In the 7.2 version the adding rules were chewed so that anyone 

[Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-05 Thread Florin

Randy Welch [EMAIL PROTECTED] writes:

 Has anyone had any success with it?
 
 It gets stuck on my system doing the initial configuration, i.e. in
 retreiving the network and other information from the install.
 
 I'd be happy to tweak it by hand ( got to figure out what/where it's
 looking for and putting this information.)
 
 Any word on when the follow on product will be available?
 
 Thanks.

Hi there,

what do you mean it gets stuck ? Of course, retrieving the infos will take
some time ... patience, Luke :)

you can eventually display in the same time on the firewall console the
logs with tail -f /var/log/httpd-naat/httpd-naat.error_log

cheers,
-- 
Florin  http://www.mandrakesoft.com




Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-05 Thread Randy Welch


 
 Hi there,
 
 what do you mean it gets stuck ? Of course, retrieving the infos will take
 some time ... patience, Luke :)


It never comes back.  Netscape times out on the connection 
waiting for the script to finish.  I've even run the perl 
script that goes looking for the interfaces by hand and it 
remains quiet.


 
 you can eventually display in the same time on the firewall console the
 logs with tail -f /var/log/httpd-naat/httpd-naat.error_log
 


I will try that when I get home.  Is the symlink for 
httpd-naat fixed yet?

One other item.  For some reason the restricted site 
functionality in squid ( ~8.2 beta2, prior to the shorewall 
change ) doesn't seem to be working.

-randy






Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-05 Thread Randy Welch



Florin wrote:

 Randy Welch [EMAIL PROTECTED] writes:
 
 
Has anyone had any success with it?

It gets stuck on my system doing the initial configuration, i.e. in
retreiving the network and other information from the install.

I'd be happy to tweak it by hand ( got to figure out what/where it's
looking for and putting this information.)

Any word on when the follow on product will be available?

Thanks.

 
 Hi there,
 
 what do you mean it gets stuck ? Of course, retrieving the infos will take
 some time ... patience, Luke :)
 
 you can eventually display in the same time on the firewall console the
 logs with tail -f /var/log/httpd-naat/httpd-naat.error_log
 


Ok after updating to the latest cooker, I reinstalled my 
firewall with the latest and greatest and I was able to 
actually go through the configuration!  Yippee!

However I have a few comments about the new SNF...
1.  It would be nice when doing the setup it could fetch the 
time configuration and default route from the network config 
during setup.

2.  When setting up the web proxy you are asked to select 
what you want for filtering ( DansGuardian or nothing ) 
however in order to set things up like time limits you 
really do have to select squidGuard  for at least banner 
filtering.  I do *like/want* the time restriction provision 
to be there by default.  (If one leaves DansGuard selected 
how do you configure it).

3.  The configuration of the actual firewall is not geared 
towards your usual user.  I know mandrake prides themselves 
on the ease of use factor, which even applied to SNF.  You 
didn't need to be a network admin to setup.  The 8.2 one I 
think you do.

It is neither intuitive nor easy.  The old 7.2 based SNF was 
fairly easy to configure for basic usage.  You could just 
select the services you wanted to use by selecting the 
services you wanted to go through all at once, instead of 
picking each service one at a time.

This needs work in order to appeal to linux newbies or those 
who really really don't want to be firewall gods.

4.  With the configuration ( which I'm not sure I've done 
right.. ) the only way to surf the web is through squid.  I 
can't talk to my caching name server and I get rejection 
packets when I try to access a web address via ip address. ( 
nothing in the log though...)

-randy