Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-08 Thread Florin

Randy Welch <[EMAIL PROTECTED]> writes:

> >>I suspect I didn't do something quite right then...  ( eth0 is LAN for me
> >>and eth1 is WAN ).
> >>
> > any masquerade setup ?
> 
> Yep.  Here is my masq file:

> #interface  subnet  address
> eth0:0.0.0.0/0  192.168.200.1/24
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

your line should be like the following :

eth1:0.0.0.0/0  192.168.200.0/24

note here the TWO modifications to your file :

1. the interface is the WAN interface. In the masquerade field you specify
the interface THROUGH WHICH the traffic is masqueraded and not from which
interface this should be masqueraded.

That means, in a way, that all the traffic out through eth1 (your WAN
interface) and coming from the 192.168.200.0/24 network will appear as
from the firewall because you're using private IP addresses for your lan
and, say a public web server, doesn't know your private address. It
responds therefore to your firewall and then the firewall will resend the
information back to the pc that required that information in the first
place.

2. the network address is 192.168.200.0/24, a C class network that allows
   you to use 255 IP addresses from 192.168.200.1 to 192.168.200.255

hope this helps,
-- 
Florin  http://www.mandrakesoft.com
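The two corrections Florin describes (the masq INTERFACE column names the outgoing WAN interface, and the SUBNET column must be a network address such as 192.168.200.0/24, not a host address) can be checked mechanically. The following is an added example, not code from the thread or from Shorewall; it assumes a constructed interface-to-zone map and re-uses the masq entry quoted above as constructed sample input.

```python
import ipaddress

# Constructed interface-to-zone map matching the thread (eth0 = LAN, eth1 = WAN).
INTERFACE_ZONES = {"eth0": "lan", "eth1": "wan"}

# Constructed copy of the masq entry quoted in the thread, plus the corrected one.
BROKEN_MASQ = """\
#interface  subnet  address
eth0:0.0.0.0/0  192.168.200.1/24
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"""
FIXED_MASQ = "eth1:0.0.0.0/0  192.168.200.0/24\n"


def parse_masq(text):
    """Parse masq lines into (lineno, interface, dest, subnet, address) tuples.

    The first column is INTERFACE, optionally suffixed with ':dest' to limit
    the destination; the second is the source SUBNET; ADDRESS is optional.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need INTERFACE and SUBNET columns")
        iface, _, dest = fields[0].partition(":")
        address = fields[2] if len(fields) > 2 else None
        entries.append((lineno, iface, dest or None, fields[1], address))
    return entries


def check_masq(text, zones=INTERFACE_ZONES):
    """Return a list of (lineno, message) for the two mistakes in the thread."""
    problems = []
    for lineno, iface, _dest, subnet, _addr in parse_masq(text):
        # Mistake 1: the INTERFACE column is the interface traffic leaves
        # through (the WAN side), not the interface it arrives from.
        if zones.get(iface) != "wan":
            problems.append((lineno, f"{iface} is in zone {zones.get(iface)!r}; "
                             "masquerade through the wan interface"))
        # Mistake 2: SUBNET must be a network address, not a host inside it.
        net = ipaddress.ip_network(subnet, strict=False)
        if str(net) != subnet:
            problems.append((lineno, f"{subnet} is a host address; use {net}"))
    return problems
```

Running `check_masq(BROKEN_MASQ)` reports both mistakes on line 2, while the corrected entry passes cleanly.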




Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-07 Thread Randy Welch



Florin wrote:


> 
>>This is great news!  I think that this will allow the basic user to get up
>>and running with Mandrake's ease of use and still leave all the
>>functionality required for the more complex environments.  Are these
>>changes in your download area yet?
>>
>>
> 
> Not yet but they will definitely be there tomorrow  ... :o)


I'll pull them this weekend!


> 
> 
>>
>>I suspect I didn't do something quite right then...  ( eth0 is LAN for me
>>and eth1 is WAN ).
>>
> 
> any masquerade setup ? 
> 

Yep.  Here is my masq file:

#-
# DO NOT MODIFY THIS FILE! It is updated automatically
# by the naat/backend. Modify the template file instead
# in /usr/share/naat/templates/etc/shorewall
#-
#
# Copyright (C) 2002 Mandrakesoft
# Author Florin Grad
#
#-
# Shorewall 1.2.5 /etc/shorewall/masq


#interface  subnet  address
eth0:0.0.0.0/0  192.168.200.1/24
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Though I suspect my error is my subnet address..
should be 192.168.200.0/24

-randy









Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-07 Thread Randy Welch



Florin wrote:

> Randy Welch <[EMAIL PROTECTED]> writes:
> 
> Hello again,
>  
> 
>>Does dan's guardian allow for time restrictions like squidGuard?  I don't
>>want to lose that functionality.
>>
>>
> 
> You can run SquidGuard and DansGuardian at the same time and keep the Time
> restriction feature.
> 


In order to enable both do you have to select SquidGuard for 
banner filtering and DansGuardian for content like you 
currently have to do?



>>In the firewall section it would be nice to have an easy/basic/quick setup
>>that did the following:
>>
>>1.  Setup NAT
>>
>>2.  Perform necessary setup to allow the following services:
>> http/https/pop3/smtp/dns/squid ( maybe nntp/ftp/imap )
>> *without any further intervention from the user*.
>>
> 
> Ok, this is a good and useful idea. I'll open all the
> http/https/pop3/smtp/ssh/nntp/ftp/imap/dns traffic as default from the lan
> to wan so people can use the firewall directly without adding these rules. 
> 


This is great news!  I think that this will allow the basic 
user to get up and running with Mandrake's ease of use and 
still leave all the functionality required for the more 
complex environments.  Are these changes in your download 
area yet?




>  
> Well, it works like a charm here. If you explain your network
> configuration with the eventual private IP ranges used, I could help.
> 
> in two steps, as I said do the following:
> 
> If your eth1 card is the interface associated to the wan zone and eth0 is
> the one associated to the lan zone --- You'll have to do that in the
> network configuration because all the NIC interfaces are in the lan zone
> at the beginning and your private network is 192.168.1.0/24 masquerade
> that network through the eth1 interface (eth1, the wan interface).
> 
> Then add an ACCEPT rule allowing the http traffic from lan to wan.
> 


I suspect I didn't do something quite right then...  ( eth0 
is LAN for me and eth1 is WAN ).



> 
> thank you for your message,
> 


Glad that I can be of assistance.

-randy








Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-07 Thread Florin

Randy Welch <[EMAIL PROTECTED]> writes:

Hello again,
 
> Does dan's guardian allow for time restrictions like squidGuard?  I don't
> want to lose that functionality.
> 

You can run SquidGuard and DansGuardian at the same time and keep the Time
restriction feature.

> > any ideas are welcome ...

> In the firewall section it would be nice to have an easy/basic/quick setup
> that did the following:
> 
> 1.  Setup NAT
> 
> 2.  Perform necessary setup to allow the following services:
>  http/https/pop3/smtp/dns/squid ( maybe nntp/ftp/imap )
>  *without any further intervention from the user*.

Ok, this is a good and useful idea. I'll open all the
http/https/pop3/smtp/ssh/nntp/ftp/imap/dns traffic as default from the lan
to wan so people can use the firewall directly without adding these rules. 

> 
> With what is currently in 8.2 I suspect you are closer to SuSE's firewall
> product, read the quote from the UnixReview article on fire walls about
> their product:
> 
> > The setup program is GUI-based, but you still need to understand how to
> > configure a firewall. If you don't know a DMZ from an ACL,
> > you'll be totally lost with this product
> 
> 
> I think the new snf is going that way.
> 

Well, this firewall now supports several DMZs. This is why I think that
allowing as default all the above services from lan to wan is a good idea
so people that will NOT use a DMZ can use it right away.

> >
> >>4.  With the configuration ( which I'm not sure I've done right.. ) the
> >> only way to surf the web is through squid.
> > Oh no, When you activate squid, this will add the right rules (you can
> > verify that). If you only want to surf the web, you should eventually
> > masquerade your private network and authorize the http (or www)
> > traffic from lan to wan, add a new iptable rule that is.
> > It's normal and intuitive, I think.
> 
> 
> 
> I'll have to think about that.  I could not surf without squid last night
> though.
 
Well, it works like a charm here. If you explain your network
configuration with the eventual private IP ranges used, I could help.

in two steps, as I said do the following:

If your eth1 card is the interface associated to the wan zone and eth0 is
the one associated to the lan zone --- You'll have to do that in the
network configuration because all the NIC interfaces are in the lan zone
at the beginning and your private network is 192.168.1.0/24 masquerade
that network through the eth1 interface (eth1, the wan interface).

Then add an ACCEPT rule allowing the http traffic from lan to wan.

easy, huh ? 
 
> 
> Yes it is the caching name server provided by the firewall.   I would
> recommend that you add the rule automatically when activating the caching
> name server.

Ok, I've added that on the cvs.

> 
> 
> Agreed, however ease of use has been mandrake's hallmark. For the SOHO
> market the functionality as it was in 7.2 got you up and going in no time.
> I don't think that should be lost in the ability to support larger
> enterprises.
> 
> The ability to tweak the config from the gui is certainly more fine
> grained than 7.2 ( Yes I tweaked my Bastille based configs by hand ).  And
> looks quite interesting too.  Don't change that, but don't lose the
> positive out of box experience for the newbie/basic user that 7.2 had.
> 

Allowing all the above traffic as default should do the thing :o)

thank you for your message,
-- 
Florin  http://www.mandrakesoft.com




Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-06 Thread Randy Welch



Florin wrote:

> Randy Welch <[EMAIL PROTECTED]> writes:
>  
> 
>>Ok after updating to the latest cooker, I reinstalled my firewall with the
>>latest and greatest and I was able to actually go through the
>>configuration!  Yippee!
>>
>>However I have a few comments about the new SNF...
>>1.  It would be nice when doing the setup it could fetch the time
>>configuration and default route from the network config during setup.
>>
> 
> Hello again,
> 
> for the time configuration, this is feasible.
> I'm not sure about the default route configuration, though. 
> Keep in mind that only the network configuration is updated (for the NIC
> cards, not DSP, RNIS, modem, etc) 
> 
> Say you have an active internet connection with a default route set by
> your ISP ... The update of such a default gateway will give strange
> results for NIC cards if you're using another device for your internet
> configuration ...
> 


True.  I thought about that this morning and I agree with 
you here.


> 
>>2.  When setting up the web proxy you are asked to select what you want
>>for filtering ( DansGuardian or nothing ) however in order to set things
>>up like time limits you really do have to select squidGuard  for at least
>>banner filtering.  I do *like/want* the time restriction provision to be
>>there by default.  (If one leaves DansGuard selected how do you configure
>>it).
>>
> 
> right enough ... you could check the latest packages at
> people.mandrakesoft.com/~florin/www/rpms but indeed, I have some problems
> with the dansguardian restart service. It simply doesn't want to restart
> using a script and it does restart by hand ... I'll have a closer look on that.
>  


Does dan's guardian allow for time restrictions like 
squidGuard?  I don't want to lose that functionality.


> 
>>3.  The configuration of the actual firewall is not geared towards your
>>usual user.  I know mandrake prides themselves on the ease of use factor,
>>which even applied to SNF.  You didn't need to be a network admin to
>>setup.  The 8.2 one I think you do.
>>
> 
> The latest version is using a DMZ so, it has to be more advanced in some
> sort of way as you have much more configuration possibilities.
> 
> But you still can use the "Add simple rules" menu and use the predefined
> list of services like in the old days (old version, sorry :o)
> 
> 
>>It is neither intuitive nor easy.  The old 7.2 based SNF was fairly easy to
>>configure for basic usage.  You could just select the services you wanted
>>to use by selecting the services you wanted to go through all at once,
>>instead of picking each service one at a time.
>>
>>This needs work in order to appeal to linux newbies or those who really
>>really don't want to be firewall gods.
>>
> 
> any ideas are welcome ...
> 



In the firewall section it would be nice to have an 
easy/basic/quick setup that did the following:

1.  Setup NAT

2.  Perform necessary setup to allow the following services:
 http/https/pop3/smtp/dns/squid ( maybe nntp/ftp/imap )
 *without any further intervention from the user*.

I think with this you can get the new user up and going 
without a user having to know a whole lot about the ins and 
outs of firewalls.  The whole firewall section could use 
some really clear documentation while you are doing the 
configuration so one can have a good idea as to what one is 
supposed to do.


With what is currently in 8.2 I suspect you are closer to 
SuSE's firewall product, read the quote from the UnixReview 
article on firewalls about their product:

> The setup program is GUI-based, but you still need to understand how to
> configure a firewall. If you don't know a DMZ from an ACL,
> you'll be totally lost with this product


I think the new snf is going that way.


> 
>>4.  With the configuration ( which I'm not sure I've done right.. ) the
>>only way to surf the web is through squid. 
>>
> 
> Oh no, When you activate squid, this will add the right rules (you can
> verify that). If you only want to surf the web, you should eventually
> masquerade your private network and authorize the http (or www)
> traffic from lan to wan, add a new iptable rule that is.
> 
> It's normal and intuitive, I think.



I'll have to think about that.  I could not surf without 
squid last night though.


> 
> 
>>I can't talk to my caching
>>name server and I get rejection packets when I try to access a web address
>>via ip address. ( nothing in the log though...) 
>>
> 
> same thing here, what caching name server are we talking about, the one
> used by the firewall ? In that case, you should authorize the 53 port from 
> lan to fw (yes add another rule) or should I add this automatically when 
> activating the Caching name server maybe ?
> 


Yes it is the caching name server provided by the firewall. 
I would recommend that you add the rule automatically 
when activating the caching name server.


> One comment though:
> The major difference between the old version and the new one is i

Re: [SNF] Re: [Cooker] Re: [SNF] SNF in 8.2 cooker.

2002-03-06 Thread Florin

Randy Welch <[EMAIL PROTECTED]> writes:
 
> Ok after updating to the latest cooker, I reinstalled my firewall with the
> latest and greatest and I was able to actually go through the
> configuration!  Yippee!
> 
> However I have a few comments about the new SNF...
> 1.  It would be nice when doing the setup it could fetch the time
> configuration and default route from the network config during setup.

Hello again,

for the time configuration, this is feasible.
I'm not sure about the default route configuration, though. 
Keep in mind that only the network configuration is updated (for the NIC
cards, not DSP, RNIS, modem, etc) 

Say you have an active internet connection with a default route set by
your ISP ... The update of such a default gateway will give strange
results for NIC cards if you're using another device for your internet
configuration ...

> 2.  When setting up the web proxy you are asked to select what you want
> for filtering ( DansGuardian or nothing ) however in order to set things
> up like time limits you really do have to select squidGuard  for at least
> banner filtering.  I do *like/want* the time restriction provision to be
> there by default.  (If one leaves DansGuard selected how do you configure
> it).

right enough ... you could check the latest packages at
people.mandrakesoft.com/~florin/www/rpms but indeed, I have some problems
with the dansguardian restart service. It simply doesn't want to restart
using a script and it does restart by hand ... I'll have a closer look on that.
 
> 3.  The configuration of the actual firewall is not geared towards your
> usual user.  I know mandrake prides themselves on the ease of use factor,
> which even applied to SNF.  You didn't need to be a network admin to
> setup.  The 8.2 one I think you do.

The latest version is using a DMZ so, it has to be more advanced in some
sort of way as you have much more configuration possibilities.

But you still can use the "Add simple rules" menu and use the predefined
list of services like in the old days (old version, sorry :o)

> It is neither intuitive nor easy.  The old 7.2 based SNF was fairly easy to
> configure for basic usage.  You could just select the services you wanted
> to use by selecting the services you wanted to go through all at once,
> instead of picking each service one at a time.
> 
> This needs work in order to appeal to linux newbies or those who really
> really don't want to be firewall gods.

any ideas are welcome ...

> 4.  With the configuration ( which I'm not sure I've done right.. ) the
> only way to surf the web is through squid. 

Oh no, When you activate squid, this will add the right rules (you can
verify that). If you only want to surf the web, you should eventually
masquerade your private network and authorize the http (or www)
traffic from lan to wan, add a new iptable rule that is.

It's normal and intuitive, I think.

> I can't talk to my caching
> name server and I get rejection packets when I try to access a web address
> via ip address. ( nothing in the log though...) 

same thing here, what caching name server are we talking about, the one
used by the firewall ? In that case, you should authorize the 53 port from 
lan to fw (yes add another rule) or should I add this automatically when 
activating the Caching name server maybe ?

One comment though:
The major difference between the old version and the new one is its
complexity in terms of the number of allowed servers, (DMZ, etc). 
In the 7.2 version the adding rules were chewed so that anyone can use it
because there were only two sides (office and the internet). With the
latest version, you can have an unlimited number of zones ... so, in order
to make a service available (say a web server) you need two steps instead
of one: 
- activate a service in a zone, say an apache (web) server and then 
- add the right iptables rule to allow the corresponding traffic

cheers,
-- 
Florin  http://www.mandrakesoft.com