Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.
Randy Welch <[EMAIL PROTECTED]> writes:

> >>I suspect I didn't do something quite right then... ( eth0 is LAN for me
> >>and eth1 is WAN ).
> >>
> > any masquerade setup ?
>
> Yep. Here is my masq file:
> #interface subnet address
> eth0:0.0.0.0/0 192.168.200.1/24
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

your line should be like the following :

eth1:0.0.0.0/0 192.168.200.0/24

note here the TWO modifications to your file :

1. the interface is the WAN interface. In the masquerade field you specify the interface THROUGH WHICH the traffic is masqueraded and not from which interface this should be masqueraded. That means, in a way, that all the traffic out through eth1 (your WAN interface) and coming from the 192.168.200.0/24 network will appear as from the firewall because you're using private IP addresses for your lan and, say a public web server, doesn't know your private address. It responds therefore to your firewall and then the firewall will resend the information back to the pc that required that information in the first place.

2. the network address is 192.168.200.0/24, a C class network that allows you to use 255 IP addresses from 192.168.200.1 to 192.168.200.255

hope this helps,

--
Florin
http://www.mandrakesoft.com
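The two corrections Florin describes, as an added example that is not part of the thread and not SNF's or Shorewall's own code: a small Python checker for Shorewall 1.2 masq entries, run over the exact line Randy posted and over Florin's corrected line. It assumes (as Randy states) that eth1 is the WAN interface and eth0 the LAN interface.

```python
import ipaddress

# Constructed from the thread: Randy's posted entry and Florin's corrected one.
RANDY_MASQ = """\
#interface subnet address
eth0:0.0.0.0/0 192.168.200.1/24
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"""
FLORIN_MASQ = "eth1:0.0.0.0/0 192.168.200.0/24\n"


def parse_masq(text):
    """Return (interface, dest, subnet) tuples from a Shorewall 1.2 masq file.
    The INTERFACE column may carry a ':dest' qualifier; comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        iface_field, subnet = line.split()[:2]
        iface, _, dest = iface_field.partition(":")
        entries.append((iface, dest or "0.0.0.0/0", subnet))
    return entries


def check_masq(text, wan_ifaces=("eth1",)):
    """Return the problems found; an empty list means the entry looks right.
    wan_ifaces is an assumption: eth1 is the WAN interface in Randy's setup."""
    problems = []
    for iface, _dest, subnet in parse_masq(text):
        # Modification 1: the first column is the interface traffic leaves
        # THROUGH (the WAN side), not the LAN interface it comes from.
        if iface not in wan_ifaces:
            problems.append(f"{iface}: not a WAN interface, masquerade through {wan_ifaces}")
        # Modification 2: the SUBNET column must be a network address
        # (host bits zero); 192.168.200.1/24 names a host, not the network.
        try:
            net = ipaddress.ip_network(subnet, strict=True)
        except ValueError:
            try:
                fixed = ipaddress.ip_network(subnet, strict=False)
            except ValueError:
                problems.append(f"{subnet}: not a valid subnet")
                continue
            problems.append(f"{subnet}: host bits set, the network is {fixed}")
            continue
        if not net.is_private:
            problems.append(f"{net}: masquerading is meant for private (RFC 1918) ranges")
    return problems
```

Running `check_masq(RANDY_MASQ)` reports both mistakes, while `check_masq(FLORIN_MASQ)` returns an empty list.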
Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.
Florin wrote:

>>This is great news! I think that this will allow the basic user to get up
>>and running with Mandrake's ease of use and still leave all the
>>functionality required for the more complex environments. Are these
>>changes in your download area yet?
>>
>
> Not yet but they will be definitely be there tomorrow ... :o)

I'll pull them this weekend!

>>I suspect I didn't do something quite right then... ( eth0 is LAN for me
>>and eth1 is WAN ).
>>
>
> any masquerade setup ?

Yep. Here is my masq file:

#-
# DO NOT MODIFY THIS FILE! It is updated automatically
# by the naat/backend. Modify the template file instead
# in /usr/share/naat/templates/etc/shorewall
#-
#
# Copyright (C) 2002 Mandrakesoft
# Author Florin Grad
#
#-
# Shorewall 1.2.5 /etc/shorewall/masq
#interface subnet address
eth0:0.0.0.0/0 192.168.200.1/24
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Though I suspect my error is my subnet address.. should be 192.168.200.0/24

-randy
Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.
Florin wrote:
> Randy Welch <[EMAIL PROTECTED]> writes:
>
> Hello again,
>
>>Does dan's guardian allow for time restrictions like squidGuard? I don't
>>want to lose that functionality.
>>
>
> You can run SquidGuard and DansGuardian at the same time and keep the Time
> restriction feature.

In order to enable both do you have to select SquidGuard for banner filtering and DansGuardian for content like you currently have to do?

>>In the firewall section it would be nice to have an easy/basic/quick setup
>>that did the following:
>>
>>1. Setup NAT
>>
>>2. Perform necessary setup to allow the following services:
>> http/https/pop3/smtp/dns/squid ( maybe nntp/ftp/imap )
>> *without any further intervention from the user*.
>>
>
> Ok, this is a good and useful idea. I'll open all the
> http/https/pop3/smtp/ssh/nntp/ftp/imap/dns traffic as default from the lan
> to wan so people can use the firewall directly without adding these rules.

This is great news! I think that this will allow the basic user to get up and running with Mandrake's ease of use and still leave all the functionality required for the more complex environments. Are these changes in your download area yet?

> Well, it works like a charm here. If you explain your network
> configuration with the eventual private IP ranges used, I could help.
>
> in two steps, as I said do the following:
>
> If your eth1 card is the interface associated to the wan zone and eth0 is
> the one associated to the lan zone --- You'll have to do that in the
> network configuration because all the NIC interfaces are in the lan zone
> at the beginning and your private network is 192.168.1.0/24 masquerade
> that network through the eth1 interface (eth1, the wan interface).
>
> Then add an ACCEPT rule allowing the http traffic from lan to wan.

I suspect I didn't do something quite right then... ( eth0 is LAN for me and eth1 is WAN ).

> thank you for your message,

Glad that I can be of assistance.

-randy
Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.
Randy Welch <[EMAIL PROTECTED]> writes:

Hello again,

> Does dan's guardian allow for time restrictions like squidGuard? I don't
> want to lose that functionality.

You can run SquidGuard and DansGuardian at the same time and keep the Time restriction feature.

> > any ideas are welcome ...
>
> In the firewall section it would be nice to have an easy/basic/quick setup
> that did the following:
>
> 1. Setup NAT
>
> 2. Perform necessary setup to allow the following services:
> http/https/pop3/smtp/dns/squid ( maybe nntp/ftp/imap )
> *without any further intervention from the user*.

Ok, this is a good and useful idea. I'll open all the http/https/pop3/smtp/ssh/nntp/ftp/imap/dns traffic as default from the lan to wan so people can use the firewall directly without adding these rules.

> With what is currently in 8.2 I suspect you are closer to SuSE's firewall
> product, read the quote from the UnixReview article on firewalls about
> their product:
>
> > The setup program is GUI-based, but you still need to understand how to
> > configure a firewall. If you don't know a DMZ from an ACL,
> > you'll be totally lost with this product
>
> I think the new snf is going that way.

Well, this firewall now supports several DMZs. This is why I think that allowing as default all the above services from lan to wan is a good idea so people that will NOT use a DMZ can use it right away.

> >>4. With the configuration ( which I'm not sure I've done right.. ) the
> >> only way to surf the web is through squid.
>
> > Oh no, When you activate squid, this will add the right rules (you can
> > verify that). If you only want to surf the web, you should eventually
> > masquerade your private network and authorize the http (or www)
> > traffic from lan to wan, add a new iptable rule that is.
> > It's normal and intuitive, I think.
>
> I'll have to think about that. I could not surf without squid last night
> though.

Well, it works like a charm here. If you explain your network configuration with the eventual private IP ranges used, I could help.

in two steps, as I said do the following:

If your eth1 card is the interface associated to the wan zone and eth0 is the one associated to the lan zone --- You'll have to do that in the network configuration because all the NIC interfaces are in the lan zone at the beginning and your private network is 192.168.1.0/24 masquerade that network through the eth1 interface (eth1, the wan interface).

Then add an ACCEPT rule allowing the http traffic from lan to wan.

easy, huh ?

> Yes it is the caching name server provided by the firewall. I would
> recommend that you add the rule automatically when activating the caching
> name server.

Ok, I've added that on the cvs.

> Agreed, however ease of use has been mandrake's hallmark. For the SOHO
> market the functionality as it was in 7.2 got you up and going in no time.
> I don't think that should be lost in the ability to support larger
> enterprises.
>
> The ability to tweak the config from the gui is certainly more fine
> grained than 7.2 ( Yes I tweaked my Bastille based configs by hand ). And
> looks quite interesting too. Don't change that, but don't lose the
> positive out of box experience for the newbie/basic user that 7.2 had.

Allowing all the above traffic as default should do the thing :o)

thank you for your message,

--
Florin
http://www.mandrakesoft.com
Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.
Florin wrote:
> Randy Welch <[EMAIL PROTECTED]> writes:
>
>>Ok after updating to the latest cooker, I reinstalled my firewall with the
>>latest and greatest and I was able to actually go through the
>>configuration! Yippee!
>>
>>However I have a few comments about the new SNF...
>>1. It would be nice when doing the setup it could fetch the time
>>configuration and default route from the network config during setup.
>
> Hello again,
>
> for the time configuration, this is feasible.
> I'm not sure about the default route configuration, though.
> Keep in mind that only the network configuration is updated (for the NIC
> cards, not DSP, RNIS, modem, etc)
>
> Say you have an active internet connection with a default route set by
> your ISP ... The update of such a default gateway will give strange
> results for NIC cards if you're using another device for your internet
> configuration ...

True. I thought about that this morning and I agree with you here.

>>2. When setting up the web proxy you are asked to select what you want
>>for filtering ( DansGuardian or nothing ) however in order to set things
>>up like time limits you really do have to select squidGuard for at least
>>banner filtering. I do *like/want* the time restriction provision to be
>>there by default. (If one leaves DansGuard selected how do you configure
>>it).
>
> right enough ... you could check the latest packages at
> people.mandrakesoft.com/~florin/www/rpms but indeed, I have some problems
> with the dansguardian restart service. It simply doesn't want to restart
> using a script and it does restart by hand ... I'll have a closer look on that.

Does dan's guardian allow for time restrictions like squidGuard? I don't want to lose that functionality.

>>3. The configuration of the actual firewall is not geared towards your
>>usual user. I know mandrake prides themselves on the ease of use factor,
>>which even applied to SNF. You didn't need to be a network admin to
>>setup. The 8.2 one I think you do.
>
> The latest version is using a DMZ so, it has to be more advanced in some
> sort of way as you have much more configuration possibilities.
>
> But you still can use the "Add simple rules" menu and use the predefined
> list of services like in the old days (old version, sorry :o)
>
>>It is neither intuitive nor easy. The old 7.2 based SNF was fairly easy to
>>configure for basic usage. You could just select the services you wanted
>>to use by selecting the services you wanted to go through all at once,
>>instead of picking each service one at a time.
>>
>>This needs work in order to appeal to linux newbies or those who really
>>really don't want to be firewall gods.
>
> any ideas are welcome ...

In the firewall section it would be nice to have an easy/basic/quick setup that did the following:

1. Setup NAT

2. Perform necessary setup to allow the following services:
http/https/pop3/smtp/dns/squid ( maybe nntp/ftp/imap )
*without any further intervention from the user*.

I think with this you can get the new user up and going without a user having to know a whole lot about the ins and outs of firewalls.

The whole firewall section could use some really clear documentation while you are doing the configuration so one can have a good idea as to what one is supposed to do.

With what is currently in 8.2 I suspect you are closer to SuSE's firewall product, read the quote from the UnixReview article on firewalls about their product:

> The setup program is GUI-based, but you still need to understand how to
> configure a firewall. If you don't know a DMZ from an ACL,
> you'll be totally lost with this product

I think the new snf is going that way.

>>4. With the configuration ( which I'm not sure I've done right.. ) the
>>only way to surf the web is through squid.
>
> Oh no, When you activate squid, this will add the right rules (you can
> verify that). If you only want to surf the web, you should eventually
> masquerade your private network and authorize the http (or www)
> traffic from lan to wan, add a new iptable rule that is.
>
> It's normal and intuitive, I think.

I'll have to think about that. I could not surf without squid last night though.

>>I can't talk to my caching
>>name server and I get rejection packets when I try to access a web address
>>via ip address. ( nothing in the log though...)
>
> same thing here, what caching name server are we talking about, the one
> used by the firewall ? In that case, you should authorize the 53 port from
> lan to fw (yes add another rule) or should I add this automatically when
> activating the Caching name server maybe ?

Yes it is the caching name server provided by the firewall. I would recommend that you add the rule automatically when activating the caching name server.

> One comment though:
> The major difference between the old version and the new one is i
Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.
Randy Welch <[EMAIL PROTECTED]> writes:

> Ok after updating to the latest cooker, I reinstalled my firewall with the
> latest and greatest and I was able to actually go through the
> configuration! Yippee!
>
> However I have a few comments about the new SNF...
> 1. It would be nice when doing the setup it could fetch the time
> configuration and default route from the network config during setup.

Hello again,

for the time configuration, this is feasible.
I'm not sure about the default route configuration, though.
Keep in mind that only the network configuration is updated (for the NIC cards, not DSP, RNIS, modem, etc)

Say you have an active internet connection with a default route set by your ISP ... The update of such a default gateway will give strange results for NIC cards if you're using another device for your internet configuration ...

> 2. When setting up the web proxy you are asked to select what you want
> for filtering ( DansGuardian or nothing ) however in order to set things
> up like time limits you really do have to select squidGuard for at least
> banner filtering. I do *like/want* the time restriction provision to be
> there by default. (If one leaves DansGuard selected how do you configure
> it).

right enough ... you could check the latest packages at people.mandrakesoft.com/~florin/www/rpms but indeed, I have some problems with the dansguardian restart service. It simply doesn't want to restart using a script and it does restart by hand ... I'll have a closer look on that.

> 3. The configuration of the actual firewall is not geared towards your
> usual user. I know mandrake prides themselves on the ease of use factor,
> which even applied to SNF. You didn't need to be a network admin to
> setup. The 8.2 one I think you do.

The latest version is using a DMZ so, it has to be more advanced in some sort of way as you have much more configuration possibilities.

But you still can use the "Add simple rules" menu and use the predefined list of services like in the old days (old version, sorry :o)

> It is neither intuitive nor easy. The old 7.2 based SNF was fairly easy to
> configure for basic usage. You could just select the services you wanted
> to use by selecting the services you wanted to go through all at once,
> instead of picking each service one at a time.
>
> This needs work in order to appeal to linux newbies or those who really
> really don't want to be firewall gods.

any ideas are welcome ...

> 4. With the configuration ( which I'm not sure I've done right.. ) the
> only way to surf the web is through squid.

Oh no, When you activate squid, this will add the right rules (you can verify that). If you only want to surf the web, you should eventually masquerade your private network and authorize the http (or www) traffic from lan to wan, add a new iptable rule that is.

It's normal and intuitive, I think.

> I can't talk to my caching
> name server and I get rejection packets when I try to access a web address
> via ip address. ( nothing in the log though...)

same thing here, what caching name server are we talking about, the one used by the firewall ? In that case, you should authorize the 53 port from lan to fw (yes add another rule) or should I add this automatically when activating the Caching name server maybe ?

One comment though:
The major difference between the old version and the new one is its complexity in terms of number of allowed servers, (DMZ, etc). In the 7.2 version the adding rules were chewed so that anyone can use it because there were only two sides (office and the internet). With the latest version, you can have an unlimited number of zones ... so, in order to make a service available (say a web server) you need two steps instead of one:

- activate a service in a zone, say an apache (web) server and then
- add the right iptables rule to allow the corresponding traffic

cheers,

--
Florin
http://www.mandrakesoft.com