Re: firestarter
Hi Paul,

I personally haven't used such a program since I know very little about networking stuff. However, I searched the net and found a wiki page you might be interested in: <https://wiki.debian.org/DebianFirewall#Graphic_applications_and_frontends>. The wiki page suggested many graphic applications and frontends for iptables, such as ferm <https://packages.debian.org/jessie/ferm>, which has been available since squeeze.

PS: I mistakenly set up auto-reply yesterday, sorry for replying to you with an empty email.

Cheers,
Alex

On 30/09/2015, paul wrote:
> Thanks for the Info. I'll look for another IP table manager.
> I'm always open to suggestions.
>
> On 09/29/2015 04:55 PM, Alex Vong wrote:
>> Hi Paul,
>>
>> You are lucky not to be able to install it! firestarter contained a grave
>> bug that will make booting impossible
>> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772715>. Besides,
>> the package was being abandoned by the upstream developers
>> <https://packages.qa.debian.org/f/firestarter/news/20130608T012654Z.html>.
>> Sorry, but I think you need to find similar software.
>>
>> Cheers,
>> Alex
>>
>> On 29/09/2015, paul wrote:
>>> Why is this not found?
>>>
>>> paul@paul-HP-Compaq-dc5750-Small-Form-Factor:~$ sudo apt-get install firestarter
>>> [sudo] password for paul:
>>> Reading package lists... Done
>>> Building dependency tree
>>> Reading state information... Done
>>> E: Unable to locate package firestarter
Re: firestarter
Hi Paul,

You are lucky not to be able to install it! firestarter contained a grave bug that will make booting impossible <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772715>. Besides, the package was being abandoned by the upstream developers <https://packages.qa.debian.org/f/firestarter/news/20130608T012654Z.html>. Sorry, but I think you need to find similar software.

Cheers,
Alex

On 29/09/2015, paul wrote:
> Why is this not found?
>
> paul@paul-HP-Compaq-dc5750-Small-Form-Factor:~$ sudo apt-get install firestarter
> [sudo] password for paul:
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> E: Unable to locate package firestarter
Re: Firestarter Events always empty
On Sunday 01 December 2013 08:10 PM, Gábor Hársfalvi wrote:
> 2013/12/1 Andreas Rönnquist <mailto:mailingli...@gusnan.se>
>
>> On Sun, 1 Dec 2013 13:31:28 +0100,
>> Gábor Hársfalvi <mailto:hgab...@gmail.com> wrote:
>>
>>> Why?
>>>
>>> Thanks for all possible answers
>>
>> From the Debian description at [1]:
>>
>> "Firestarter is no longer developed and is missing some critical
>> features such as IPv6 support, so users may be advised to look into
>> more modern alternatives such as gufw."
>>
>> To me it looks like (sadly enough) it hasn't had an upstream release
>> since 2005. [2]
>>
>> If I were you, I would look for alternatives.
>>
>> [1]: http://packages.debian.org/sid/firestarter
>> [2]: http://sourceforge.net/projects/firestarter/files/firestarter/
>>
>> --
>> Andreas Rönnquist
>> mailingli...@gusnan.se
>> gus...@gusnan.se
>>
>> --
>> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact
>> listmas...@lists.debian.org
>> Archive: http://lists.debian.org/20131201141424.4a206...@debian.lan
>
> I know it's too old - but on other PCs Firestarter works well with the
> same system - Debian Squeeze.
>
> I just tried gufw too - but it's not so good for me - in Firestarter I
> like the Events tab where I can block/unblock anything very quickly. Is
> there any Firewall for Debian like this? I will try that

Hi,

http://debtags.debian.net/search/?wl=security%3A%3Afirewall%2Crole%3A%3Aprogram&q=firewall&qf=default

This shows the list of firewall apps/scripts (with tags) in the debian main repository.

I'm sorry, I've only experimented with Firestarter and UFW to date.

HTH,
Kailash

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/529d59d6.2050...@gmail.com
Re: Firestarter Events always empty
2013/12/1 Andreas Rönnquist

> On Sun, 1 Dec 2013 13:31:28 +0100,
> Gábor Hársfalvi wrote:
>
>> Why?
>>
>> Thanks for all possible answers
>
> From the Debian description at [1]:
>
> "Firestarter is no longer developed and is missing some critical
> features such as IPv6 support, so users may be advised to look into
> more modern alternatives such as gufw."
>
> To me it looks like (sadly enough) it hasn't had an upstream release
> since 2005. [2]
>
> If I were you, I would look for alternatives.
>
> [1]: http://packages.debian.org/sid/firestarter
> [2]: http://sourceforge.net/projects/firestarter/files/firestarter/
>
> --
> Andreas Rönnquist
> mailingli...@gusnan.se
> gus...@gusnan.se
>
> Archive: http://lists.debian.org/20131201141424.4a206...@debian.lan

I know it's too old - but on other PCs Firestarter works well with the same system - Debian Squeeze.

I just tried gufw too - but it's not so good for me - in Firestarter I like the Events tab where I can block/unblock anything very quickly. Is there any Firewall for Debian like this? I will try that
Re: Firestarter Events always empty
On Sun, 1 Dec 2013 13:31:28 +0100, Gábor Hársfalvi wrote:
> Why?
>
> Thanks for all possible answers

From the Debian description at [1]:

"Firestarter is no longer developed and is missing some critical features such as IPv6 support, so users may be advised to look into more modern alternatives such as gufw."

To me it looks like (sadly enough) it hasn't had an upstream release since 2005. [2]

If I were you, I would look for alternatives.

[1]: http://packages.debian.org/sid/firestarter
[2]: http://sourceforge.net/projects/firestarter/files/firestarter/

--
Andreas Rönnquist
mailingli...@gusnan.se
gus...@gusnan.se

Archive: http://lists.debian.org/20131201141424.4a206...@debian.lan
Firestarter Events always empty
Why?

Thanks for all possible answers
Re: change in behavior of iptables with respect to firestarter
On 10/27/2010 07:23 PM, Rob Owens wrote:
> I'm inclined to call it a bug in firestarter, but to be sure, test it out with Network Manager instead of wicd. See if you have the same problem. I think you will, which will indicate the problem is with firestarter (or possibly with the way you configured firestarter).
>
> -Rob

I did try purging firestarter, re-installing it, and starting over with an extremely simple configuration (just basic deny all incoming but without ICMP filtering). It still wouldn't come up on a system configured to work with wicd managing multiple fixed IP addresses.

The funny thing is that I have been using firestarter because it was "easy". I also tried gufw as an alternative because it was "easy". With firestarter I could configure the firewall the way I wanted it to work (accepting only ssh connections from particular IP addresses), but it wouldn't start reliably. Gufw was totally reliable in my testing, but didn't offer anything like the flexibility of firestarter in configuration of the firewall.

So I just tried using ufw. As far as I'm concerned, it's easier to understand its man pages and use it from the CLI than it is to use the gufw front end. So, I'm happy. I guess I didn't need no stinkin' GUI. ;-)

Firestarter is pretty impressive, but it's history for me in my particular circumstances. It looks to me as though they may have compromised their reliability (at least for admittedly somewhat odd cases like mine -- I realize that most people who move among multiple networks these days are using DHCP) by trying to provide access to so many advanced features through the GUI. I guess it requires a lot of conditionals testing before bringing up the firewall, and it's pretty hard to predict all the possibilities.

If I get time this weekend, I'll do as you suggest by setting up a system with Network Manager and Firestarter just to see if I can confirm that the issue lies with Firestarter. If I do so, it will only be in the hope that I just might be able to provide helpful feedback to the developers.

I only used firestarter (and then gufw) because I didn't want to get into using iptables for controlling netfilter, but the discovery of ufw has given me a much easier and more satisfying solution -- even though having "Ubuntu" firewall in Debian seems a little heretical. (I was surprised to see it in the repositories. I kind of hope the Debian folks don't decide to drop it.)

Thank you very, very much for your consideration, Rob. I know I've been a pest. I'll stop arising from the grave on this one now.

Regards,
Gilbert

Archive: http://lists.debian.org/4cc96c00.4070...@comcast.net
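As an added example (not Firestarter's, wicd's, Debian's or any poster's own code), this is the policy Gilbert wanted, deny everything inbound except ssh from a few named hosts, written so that it does not suffer from the two failure modes the thread turns on. The rules name only the interface, never an address, so they can be loaded before the link or the address is up, which is the ordering Rob describes as ideal; and when the kernel does not know the device, the script says so on stderr and syslog and exits non-zero instead of failing silently the way the thread describes. The interface name, the admin addresses, the availability of the iptables conntrack match and a Linux with /sys mounted are all assumptions.

```shell
#!/bin/sh
# Added example, not Firestarter's, wicd's or Debian's own code.
# Loads a small default-deny iptables ruleset that names only the
# external interface, never an address, so it can be applied before the
# link or the IP address is up, and refuses loudly (stderr and syslog)
# when the kernel does not know the device instead of failing silently.
# Assumptions: Linux with /sys mounted, iptables with the conntrack
# match, interface name and admin addresses supplied by the caller.

IPT="${IPT:-iptables}"   # set IPT=echo for a dry run that only prints the commands
LOG_TAG="fw-apply"

# Return 0 if the kernel knows the interface (link or address not required).
iface_exists() {
    [ -n "$1" ] && [ -d "/sys/class/net/$1" ]
}

# Print the ruleset, one iptables argument string per line, for an external
# interface and a space-separated list of admin hosts allowed to ssh in.
# Policy is set to DROP before the flush so the table never passes through
# an open state; everything else arriving on the interface is logged, rate
# limited, and dropped.
build_rules() {
    iface="$1"; admins="$2"
    printf '%s\n' \
        "-P INPUT DROP" \
        "-P FORWARD DROP" \
        "-P OUTPUT ACCEPT" \
        "-F INPUT" \
        "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    for a in $admins; do
        printf '%s\n' "-A INPUT -i $iface -p tcp -s $a --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' \
        "-A INPUT -i $iface -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \"" \
        "-A INPUT -i $iface -j DROP"
}

# Number of iptables invocations build_rules will make.
rule_count() {
    build_rules "$1" "$2" | wc -l | tr -d ' '
}

# Apply the ruleset. Exit status: 0 applied, 2 interface unknown (nothing
# touched), 1 an iptables call failed (policy is already DROP at that point).
apply_rules() {
    iface="$1"; admins="$2"
    if ! iface_exists "$iface"; then
        msg="interface '$iface' is not known to the kernel; firewall NOT applied"
        echo "$LOG_TAG: $msg" >&2
        if command -v logger >/dev/null 2>&1; then
            logger -t "$LOG_TAG" -p daemon.err "$msg" || :
        fi
        return 2
    fi
    # eval so the quoted --log-prefix value reaches iptables as one argument
    build_rules "$iface" "$admins" | while IFS= read -r rule; do
        eval "$IPT $rule" || { echo "$LOG_TAG: failed: $IPT $rule" >&2; exit 1; }
    done || return 1
    echo "$LOG_TAG: $(rule_count "$iface" "$admins") rules applied on $iface" >&2
}

# Typical use from an init script, an ifupdown pre-up line, or a wicd
# pre-connection script:
#   apply_rules eth0 "192.0.2.10 192.0.2.11"
```

Run it once with `IPT=echo` to see the exact iptables calls without touching the kernel, then invoke `apply_rules eth0 "192.0.2.10 192.0.2.11"` from whichever hook fires earliest on your system. Because the INPUT policy is switched to DROP before anything else, a failure part-way through leaves the host closed rather than open, and the non-zero exit plus the syslog line are what an init script or wicd hook can act on.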
Re: change in behavior of iptables with respect to firestarter
On Tue, Oct 26, 2010 at 02:02:04PM -0400, Gilbert Sullivan wrote:
> On 10/23/2010 12:15 PM, Rob Owens wrote:
>> If your firewall script references an IP address (which you don't have
>> when the network is down), I think it needs the network to be up in
>> order to run.
>>
>> If the script only references the interface (eth0, for
>> example) it might run even if the network is down, as long as the kernel
>> is aware of eth0's existence. But I'm not sure how wicd affects this.
>> I think your /etc/network/interfaces file will not have anything besides
>> the loopback device listed.
>>
>> -Rob
>
> Hi,
>
> I hope you'll pardon my resurrection of this thread.
>
> Your comments got me to thinking about this. Why would systems running
> wicd as the network manager fail to start the firewall when configured
> to switch between multiple fixed IP addresses, while other machines
> configured for only a single fixed IP address start the firewall without
> any trouble?
>
> I looked at /etc/network/interfaces on the systems with a single fixed
> IP address. They contained (of course) the specifications for that
> network location. The systems switching among multiple fixed IP
> addresses had to have /etc/network/interfaces configured like this:
>
> ---8<
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> allow-hotplug eth0
> iface eth0 inet static
> -------8<
>
> For grins, I reconfigured /etc/network/interfaces on one of the single
> network profile systems and, sure enough, firestarter fails to launch
> the firewall. If I switch back to a normal interfaces file, the firewall
> starts.
>
> So, I guess the problem isn't with wicd, per se, but with the way I'm
> having to configure /etc/network/interfaces in order to use wicd to
> switch among multiple network profiles with fixed IP addresses.
>
> I'm not sure whether I'd call this a bug with firestarter or a bug with
> wicd or an unfortunate interaction or (more likely) a bug with the end
> user (PEBKAC).
>
> I'm pretty sure I'm not going to get wicd to work with multiple fixed IP
> addresses without setting up /etc/network/interfaces in this manner. I
> really like both wicd and firestarter. Would anyone see a chance for me
> to get them to work together in my particular circumstances?
>
I'm inclined to call it a bug in firestarter, but to be sure, test it out with Network Manager instead of wicd. See if you have the same problem. I think you will, which will indicate the problem is with firestarter (or possibly with the way you configured firestarter).

-Rob

Archive: http://lists.debian.org/20101027232337.gb32...@aurora.owens.net
Re: change in behavior of iptables with respect to firestarter
On 10/23/2010 12:15 PM, Rob Owens wrote:
> If your firewall script references an IP address (which you don't have when the network is down), I think it needs the network to be up in order to run.
>
> If the script only references the interface (eth0, for example) it might run even if the network is down, as long as the kernel is aware of eth0's existence. But I'm not sure how wicd affects this. I think your /etc/network/interfaces file will not have anything besides the loopback device listed.
>
> -Rob

Hi,

I hope you'll pardon my resurrection of this thread.

Your comments got me to thinking about this. Why would systems running wicd as the network manager fail to start the firewall when configured to switch between multiple fixed IP addresses, while other machines configured for only a single fixed IP address start the firewall without any trouble?

I looked at /etc/network/interfaces on the systems with a single fixed IP address. They contained (of course) the specifications for that network location. The systems switching among multiple fixed IP addresses had to have /etc/network/interfaces configured like this:

---8<
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
---8<

For grins, I reconfigured /etc/network/interfaces on one of the single network profile systems and, sure enough, firestarter fails to launch the firewall. If I switch back to a normal interfaces file, the firewall starts.

So, I guess the problem isn't with wicd, per se, but with the way I'm having to configure /etc/network/interfaces in order to use wicd to switch among multiple network profiles with fixed IP addresses.

I'm not sure whether I'd call this a bug with firestarter or a bug with wicd or an unfortunate interaction or (more likely) a bug with the end user (PEBKAC).

I'm pretty sure I'm not going to get wicd to work with multiple fixed IP addresses without setting up /etc/network/interfaces in this manner. I really like both wicd and firestarter. Would anyone see a chance for me to get them to work together in my particular circumstances?

Thanks for your patience and help,
Gilbert

Archive: http://lists.debian.org/4cc7179c.6070...@comcast.net
Re: change in behavior of iptables with respect to firestarter
On 10/24/2010 07:45 PM, Rob Owens wrote:
> On Sun, Oct 24, 2010 at 12:20:59PM -0400, Gilbert Sullivan wrote:
>> This is a pretty sophisticated firewall front end, allowing for connection sharing and allowing you to limit service connections to specific IP addresses or IP address ranges, but it's not working reliably for me. And the moderator of their list hasn't bothered to respond to either my request to join the list or to allow an outsider post to the list.
>
> You could try posting a bug within Debian. Maybe the package maintainer will be more responsive than upstream, and maybe he's got some advice.
>
> -Rob

Thanks for the suggestion, Rob. (and for your help)

I should consider that. I'll try to put some time together to install it on a test system to see if I can figure out how to go about reporting the problem within Debian. I wasn't thinking about it from that angle.

Regards,
Gilbert

Archive: http://lists.debian.org/4cc4da56.7050...@comcast.net
Re: change in behavior of iptables with respect to firestarter
On Sun, Oct 24, 2010 at 12:20:59PM -0400, Gilbert Sullivan wrote:
> This is a pretty sophisticated firewall front end, allowing for
> connection sharing and allowing you to limit service connections to
> specific IP addresses or IP address ranges, but it's not working
> reliably for me. And the moderator of their list hasn't bothered to
> respond to either my request to join the list or to allow an outsider
> post to the list.
>
You could try posting a bug within Debian. Maybe the package maintainer will be more responsive than upstream, and maybe he's got some advice.

-Rob

Archive: http://lists.debian.org/20101024234511.ga14...@aurora.owens.net
Re: change in behavior of iptables with respect to firestarter
On 10/23/2010 02:38 PM, Gilbert Sullivan wrote:
> ...
> I'm guessing I should try to run firestarter in the Pre-connection Script field first, and then fall back to using the Post-connection Script field if Pre-connection fails. Now I just have to decide which of the firestarter scripts it makes the most sense to use in this case. I'm guessing from the order in which things appear in the output seen in tty1 that the firestarter script will most likely have to run post-connection?
>
> I've manually started firestarter successfully after login with both of the following:
>
> # /etc/init.d/firestarter start
> # /etc/firestarter/firestarter.sh start
> ...

I'll add this note.

I spent a fair amount of time trying one alternative after another. First of all, for some reason, trying to get wicd to run firestarter didn't work with either command or in either the pre-connection or post-connection settings.

I tried editing /etc/firestarter/firestarter.sh. I was able to get firestarter to start by commenting out some of the checks that script was performing. I'm thinking that the checks wouldn't be there if the developers hadn't thought they were needed for one reason or another. If I'm unwittingly defeating a check that affects the security of the system, I'd rather not do that. I'm also concerned that editing the regular startup scripts could run afoul of other issues. Obviously any update to firestarter might (and probably would) overwrite my customized scripts. That wouldn't be so bad if the danged thing didn't fail without putting a warning in a log or flagging my attention in some other way.

This is a pretty sophisticated firewall front end, allowing for connection sharing and allowing you to limit service connections to specific IP addresses or IP address ranges, but it's not working reliably for me. And the moderator of their list hasn't bothered to respond to either my request to join the list or to allow an outsider post to the list.

I decided that, rather than have a sophisticated application that I can't rely upon, I'd rather just do without or find a substitute. I was surprised to find gufw in the Debian repositories. (I think it was originally written for use in Ubuntu.) It's not anywhere near as sophisticated as firestarter, but it works, and it appears to have pretty active bugtracker and user list activity.

I left firestarter on my wife's systems (where it works) and removed it from mine (where it doesn't). My wife's systems aren't used anywhere but at home on our own network behind a decent router. I'm just going to use gufw on my own systems for now, even though it won't allow me to limit inbound IP addresses. The choice with gufw is to allow connections from anywhere or not to allow connections, but at least it's configured per service. I can tighten up ssh configuration on the host to help keep this from being a problem.

I kind of feel like a schmuck for dropping firestarter this easily (especially after your attempt to help me with it), but I remember having a similar problem with it in another distro when I was testing a couple of years ago. If you look at the archives for their sourceforge list you can see that this non-starting issue has been around for a long, long time. The fact that I couldn't get a response from them (at least not yet) and the fact that the firewall rules can fail to be applied without any apparent warning to the end user has kind of killed my appetite for trying to work with the application.

Many thanks again for your help, Rob Owens and Greg Madden!

Regards,
Gilbert

Archive: http://lists.debian.org/4cc45ceb.7010...@comcast.net
Re: change in behavior of iptables with respect to firestarter
Post Script to Previous Message:

The failure of the Scripts button to bring up anything led me to deliberately try entering the wrong password, and that got me a modal dialog:

--8<---
Failed to run /usr/share/wicd/gtk/configscript.py 'ourplace' 'wired' as user root.

The underlying authorization mechanism (sudo) does not allow you to run this program. Contact the system administrator.
--8<---

(ourplace being the name of the home network)

So I ran that command from within the terminal, like so

# /usr/share/wicd/gtk/configscript.py 'ourplace' 'wired'
/usr/share/wicd/gtk/configscript.py:159: GtkWarning: gtk_toolbar_set_icon_size: assertion `icon_size != GTK_ICON_SIZE_INVALID' failed
  wTree = gtk.glade.XML(gladefile)

I'm used to seeing the odd GtkWarning in stdout when running GUI apps from the terminal since I use ssh -X sessions a lot. And the effort does result in presentation of a "Configure Scripts" dialog with four fields and the ubiquitous Cancel / OK buttons. The fields are:

Pre-connection Script
Post-connection Script
Pre-disconnection Script
Post-disconnection Script

I'm guessing I should try to run firestarter in the Pre-connection Script field first, and then fall back to using the Post-connection Script field if Pre-connection fails. Now I just have to decide which of the firestarter scripts it makes the most sense to use in this case. I'm guessing from the order in which things appear in the output seen in tty1 that the firestarter script will most likely have to run post-connection?

I've manually started firestarter successfully after login with both of the following:

# /etc/init.d/firestarter start
# /etc/firestarter/firestarter.sh start

I'm guessing the second one, which seems to check on a bunch of conditions before launching the application, would be the safest (as in closest to intentions of the developers) one to use.

Would you have any suggestions, or should I just start plonking away?

Thanks again,
Gilbert

Archive: http://lists.debian.org/4cc32b8f.2060...@comcast.net
Re: change in behavior of iptables with respect to firestarter
On 10/23/2010 12:15 PM, Rob Owens wrote:
> On Sat, Oct 23, 2010 at 11:53:33AM -0400, Gilbert Sullivan wrote:
>> Starting Network connection manager: wicd.
>> startpar: service(s) returned failure: firestarter ... failed!
>> Running scripts in rc2.d/ took xx seconds.
>
> Ah, you're using wicd. For each network connection, click on the "scripts" button. Tell it to run firestarter when the connection is activated. (Ideally you'd want it to run *before* the connection is activated, but it sounds like that isn't going to work based on your experiences).

Okay, this is interesting. I just opened wicd and tried configuring it to run firestarter. I clicked on the Scripts button and was presented with a password prompt. I entered the root password, and I saw the mouse cursor switch to its busy graphic, and then it went back to the normal cursor -- with no dialog coming up to specify a script. That's surely not a design intention. (Reminds me of the little black boxes with a tiny switch on the top. You moved the switch, the box started making odd noises, the lid would lift, a little hand would come out to shove the switch back to off, the hand would withdraw into the box, and the lid would snap shut.)

Should I try manually editing the wicd startup script? I'm concerned that my efforts in that area may have undesired consequences if they aren't performed properly. I'm not worried about screwing it up so that it won't run. That would be easy enough to fix by restoring the script to its initial state. What I'm worried about is the possibility of messing up the way the script works in respect to its behaviors for some or all of the various conditions that I see the firestarter scripts specifying. I wouldn't want to compromise the security of the configuration unawares.

On a related note, if I can get firestarter called successfully from the script that starts wicd, would it be a good idea to remove the init.d call to the firestarter script? Am I correct in assuming that would be accomplished merely by removing the /etc/rc2.d/S19firestarter file?

> ...
>> I tried editing /etc/rc2.d/S19kerneloops, which seems to be the next script to be executed after /etc/rc2.d/S19firestarter, but I couldn't see anything. I just added
>>
>> read
>>
>> at the beginning of that script. Is that what you were suggesting? The gdm screen came up and blocked my view of the scrolling text. When I switched to tty1 I just saw these lines
>
> That is what I was suggesting. But I guess my suggestion didn't work...
>
> And yes, a "read" statement in bash is like a "pause" statement in DOS batch.

Thank you for that. This conversation is proving to me that I really should get off my figurative duff and start studying this new (to me) operating system. I've used computers every day since the early 60s, but they were always the systems WITH which I did my work rather than the system ON which I did my work -- if you get my meaning. Even given that, I had to learn a lot more about the earlier computing systems because I had to in order to make them do what I wanted. Oddly enough, coming to GNU/Linux has been like a vacation in comparison, despite the common sentiment that it's a tough operating system to use. These are just our personal systems, and everything we have used has "just worked". I've had to read a few man files from time-to-time, and I've even made a couple of bug reports, but it has been easy street compared to my travails on systems like Windows where getting precise information about how something works in the background isn't always very easy. (If it's hard in GNU/Linux, it's just because the system is complex or because there's some missing documentation, not because someone is trying to protect IP "rights".) This seems all very logical, if a little maze-like at times.

> If your firewall script references an IP address (which you don't have when the network is down), I think it needs the network to be up in order to run.
>
> If the script only references the interface (eth0, for example) it might run even if the network is down, as long as the kernel is aware of eth0's existence. But I'm not sure how wicd affects this. I think your /etc/network/interfaces file will not have anything besides the loopback device listed.
>
> -Rob

It appears to me that the script is only referencing the interface, but that's only a guess from a cursory inspection. I haven't looked through all of the referenced files and environment settings to be certain.

It appears that you've determined essentially what my problem is. If I can find out how to cause wicd to make the firestarter script run without causing unwanted side effects I think I should have a solution for my problem. I'll muddle this over and do some experiments to see what happens.

Than
Re: change in behavior of iptables with respect to firestarter
On Sat, Oct 23, 2010 at 11:53:33AM -0400, Gilbert Sullivan wrote:
>
> Starting Network connection manager: wicd.
> startpar: service(s) returned failure: firestarter ... failed!
> Running scripts in rc2.d/ took xx seconds.
>
Ah, you're using wicd. For each network connection, click on the "scripts" button. Tell it to run firestarter when the connection is activated. (Ideally you'd want it to run *before* the connection is activated, but it sounds like that isn't going to work based on your experiences).

> I'm guessing that maybe the firewall isn't starting because the network
> connection hasn't yet been established. My wife's systems both have only
> one network configuration. My systems have two network configurations.
> Even though I usually remember to set wicd to use the next network I'm
> going to be using before I shut down, do you suppose it's possible that
> the multiple network connections configuration causes some change in
> behavior that slows the establishment of a connection, and that could be
> the reason the firewall isn't coming up when the systems are started?
>
I'm not sure what the reason for the different behaviour of the two systems is.

> I tried editing /etc/rc2.d/S19kerneloops, which seems to be the next
> script to be executed after /etc/rc2.d/S19firestarter, but I couldn't
> see anything. I just added
>
> read
>
> at the beginning of that script. Is that what you were suggesting? The
> gdm screen came up and blocked my view of the scrolling text. When I
> switched to tty1 I just saw these lines
>
That is what I was suggesting. But I guess my suggestion didn't work...

And yes, a "read" statement in bash is like a "pause" statement in DOS batch.

If your firewall script references an IP address (which you don't have when the network is down), I think it needs the network to be up in order to run.

If the script only references the interface (eth0, for example) it might run even if the network is down, as long as the kernel is aware of eth0's existence. But I'm not sure how wicd affects this. I think your /etc/network/interfaces file will not have anything besides the loopback device listed.

-Rob

Archive: http://lists.debian.org/20101023161523.ga3...@aurora.owens.net
Re: change in behavior of iptables with respect to firestarter
On 10/23/2010 08:16 AM, Rob Owens wrote: What if the network isn't up when firestarter is asked to start? Would it start anyway? Would it fail to start and log an error? Or would it fail silently? I'm not sure of the answers to the above. Maybe you could try shutting down your network manually, then start firestarter manually, and see what happens. Good call. I booted the systems and disconnected their network connectors. I tried two commands with results as follows: # /etc/init.d/firestarter start Starting the Firestarter firewall... failed! # /etc/firestarter/firestarter.sh start External network device eth0 is not ready. Aborting.. Greg Madden had suggested looking at the /etc.rc2.d/S19firestarter link, and that's what led me to trying those two different commands. I had finally pulled my head out and realized that I might see something if I switched to tty1. As I told Greg, this is what I found: Starting MTA: exim4. Starting the Firestarter firewall... failed! Starting kerneloops: ...and, a little later... Starting Network connection manager: wicd. startpar: service(s) returned failure: firestarter ... failed! Running scripts in rc2.d/ took xx seconds. After a reboot and logging in each time, if I have a working network connection, either of the aforementioned commands succeeds. I'm guessing that maybe the firewall isn't starting because the network connection hasn't yet been established. My wife's systems both have only one network configuration. My systems have two network configurations. Even though I usually remember to set wicd to use the next network I'm going to be using before I shut down, do you suppose it's possible that the multiple network connections configuration causes some change in behavior that slows the establishment of a connection, and that could be the reason the firewall isn't coming up when the systems are started? 
> Another idea: You could edit /etc/init.d/firestarter to make it pause
> long enough that you can read any errors on the boot screen. Just
> enter a "read" statement where you want it to pause. On second
> thought, it might be easier to put the "read" statement at the
> beginning of the script that comes *after* firestarter in the boot
> process. That'll be the file in /etc/rc2.d that comes after the
> firestarter script (in alphanumeric order). Note, you have to hit
> to get past the "read" statement.
>
> -Rob

I tried editing /etc/rc2.d/S19kerneloops, which seems to be the next script to be executed after /etc/rc2.d/S19firestarter, but I couldn't see anything. I just added

read

at the beginning of that script. Is that what you were suggesting? The gdm screen came up and blocked my view of the scrolling text. When I switched to tty1 I just saw these lines

Starting the Firestarter firewall... failed!
read: 1: arg count $Starting kerneloops:

instead of

Starting the Firestarter firewall... failed!
Starting kerneloops:

Sorry if I'm being dumb. I don't know what a read statement is, but I figured it would be sort of like adding

pause

in a DOS batch file?

Thanks again for your time and effort,
Gilbert

Archive: http://lists.debian.org/4cc304fd.6080...@comcast.net
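The two failures in this message (the init script reporting "failed!" and firestarter.sh aborting with "External network device eth0 is not ready") both come down to the rule loader running before the interface is up. Below is an added example, not code from the thread or from the firestarter package, of the shape a boot-time wrapper can take: it polls the kernel's operstate for the interface with a bounded wait, logs the outcome to syslog and stderr instead of failing silently, and only then runs the loader. Apart from the /etc/firestarter/firestarter.sh path and the operstate file Linux exposes under /sys/class/net, everything here is this example's own assumption: the SYSFS_NET, FW_WAIT_TRIES, FW_WAIT_INTERVAL and EXT_IFACE variables and the function names.

```shell
#!/bin/sh
# Added example (not part of the thread or of the firestarter package): wait
# for the external interface to come up before loading firewall rules, instead
# of aborting the way /etc/firestarter/firestarter.sh does at boot.
#
# Assumptions: the link state is read from $SYSFS_NET/<iface>/operstate, which
# Linux exposes under /sys/class/net (SYSFS_NET is overridable so the functions
# can be exercised against a constructed directory tree); FW_WAIT_TRIES and
# FW_WAIT_INTERVAL bound how long we are willing to wait.

# Log to syslog when a logger is available, and always to stderr, so a boot-time
# failure leaves a trace in /var/log/syslog and not only on tty1.
log_msg() {
    logger -t firewall-start -- "$*" 2>/dev/null || true
    printf 'firewall-start: %s\n' "$*" >&2
}

# wait_for_iface IFACE: return 0 once IFACE reports operstate "up". Polls at
# most FW_WAIT_TRIES times, sleeping FW_WAIT_INTERVAL seconds between polls.
# A missing interface counts as "not ready", not as an error.
wait_for_iface() {
    iface=$1
    tries=${FW_WAIT_TRIES:-30}
    interval=${FW_WAIT_INTERVAL:-1}
    root=${SYSFS_NET:-/sys/class/net}
    state=absent
    n=0
    while [ "$n" -lt "$tries" ]; do
        state=absent
        if [ -r "$root/$iface/operstate" ]; then
            read -r state < "$root/$iface/operstate" || true
        fi
        [ "$state" = up ] && return 0
        n=$((n + 1))
        [ "$n" -lt "$tries" ] && sleep "$interval"
    done
    log_msg "interface $iface not up after $tries polls (last state: $state)"
    return 1
}

# start_firewall IFACE LOADER [ARGS...]: wait for IFACE, then run the rule
# loader (for firestarter that is: /etc/firestarter/firestarter.sh start).
# Exit status is the loader's, or 1 when the interface never came up.
start_firewall() {
    iface=$1
    shift
    wait_for_iface "$iface" || return 1
    rc=0
    "$@" || rc=$?
    if [ "$rc" -eq 0 ]; then
        log_msg "rules loaded for $iface via $1"
    else
        log_msg "rule loader $1 failed with status $rc"
    fi
    return "$rc"
}

# Minimal init-script entry point. With no argument the file only defines the
# functions, so it can also be sourced.
case ${1:-} in
    start) start_firewall "${EXT_IFACE:-eth0}" /etc/firestarter/firestarter.sh start ;;
    "")    ;;
    *)     printf 'Usage: %s start\n' "$0" >&2; exit 2 ;;
esac
```

Run as `sh wrapper.sh start` from an rc script, with EXT_IFACE set to the external interface if it is not eth0. The bounded wait matters: an unbounded loop would hang the boot on a machine whose cable is unplugged, while the abort firestarter.sh does leaves the host unfiltered, which is the worse of the two outcomes once a connection does come up.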
Re: change in behavior of iptables with respect to firestarter
On 10/23/2010 04:57 AM, Greg Madden wrote:
> Runlevel 2 is the default runlevel. Look for a link:
> '/etc/rc2.d/Sxxfirestarter -> ../init.d/firestarter'

Hi, Greg.

Thanks to you and Rob I'm getting a bit of an education.

I found /etc/rc2.d/S19firestarter. It does not contain any apparent (to me) direct reference to the /etc/init.d/firestarter file. This is an excerpt from /etc/rc2.d/S19firestarter.

-8<

. /lib/lsb/init-functions

FS_CONTROL="/etc/firestarter/firestarter.sh"

[ -x /usr/sbin/firestarter ] || exit 0
[ -x $FS_CONTROL ] || exit 0
[ -s /etc/firestarter/configuration ] || exit 0

-8<

It looks like it's starting a script called firestarter.sh, and that's running a bunch of tests, the outcome of which determine what firestarter is supposed to do? (I'm asking here, but it seems that's what's going on.)

What has perplexed me about all of this is the lack of any kind of warning being issued in the Firestarter GUI -- and no apparent (to me) warnings to be found in dmesg or syslog.

I had brought the systems to the other network and tried to connect by SSH from notebook to desktop. I couldn't do it because I had forgotten to tell Wicd about the change in networks. (I use fixed IP addresses both at home and at the alternative network.) I told Wicd to change the network settings to the profile I use on the alternate network. Then I connected from notebook to desktop right away. But I realized that this should not have been possible because I had not changed the firewall rules in the desktop firewall's incoming policy. I cranked up firestarter on the desktop and lost my connection. After a little bit of head scratching, here I am.

Now that I'm home I suddenly hit upon a cunning plan. I played around with two other Debian testing systems (my wife's), and I learned that firestarter is working perfectly on her systems. There's no sign of the problem on them, and firestarter works on them exactly the way I remember it working on my systems.
As far as I know, all four systems (her two, and the two of mine that are malfunctioning) have been configured almost identically. So I went to her systems and hit ++ to get tty1, and I can definitely see a difference on that screen. On her two systems with firestarter running properly there are no hints of trouble. On both of mine I see the following:

Starting MTA: exim4.
Starting the Firestarter firewall... failed!
Starting kerneloops:

...and, a little later...

Starting Network connection manager: wicd.
startpar: service(s) returned failure: firestarter ... failed!
Running scripts in rc2.d/ took xx seconds.

On both of her systems I see the same thing -- except, of course, for the two "failed!" warnings.

So, at least I know how I can tell whether or not my firewall has started. Just look at tty1. (Where would those failures be logged?)

I did try issuing the command on both of my computers after booting, and that succeeded with no warnings.

# /etc/init.d/firestarter start
Firewall started

When I check with "iptables -L" I can see that the rules are now in place. So I guess from all of this evidence that firestarter is being called properly, but that some condition for its startup is not being met and is causing the failure.

And then I rebooted (showing the same failures in tty1) and tried starting the firewall this way.

# /etc/firestarter/firestarter.sh start
Firewall started

and that worked, too. So whatever wasn't allowing the script to work before gdm pops up is no longer defeating it after I've logged on to the systems.

I'm sorry to be writing a book. This is interesting. I guess it's going to take some more digging to find out why the firewalls on these two systems are failing. Could it be simply that they both have two network configurations and my wife's systems only have one? That's the only significant configuration difference that I can think of.
I appreciate your help,
Gilbert

Archive: http://lists.debian.org/4cc304f7.9090...@comcast.net
Re: change in behavior of iptables with respect to firestarter
On Fri, Oct 22, 2010 at 10:03:59PM -0400, Gilbert Sullivan wrote:
> As root I ran
>
> /etc/init.d/firestarter start
>
> and I got
>
> Starting the Firestarter firewall
>
> I ran
>
> iptables -L
>
> and I could see that iptables is properly doing "its thing". The rules
> are in place!
>
> So, for some reason, firestarter isn't being started during the boot
> process.
>
> So, I guess I have to find out whether the fact that firestarter isn't
> being started is because a) it hasn't been asked to start, or b) it has
> been asked to start, but with insufficient credentials (or, in some
> other manner, improperly). Have I got that right?
>
What if the network isn't up when firestarter is asked to start? Would it start anyway? Would it fail to start and log an error? Or would it fail silently? I'm not sure of the answers to the above. Maybe you could try shutting down your network manually, then start firestarter manually, and see what happens.

Another idea: You could edit /etc/init.d/firestarter to make it pause long enough that you can read any errors on the boot screen. Just enter a "read" statement where you want it to pause. On second thought, it might be easier to put the "read" statement at the beginning of the script that comes *after* firestarter in the boot process. That'll be the file in /etc/rc2.d that comes after the firestarter script (in alphanumeric order). Note, you have to hit to get past the "read" statement.

-Rob

Archive: http://lists.debian.org/20101023121600.ga1...@aurora.owens.net
Re: change in behavior of iptables with respect to firestarter
On Friday 22 October 2010 18:13:54 Gilbert Sullivan wrote:
> On 10/22/2010 07:42 PM, Greg Madden wrote:
> > On Friday 22 October 2010 14:57:15 Gilbert Sullivan wrote:
> >> On 10/22/2010 06:00 PM, Greg Madden wrote:
> >>> On Friday 22 October 2010 11:00:40 Gilbert Sullivan wrote:
> >>>> Does this have something to do with Firestarter being started (or not
> >>>> started) at different run levels during startup? I briefly see
> >>>> something about it scrolling by, but I never get a chance to read it.
> >>>
> >>> You can use 'dmesg |grep ' to see what happens during boot.
> >>
> >> Hi,
> >>
> >> Many thanks for the idea.
> >>
> >> I get no result from any variation of "fire I can think of to substitute
> >> for.
> >>
> >> I had already pored over dmesg to see if I could find anything, and it
> >> was to no avail. (I really have to get off my lazy behind and start
> >> studying things like use of grep with the logs.)
> >>
> >> As I said to Rob, I'm thinking I've got a "project" for the weekend.
> >>
> >> Ouch! The wife just saw me type that!
> >>
> >> Regards,
> >> Gilbert
> >
> > 'firestarter' has a script in '/etc/init.d' and gets started by a link in
> > a run level, check that out.
> >
> > As mentioned 'iptables -L' will show if it gets started. This is
> > independent of whether or not the 'firestarter' gui is used.
>
> Hi,
>
> Yes, as suggested by Rob Owens I ran
>
> # /etc/init.d/firestarter start
>
> and the firewall started, with iptables showing the proper behavior when
> I issued the "iptables -L" command.
>
> So it seems, for some reason, that the script isn't being run at
> startup. Whether it's due to it not being called at all or whether it's
> due to something else is beyond me right now. I've been a couple of days
> without sleep (because of issues utterly unrelated to this), and I've
> got to get to sleep.
>
> But, right now, it looks to me as though the system simply hasn't been
> asked to start firestarter (if I can trust my very tired brain)!
> Otherwise, I'd imagine that I would have seen error messages somewhere.
>
> It's beyond my ability to comprehend right now. I'll try to tackle this
> again in a few hours when I've had some sleep.
>
> Many thanks for your help.
>
> Regards,
> Gilbert

Runlevel 2 is the default runlevel. Look for a link:
'/etc/rc2.d/Sxxfirestarter -> ../init.d/firestarter'

--
Peace, Greg

Archive: http://lists.debian.org/201010230057.27880.gomadtr...@gci.net
Re: change in behavior of iptables with respect to firestarter
On 10/22/2010 07:42 PM, Greg Madden wrote:
> On Friday 22 October 2010 14:57:15 Gilbert Sullivan wrote:
>> On 10/22/2010 06:00 PM, Greg Madden wrote:
>>> On Friday 22 October 2010 11:00:40 Gilbert Sullivan wrote:
>>>> Does this have something to do with Firestarter being started (or not
>>>> started) at different run levels during startup? I briefly see
>>>> something about it scrolling by, but I never get a chance to read it.
>>>
>>> You can use 'dmesg |grep ' to see what happens during boot.
>>
>> Hi,
>>
>> Many thanks for the idea.
>>
>> I get no result from any variation of "fire I can think of to substitute
>> for.
>>
>> I had already pored over dmesg to see if I could find anything, and it
>> was to no avail. (I really have to get off my lazy behind and start
>> studying things like use of grep with the logs.)
>>
>> As I said to Rob, I'm thinking I've got a "project" for the weekend.
>>
>> Ouch! The wife just saw me type that!
>>
>> Regards,
>> Gilbert
>
> 'firestarter' has a script in '/etc/init.d' and gets started by a link in
> a run level, check that out.
>
> As mentioned 'iptables -L' will show if it gets started. This is
> independent of whether or not the 'firestarter' gui is used.

Hi,

Yes, as suggested by Rob Owens I ran

# /etc/init.d/firestarter start

and the firewall started, with iptables showing the proper behavior when I issued the "iptables -L" command.

So it seems, for some reason, that the script isn't being run at startup. Whether it's due to it not being called at all or whether it's due to something else is beyond me right now. I've been a couple of days without sleep (because of issues utterly unrelated to this), and I've got to get to sleep.

But, right now, it looks to me as though the system simply hasn't been asked to start firestarter (if I can trust my very tired brain)! Otherwise, I'd imagine that I would have seen error messages somewhere.

It's beyond my ability to comprehend right now. I'll try to tackle this again in a few hours when I've had some sleep.

Many thanks for your help.

Regards,
Gilbert

Archive: http://lists.debian.org/4cc244e2.6020...@comcast.net
Re: change in behavior of iptables with respect to firestarter
On 10/22/2010 08:18 PM, Rob Owens wrote:
> On Fri, Oct 22, 2010 at 06:48:34PM -0400, Gilbert Sullivan wrote:
>> There is an /etc/init.d/firestarter file and an
>> /etc/firestarter/configuration file (that latter one being present in its
>> directory with a whole bunch of other files.).
>
> After a fresh reboot, with firestarter not running, what happens if you run:
>
> /etc/init.d/firestarter start
>
> That's what should be running during bootup. Maybe it'll show you some
> error messages if you run it from a terminal after bootup.
>
> -Rob

As root I ran

/etc/init.d/firestarter start

and I got

Starting the Firestarter firewall

I ran

iptables -L

and I could see that iptables is properly doing "its thing". The rules are in place!

So, for some reason, firestarter isn't being started during the boot process.

So, I guess I have to find out whether the fact that firestarter isn't being started is because a) it hasn't been asked to start, or b) it has been asked to start, but with insufficient credentials (or, in some other manner, improperly). Have I got that right?

Since I'm not seeing any error messages in logs, I'm guessing that it hasn't been asked to start -- for some reason.

I'm horribly tired, and I've got to get some sleep. I'm going to try to look at this with fresh eyes tomorrow.

Thank you so much for continuing to work with me on this.

Regards,
Gilbert

Archive: http://lists.debian.org/4cc2428f.1010...@comcast.net
Re: change in behavior of iptables with respect to firestarter
On Fri, Oct 22, 2010 at 06:48:34PM -0400, Gilbert Sullivan wrote:
>
> There is an /etc/init.d/firestarter file and an
> /etc/firestarter/configuration file (that latter one being present in its
> directory with a whole bunch of other files.).
>
After a fresh reboot, with firestarter not running, what happens if you run:

/etc/init.d/firestarter start

That's what should be running during bootup. Maybe it'll show you some error messages if you run it from a terminal after bootup.

-Rob

Archive: http://lists.debian.org/20101023001813.ga30...@aurora.owens.net
Re: change in behavior of iptables with respect to firestarter
On Friday 22 October 2010 14:57:15 Gilbert Sullivan wrote:
> On 10/22/2010 06:00 PM, Greg Madden wrote:
> > On Friday 22 October 2010 11:00:40 Gilbert Sullivan wrote:
> >> Does this have something to do with Firestarter being started (or not
> >> started) at different run levels during startup? I briefly see something
> >> about it scrolling by, but I never get a chance to read it.
> >
> > You can use 'dmesg |grep ' to see what happens during boot.
>
> Hi,
>
> Many thanks for the idea.
>
> I get no result from any variation of "fire I can think of to substitute
> for .
>
> I had already pored over dmesg to see if I could find anything, and it
> was to no avail. (I really have to get off my lazy behind and start
> studying things like use of grep with the logs.)
>
> As I said to Rob, I'm thinking I've got a "project" for the weekend.
>
> Ouch! The wife just saw me type that!
>
> Regards,
> Gilbert

'firestarter' has a script in '/etc/init.d' and gets started by a link in a run level, check that out.

As mentioned 'iptables -L' will show if it gets started. This is independent of whether or not the 'firestarter' gui is used.

--
Greg Madden
Precision Air Balance, Inc.
Phone: (907)276-0461

Archive: http://lists.debian.org/201010221542.58839.p...@gci.net
Re: change in behavior of iptables with respect to firestarter
On 10/22/2010 06:00 PM, Greg Madden wrote:
> On Friday 22 October 2010 11:00:40 Gilbert Sullivan wrote:
>> Does this have something to do with Firestarter being started (or not
>> started) at different run levels during startup? I briefly see something
>> about it scrolling by, but I never get a chance to read it.
>
> You can use 'dmesg |grep ' to see what happens during boot.

Hi,

Many thanks for the idea.

I get no result from any variation of "fire I can think of to substitute for .

I had already pored over dmesg to see if I could find anything, and it was to no avail. (I really have to get off my lazy behind and start studying things like use of grep with the logs.)

As I said to Rob, I'm thinking I've got a "project" for the weekend.

Ouch! The wife just saw me type that!

Regards,
Gilbert

Archive: http://lists.debian.org/4cc216cb.3030...@comcast.net
Re: change in behavior of iptables with respect to firestarter
On 10/22/2010 04:29 PM, Rob Owens wrote:
> On Fri, Oct 22, 2010 at 03:00:40PM -0400, Gilbert Sullivan wrote:
>> On 10/22/2010 01:56 PM, Rob Owens wrote:
>>> On Fri, Oct 22, 2010 at 01:50:11PM -0400, Gilbert Sullivan wrote:
>>>> list's moderator hasn't got back to me. It appears that the rules I want
>>>> in iptables are not in effect at all until I actually bring up the
>>>> Firestarter user interface during a given session. Once I log off
>>>> (restart not necessary) the rules are apparently reset to the default.
>>>
>>> You can check this by running (as root):
>>>
>>> iptables -L
>>>
>>> If there are no firewall rules active, it will look something like this:
>>>
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> -Rob
>>
>> Thanks, Rob.
>>
>> I set up the rules in Firestarter. I reboot. This is what I get:
>>
>> # iptables -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>
> It definitely looks like you have no active firewall until you run
> firestarter manually. I'm not very familiar with firestarter, but it
> seems like it should start automatically on boot because as soon as you
> boot up and get a network connection, you are vulnerable.

Yes, indeed. My reading of the firestarter docs indicates that it isn't supposed to matter whether or not you start the application in your operating session. You only start firestarter when you want to change settings -- or if you want to use it to monitor the firewall. It definitely didn't use to behave this way, but it has been a while since I needed to do this, so I have no idea when the behavior changed or what might have caused the change.

That means that I've been connecting to that other network with my firewall doing nothing -- which may not matter a lot because I wasn't configured to make any services available since I was using SSH a few months ago.

> Is there a /etc/default/firestarter file? Does it say to run firestarter
> at startup?
>
> Install and run sysv-rc-conf. Does it say that firestarter is supposed
> to be started in your runlevel? (default runlevel is 2 for Debian).
>
> Are there any other conf files you could check? /etc/firestarter.conf,
> for instance?

No /etc/default/firestarter file and no /etc/firestarter.conf or anything like them. There is an /etc/init.d/firestarter file and an /etc/firestarter/configuration file (that latter one being present in its directory with a whole bunch of other files.).

I already had sysv-rc-conf. Very nice utility. It shows an X mark for firestarter (firestart$) in run levels 2, 3, 4, 5, and S.

It's definitely not sitting in the notification area when I log on, but it never has done that before, and it worked just fine back then. I'm guessing that firestarter isn't starting in any of those run levels -- or at least not in all of them. I looked in syslog and dmesg and didn't see anything that seemed related to either iptables or firestarter. I'm not sure where I should look to find out.

This application has always just worked in that it never came up automatically in the user's session, but iptables was definitely configured and operating properly without firestarter being up and running visibly. I don't know when this changed, but I definitely tested it enough when I used it before to know that I could only connect from a specific IP address. (I moved these systems from network to network back then, and I would always have to open firestarter on the desktop to change the rule to allow a different IP address for the notebook on a different network.)

I've tried registering for the moderated firestarter list so I could post for help there, but I've received no response from the moderator. And I tried to post directly without waiting for a subscription, but was rebuffed by an automated bounce telling me that I'd be notified if the moderator decided to let my post go to the list.

In the meantime I can be sort of safe on that oddball network (It's the only other network I do this on besides my home network.) by manually launching the application every time I log in, though this is obviously not a very good solution.

I use Xfce as my DE, so firestarter seems to be about my only simple / GUI alternative without installing a bunch of KDE packages. (I think there are three or four GUI-type firewall configurers for KDE.)

It's the beginning of the weekend. I guess I've got a project to work on. ;-)

Thank you for your help. Please let me know if you can think of a good way to proceed. Otherwise, I'm just going to have to do some sloggi
Re: change in behavior of iptables with respect to firestarter
On Friday 22 October 2010 11:00:40 Gilbert Sullivan wrote:
> Does this have something to do with Firestarter being started (or not
> started) at different run levels during startup? I briefly see something
> about it scrolling by, but I never get a chance to read it.

You can use 'dmesg |grep ' to see what happens during boot.

--
Peace, Greg

Archive: http://lists.debian.org/201010221400.15122.gomadtr...@gci.net
Re: change in behavior of iptables with respect to firestarter
On Fri, Oct 22, 2010 at 03:00:40PM -0400, Gilbert Sullivan wrote:
> On 10/22/2010 01:56 PM, Rob Owens wrote:
>> On Fri, Oct 22, 2010 at 01:50:11PM -0400, Gilbert Sullivan wrote:
>>> list's moderator hasn't got back to me. It appears that the rules I want
>>> in iptables are not in effect at all until I actually bring up the
>>> Firestarter user interface during a given session. Once I log off
>>> (restart not necessary) the rules are apparently reset to the default.
>>>
>> You can check this by running (as root):
>>
>> iptables -L
>>
>> If there are no firewall rules active, it will look something like this:
>>
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> -Rob
>
> Thanks, Rob.
>
> I set up the rules in Firestarter. I reboot. This is what I get:
>
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
It definitely looks like you have no active firewall until you run firestarter manually. I'm not very familiar with firestarter, but it seems like it should start automatically on boot because as soon as you boot up and get a network connection, you are vulnerable.

Is there a /etc/default/firestarter file? Does it say to run firestarter at startup?

Install and run sysv-rc-conf. Does it say that firestarter is supposed to be started in your runlevel? (default runlevel is 2 for Debian).

Are there any other conf files you could check? /etc/firestarter.conf, for instance?

-Rob

Archive: http://lists.debian.org/20101022202944.ga28...@aurora.owens.net
Re: change in behavior of iptables with respect to firestarter
On 10/22/2010 01:56 PM, Rob Owens wrote:
> On Fri, Oct 22, 2010 at 01:50:11PM -0400, Gilbert Sullivan wrote:
>> list's moderator hasn't got back to me. It appears that the rules I want
>> in iptables are not in effect at all until I actually bring up the
>> Firestarter user interface during a given session. Once I log off
>> (restart not necessary) the rules are apparently reset to the default.
>
> You can check this by running (as root):
>
> iptables -L
>
> If there are no firewall rules active, it will look something like this:
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> -Rob

Thanks, Rob.

I set up the rules in Firestarter. I reboot. This is what I get:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Now I start the Firestarter GUI, and I repeat the two iptables commands (Sorry for the length of the output. I broke up the output from the two commands with dashed lines to help a little with parsing):

--
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source                    destination
ACCEPT     tcp  --  resolver1.opendns.com     anywhere       tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  resolver1.opendns.com     anywhere
ACCEPT     tcp  --  resolver2.opendns.com     anywhere       tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  resolver2.opendns.com     anywhere
ACCEPT     all  --  anywhere                  anywhere
ACCEPT     icmp --  anywhere                  anywhere       limit: avg 10/sec burst 5
DROP       all  --  anywhere                  255.255.255.255
DROP       all  --  anywhere                  192.168.9.255
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere                  BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255           anywhere
DROP       all  --  anywhere                  default
DROP       all  --  anywhere                  anywhere       state INVALID
LSI        all  -f  anywhere                  anywhere       limit: avg 10/min burst 5
INBOUND    all  --  anywhere                  anywhere
LOG_FILTER all  --  anywhere                  anywhere
LOG        all  --  anywhere                  anywhere       LOG level info prefix `Unknown Input'

Chain FORWARD (policy DROP)
target     prot opt source                    destination
ACCEPT     icmp --  anywhere                  anywhere       limit: avg 10/sec burst 5
LOG_FILTER all  --  anywhere                  anywhere
LOG        all  --  anywhere                  anywhere       LOG level info prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target     prot opt source                    destination
ACCEPT     tcp  --  192.168.9.22              resolver1.opendns.com  tcp dpt:domain
ACCEPT     udp  --  192.168.9.22              resolver1.opendns.com  udp dpt:domain
ACCEPT     tcp  --  192.168.9.22              resolver2.opendns.com  tcp dpt:domain
ACCEPT     udp  --  192.168.9.22              resolver2.opendns.com  udp dpt:domain
ACCEPT     all  --  anywhere                  anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere                  BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255           anywhere
DROP       all  --  anywhere                  default
DROP       all  --  anywhere                  anywhere       state INVALID
OUTBOUND   all  --  anywhere                  anywhere
LOG_FILTER all  --  anywhere                  anywhere
LOG        all  --  anywhere                  anywhere       LOG level info prefix `Unknown Output'

Chain INBOUND (1 references)
target     prot opt source                    destination
ACCEPT     tcp  --  anywhere                  anywhere       state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere                  anywhere       state RELATED,ESTABLISHED
LSI        all  --  anywhere                  anywhere

Chain LOG_FILTER (5 references)
target     prot opt source                    destination

Chain LSI (2 references)
target     prot opt source                    destination
LOG_FILTER all  --  anywhere                  anywhere
LOG        tcp  --  anywhere                  anywhere       tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP       tcp  --  anywhere                  anywhere       tcp flags:FIN,SYN,RST,ACK/SYN
LOG        tcp  --  anywhere                  anywhere       tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP       tcp  --  anywhere                  anywhere       tcp flags:FIN,SYN,RST,A
Re: change in behavior of iptables with respect to firestarter
On Fri, Oct 22, 2010 at 01:50:11PM -0400, Gilbert Sullivan wrote:
> list's moderator hasn't got back to me. It appears that the rules I want
> in iptables are not in effect at all until I actually bring up the
> Firestarter user interface during a given session. Once I log off
> (restart not necessary) the rules are apparently reset to the default.
>
You can check this by running (as root):

iptables -L

If there are no firewall rules active, it will look something like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

-Rob

Archive: http://lists.debian.org/20101022175614.ga28...@aurora.owens.net
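Rob's listing is the signature of an empty ruleset: the built-in chains at policy ACCEPT with nothing in them. Below is an added example, not code from the thread or from firestarter, that turns that visual check into something a boot-time audit can run unattended. It reads the machine-friendly `iptables -S` dump (Gilbert's later message shows the same empty state in that form, as three `-P ... ACCEPT` lines) and classifies it. The sample dumps are constructed; the filtering one is a trimmed imitation of the firestarter chains shown later in the thread, and the function names, the verdict words and the `audit_live` wrapper are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): classify an "iptables -S" dump so a
# boot-time check can tell a host with no firewall loaded (built-in chains at
# policy ACCEPT, no rules) from one that is actually filtering.

# check_ruleset: reads an "iptables -S" dump on stdin and prints one word:
#   open        - every built-in policy is ACCEPT and no rule is installed
#   policy-only - no rules, but at least one chain defaults to DROP/REJECT
#   filtering   - at least one rule (-A line) is installed
# Lines starting with -N only declare user chains (INBOUND, LSI, ...) and are
# ignored: a declared-but-empty chain filters nothing.
check_ruleset() {
    rules=0
    strict_policies=0
    while IFS= read -r line; do
        case $line in
            "-P "*)
                # "-P CHAIN POLICY": count chains whose default is not ACCEPT
                set -- $line
                [ "$3" = ACCEPT ] || strict_policies=$((strict_policies + 1))
                ;;
            "-A "*)
                rules=$((rules + 1))
                ;;
        esac
    done
    if [ "$rules" -gt 0 ]; then
        echo filtering
    elif [ "$strict_policies" -gt 0 ]; then
        echo policy-only
    else
        echo open
    fi
}

# audit_live: run the check against the running kernel (needs root). Returns 1
# when the host is open, so it can gate an alert from rc.local or cron, e.g.
#   audit_live || logger -t fw-audit "host booted without firewall rules"
audit_live() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables not found" >&2
        return 2
    fi
    verdict=$(iptables -S 2>/dev/null | check_ruleset)
    echo "$verdict"
    [ "$verdict" != open ]
}

# Constructed sample dumps. SAMPLE_OPEN is the state Rob describes; the
# filtering sample is modelled on the firestarter ruleset in the thread, trimmed.
SAMPLE_OPEN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

SAMPLE_POLICY_ONLY='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT'

SAMPLE_FILTERING='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N INBOUND
-N LSI
-A INPUT -m state --state INVALID -j DROP
-A INPUT -j INBOUND
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -j LSI
-A LSI -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP'

# Demonstrate the classifier on the three samples.
for sample in SAMPLE_OPEN SAMPLE_POLICY_ONLY SAMPLE_FILTERING; do
    eval "dump=\$$sample"
    printf '%-20s %s\n' "$sample:" "$(printf '%s\n' "$dump" | check_ruleset)"
done
```

The `-S` form is preferred over `-L` for scripting because it does not resolve addresses to names (no DNS lookups during boot, no `resolver1.opendns.com`-style output that depends on the resolver being reachable) and its lines have a fixed shape. A "policy-only" verdict is worth treating separately from "filtering": it is closed rather than open, but it usually means a loader set the policies and then failed part-way through installing rules.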
change in behavior of iptables with respect to firestarter
I'm running Firestarter 1.0.3 on Debian testing (both systems involved in this message).

A number of months ago I was in a situation where I wanted to establish an SSH connection from my notebook to a desktop system. Because the network on which this desktop system resides is less well controlled than I'd like I used Firestarter to configure the iptables to allow connections on port 22 only from one specific IP address, the one assigned to the notebook. At that time, no system with any other IP address could connect to the desktop. (I tested it.)

Now that I need to use the notebook again at this location and want to use the systems in the same way again I find that I can connect to that desktop from ANY IP address on the network. When I look at the policy page in Firestarter on the desktop I see that only the one IP address assigned to the notebook is supposed to be allowed to connect on port 22. (There are no other exceptions.)

If I manually start Firestarter on the desktop, then I can only connect to it from the specified IP address. After I reboot the desktop I can once again connect to the desktop from any IP address, given that I use the correct user name and password, of course.

I checked the other way around by trying to connect to the notebook from the desktop. The notebook is "promiscuous", too -- unless I actually have started Firestarter during an operating session, I will be able to connect to the notebook from the desktop (as long as I have the correct user name and password) even though I have set the notebook to allow no connections whatsoever.

This is not how it used to work. A few months ago, regardless of whether or not I actually started the Firestarter interface during a session, the policy applied to iptables by Firestarter would hold for these systems through restarts.

Could someone help me, please?

I tried searching the firestarter list's archive, and I tried to join their list and post this question, but the list's moderator hasn't got back to me. It appears that the rules I want in iptables are not in effect at all until I actually bring up the Firestarter user interface during a given session. Once I log off (restart not necessary) the rules are apparently reset to the default.

Regards,
Gilbert

Archive: http://lists.debian.org/4cc1ced3.7050...@comcast.net
Re: Replacement for firestarter?
Todd A. Jacobs wrote at 2009-11-10 14:30 -0600:
> I'm not really looking for a static firewall builder (e.g. fwbuilder or
> lokkit), but something that approximates the "allow/deny current
> traffic" features of firestarter.

I am new to netfilter, etc. and have been doing research recently on firewall options and trying to learn about what is available and how it all works. One package I came across, mason, is designed to learn and display the rules you need as the traffic flows; perhaps you should try it.
Replacement for firestarter?
I really like using firestarter, as the realtime traffic logs and allow/deny interface are exceedingly useful to me. However, I know that it's been dead upstream for a long time, and I was hoping someone knew of a well-maintained replacement.

I'm not really looking for a static firewall builder (e.g. fwbuilder or lokkit), but something that approximates the "allow/deny current traffic" features of firestarter.

Thanks in advance!

-- 
"Oh, look: rocks!"
-- Doctor Who, "Destiny of the Daleks"
Re: Bridging with firestarter and dhcp3-server.[SOLVED]
Daryl Styrk wrote:
> I'm attempting to bridge wlan0 with eth0. I've done this successfully in the past with firestarter and dhcp3-server. However I'm running into some issues trying to set this up now.
>
> What I have done in the past is set eth0 static, and enabled internet connection sharing in firestarter, which ends up with the following configuration files.
>
> cat /etc/network/interfaces
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> allow-hotplug eth0
> iface eth0 inet static
>         address 192.168.0.1
>         netmask 255.255.255.0
> auto eth0
>
> $ cat /etc/dhcp3/dhcpd.conf
> # DHCP configuration generated by Firestarter
> ddns-update-style interim;
> ignore client-updates;
>
> subnet 192.168.0.0 netmask 255.255.255.0 {
>         option routers 192.168.0.1;
>         option subnet-mask 255.255.255.0;
>         option domain-name-servers 10.0.1.1;
>         option ip-forwarding off;
>         range dynamic-bootp 192.168.0.100 192.168.0.254;
>         default-lease-time 21600;
>         max-lease-time 43200;
> }
>
> After a restart of networking, firestarter, and dhcp3-server all was well. This has worked on 3 separate instances. However, now after restarting all services and attempting to request an address on eth0 from another machine it fails with "No working leases in persistent database - sleeping."
>
> I can see the interface eth0 here on the laptop, and while requesting the address the lights are not flashing like they usually would, which leads me to believe the bridge/dhcp server isn't working. I'm a bit lost where to start; I've looked through the logs for any failures, errors etc.
>
> # grep error /var/log/messages
> Mar 21 13:38:16 t61 kernel: [51443.770985] firestarter[13057]: segfault at 65726952 ip b72b1452 sp b6965300 error 6 in libglib-2.0.so.0.1600.6[b725b000+b4000]
> Mar 21 13:53:12 t61 kernel: [52343.228568] firestarter[18697]: segfault at 65726952 ip b739c452 sp b5dc0300 error 6 in libglib-2.0.so.0.1600.6[b7346000+b4000]
> Mar 21 14:07:56 t61 kernel: [ 764.930775] firestarter[7807]: segfault at 117808 ip b71b0ebc sp b5dff17c error 4 in libc-2.7.so[b7142000+155000]
> Mar 21 15:21:03 t61 kernel: [ 3080.508699] firestarter[11594]: segfault at 6e657651 ip b71cdf61 sp bfe6fc04 error 4 in libc-2.7.so[b715f000+155000]
>
> I have no idea about segfaults. I've never encountered one that I was aware of. I have since restarted everything again after finding these in the logs to see if it would be reproduced, but they were not.
>
> Daryl

Replying to myself...

Turns out the above steps for bridging/dhcp still work fine. It seems the Debian installer was refusing to request an address from the laptop/dhcp server. However, once I moved the machine to a wire off the modem, it picked up an address just fine. Then of course when the install was finished, there is no problem requesting an address from the laptop/dhcp server. Strange. Any ideas why that would be?

Daryl
Bridging with firestarter and dhcp3-server.
I'm attempting to bridge wlan0 with eth0. I've done this successfully in the past with firestarter and dhcp3-server. However I'm running into some issues trying to set this up now.

What I have done in the past is set eth0 static, and enabled internet connection sharing in firestarter, which ends up with the following configuration files.

cat /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
        address 192.168.0.1
        netmask 255.255.255.0
auto eth0

$ cat /etc/dhcp3/dhcpd.conf
# DHCP configuration generated by Firestarter
ddns-update-style interim;
ignore client-updates;

subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        option subnet-mask 255.255.255.0;
        option domain-name-servers 10.0.1.1;
        option ip-forwarding off;
        range dynamic-bootp 192.168.0.100 192.168.0.254;
        default-lease-time 21600;
        max-lease-time 43200;
}

After a restart of networking, firestarter, and dhcp3-server all was well. This has worked on 3 separate instances. However, now after restarting all services and attempting to request an address on eth0 from another machine it fails with "No working leases in persistent database - sleeping."

I can see the interface eth0 here on the laptop, and while requesting the address the lights are not flashing like they usually would, which leads me to believe the bridge/dhcp server isn't working. I'm a bit lost where to start; I've looked through the logs for any failures, errors etc.

# grep error /var/log/messages
Mar 21 13:38:16 t61 kernel: [51443.770985] firestarter[13057]: segfault at 65726952 ip b72b1452 sp b6965300 error 6 in libglib-2.0.so.0.1600.6[b725b000+b4000]
Mar 21 13:53:12 t61 kernel: [52343.228568] firestarter[18697]: segfault at 65726952 ip b739c452 sp b5dc0300 error 6 in libglib-2.0.so.0.1600.6[b7346000+b4000]
Mar 21 14:07:56 t61 kernel: [ 764.930775] firestarter[7807]: segfault at 117808 ip b71b0ebc sp b5dff17c error 4 in libc-2.7.so[b7142000+155000]
Mar 21 15:21:03 t61 kernel: [ 3080.508699] firestarter[11594]: segfault at 6e657651 ip b71cdf61 sp bfe6fc04 error 4 in libc-2.7.so[b715f000+155000]

I have no idea about segfaults. I've never encountered one that I was aware of. I have since restarted everything again after finding these in the logs to see if it would be reproduced, but they were not.

Daryl
Re: iptables/firestarter
On Fri January 16 2009, Jeff Soules wrote:
> Personally, I do this:
>
> Ensure that you have your firewall rules set up as you wish them.
> Then, edit /etc/network/interfaces to add the following:
>
> # Bring up firewall
> pre-up iptables-restore < /etc/iptables.rules
>
> # And save fw state on shutdown
> post-down iptables-save -c > /etc/iptables.rules

a few people have mentioned this method, and it seems straight forward.. thanks, I set this up.. hopefully next year, when I reboot, it will update:)

oh, wait, I gotta add a replacement drive soon.. brand-new Seagate Barracuda drive locked up and quit yesterd...@!!!@!!!

-- 
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459
Re: iptables/firestarter
>> on my system but it isn't running, and I don't think I ever set it up. All I
>> want is for my web port rule to start every time I boot, but I can't find
>> anywhere in the system where iptables is saved, or where to put this one line
>> rule so it starts every time.

http://www.debian-administration.org/articles/615 has more information about this topic.

Personally, I do this:

Ensure that you have your firewall rules set up as you wish them. Then, edit /etc/network/interfaces to add the following:

# Bring up firewall
pre-up iptables-restore < /etc/iptables.rules

# And save fw state on shutdown
post-down iptables-save -c > /etc/iptables.rules

However, people seem to be saying that this may have drawbacks, as if you add a bad rule or otherwise negatively alter your ruleset, it would get automatically saved. Since I make all edits to my iptables rules in a shell script that I source when I want to change them, I'm not too worried about that, but you can see several alternate solutions from the link above.

Hope this helps!

On Fri, Jan 16, 2009 at 10:35 PM, Umarzuki Mochlis wrote:
> Perhaps you can run
> # update-rc.d
>
> To make iptables start at boot-up for every runlevel. never tried this
> but i read from http://www.rexx.com/~dkuhlman/iptables_install.html
> (check step number 7)
>
> 2009/1/17 Paul Cartwright :
>> I am having a small problem with my system. I started a small web server, so I
>> could share photos. nginx & gallery2 are working just fine, easy to setup and
>> use! The problem is, I just rebooted, and I have to rerun the iptables
>> command to open port 80 for my web server again. I see there is firestarter
>> on my system but it isn't running, and I don't think I ever set it up. All I
>> want is for my web port rule to start every time I boot, but I can't find
>> anywhere in the system where iptables is saved, or where to put this one line
>> rule so it starts every time.
>> wiki.debian.org didn't have an iptables section, just shorewall.
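Two posts in this archive meet at the same point: Gilbert found his port-22 restriction silently absent after a reboot, and Jeff's pre-up/post-down hook re-applies whatever is in /etc/iptables.rules on every boot, bad rules included. The script below is an added example, not from any of the posts or from Firestarter: it checks an iptables-save dump for structural damage and for an INPUT rule that accepts tcp/22 from any source before the dump is handed to iptables-restore. The file name /etc/iptables.rules comes from the thread; the sample dumps are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an iptables-save dump
# before wiring it into /etc/network/interfaces as
#   pre-up iptables-restore < /etc/iptables.rules
# A malformed dump or an SSH rule that lost its -s restriction would
# otherwise be applied (and re-saved by post-down) on every boot.

# validate_rules_file FILE: print "ok" when every *table block is closed
# by COMMIT and the filter table declares an INPUT policy; otherwise print
# one line per problem. iptables-restore rejects a dump without COMMIT,
# and without a policy line the default INPUT policy is left unmanaged.
validate_rules_file() {
    awk '
        /^\*/ {
            if (in_table) { print "table " table " not closed by COMMIT"; bad = 1 }
            in_table = 1; table = substr($0, 2); next
        }
        /^COMMIT$/ {
            if (!in_table) { print "COMMIT outside a table"; bad = 1 }
            in_table = 0; next
        }
        /^:INPUT / { if (table == "filter") have_input = 1 }
        END {
            if (in_table)    { print "table " table " not closed by COMMIT"; bad = 1 }
            if (!have_input) { print "filter table has no INPUT policy line"; bad = 1 }
            if (!bad) print "ok"
        }' "$1"
}

# open_ssh_rules FILE: list INPUT rules that ACCEPT tcp/22 without a
# source restriction (-s). Empty output means every SSH rule is pinned
# to an address, which is what Gilbert expected his ruleset to do.
open_ssh_rules() {
    grep -E '^-A INPUT .*-p tcp .*--dport 22 .*-j ACCEPT' "$1" \
        | grep -Ev ' -s [0-9a-fA-F.:/]+ ' || :
}

# apply_rules_file FILE: the guarded form of the thread's pre-up line.
# Loads the dump only if both checks pass. Not invoked by the demo below.
apply_rules_file() {
    [ "$(validate_rules_file "$1")" = ok ] || { echo "refusing: malformed dump" >&2; return 1; }
    [ -z "$(open_ssh_rules "$1")" ] || { echo "refusing: tcp/22 open to any source" >&2; return 1; }
    iptables-restore < "$1"
}

# Constructed sample dumps in iptables-save format (192.168.1.10 is a
# made-up notebook address, not one from the thread).
sample_pinned_rules() {
cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

sample_open_rules() {
    # Same dump, but the SSH rule has lost its -s restriction.
    sample_pinned_rules | sed 's/^-A INPUT -s 192.168.1.10\/32 -p tcp/-A INPUT -p tcp/'
}

sample_truncated_rules() {
    # Dump cut off before COMMIT, e.g. a disk that filled during post-down save.
    sample_pinned_rules | sed '/^COMMIT$/d'
}

demo() {
    dir=$(mktemp -d)
    sample_pinned_rules    > "$dir/pinned.rules"
    sample_open_rules      > "$dir/open.rules"
    sample_truncated_rules > "$dir/truncated.rules"
    for f in pinned open truncated; do
        echo "== $f.rules"
        echo "structure : $(validate_rules_file "$dir/$f.rules")"
        echo "open ssh  : $(open_ssh_rules "$dir/$f.rules" | wc -l | tr -d ' ') rule(s)"
    done
    rm -rf "$dir"
}

demo
```

Run it against a real dump with `validate_rules_file /etc/iptables.rules` and `open_ssh_rules /etc/iptables.rules` after the post-down save, before trusting the next reboot to it.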
Re: iptables/firestarter
Perhaps you can run
# update-rc.d

To make iptables start at boot-up for every runlevel. never tried this but i read from http://www.rexx.com/~dkuhlman/iptables_install.html (check step number 7)

2009/1/17 Paul Cartwright :
> I am having a small problem with my system. I started a small web server, so I
> could share photos. nginx & gallery2 are working just fine, easy to setup and
> use! The problem is, I just rebooted, and I have to rerun the iptables
> command to open port 80 for my web server again. I see there is firestarter
> on my system but it isn't running, and I don't think I ever set it up. All I
> want is for my web port rule to start every time I boot, but I can't find
> anywhere in the system where iptables is saved, or where to put this one line
> rule so it starts every time.
> wiki.debian.org didn't have an iptables section, just shorewall.
> --
> Paul Cartwright
> Registered Linux user # 367800
> Registered Ubuntu User #12459

-- 
Regards,
Umarzuki Mochlis
http://gameornot.net
iptables/firestarter
I am having a small problem with my system. I started a small web server, so I could share photos. nginx & gallery2 are working just fine, easy to setup and use! The problem is, I just rebooted, and I have to rerun the iptables command to open port 80 for my web server again. I see there is firestarter on my system but it isn't running, and I don't think I ever set it up. All I want is for my web port rule to start every time I boot, but I can't find anywhere in the system where iptables is saved, or where to put this one line rule so it starts every time.

wiki.debian.org didn't have an iptables section, just shorewall.

-- 
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459
Re: Firestarter dumping blocked events to console
On 04/09/2008 10:24 PM, Amit Uttamchandani wrote:
> Hi there,
>
> I installed firestarter on Debian Etch. From my understanding it is pretty
> much a front end to the ipstarter firewall. Everything has been going great
> except for one minor annoyance...
>
> Every time I connect to the campus network I get bombarded with broadcast
> SMB packets...from my understanding, addresses of printers and shared
> drives...iTunes maybe?
[...]

Perhaps you need to set the logging message level through dmesg. Look at "man dmesg" and investigate the "-n" option. Once you've found the correct value to provide for "-n," you would place the appropriate command in /etc/init.d/rc.local or a custom init script, e.g.:

dmesg -n4

On my own machine, I wouldn't have any reservation with placing the command inside of /etc/init.d/firestarter, but that's just me ;-)

Also, you can do the same thing by setting the "-c" option for klogd (/etc/init.d/klogd).

Good luck.
Re: Firestarter dumping blocked events to console
On Wed, Apr 09, 2008 at 08:24:40PM -0700, Amit Uttamchandani wrote:
> Hi there,
>
> I installed firestarter on Debian Etch. From my understanding it is pretty
> much a front end to the ipstarter firewall. Everything has been going great
> except for one minor annoyance...
...
>
> Anyways, as soon as the laptop boots..i see all the dmesgs and everything is
> fine...when the iptables starts ... it starts dumping everything to the
> console. Thus, I don't know when start up has completed and the login prompt
> has been displayed (I don't use an X login manager). I just blindly type my
> username and password and hope that it works.
>
> So is there anyway to redirect the output of the blocked connections for
> iptables?
>
> Here is the tail of dmesg by the way...
>
> Inbound IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:xx:xx:xx:xx:xx:xx:xx:xx
> SRC=130.166.175.175 DST=130.166.175.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
> ID=27327 PROTO=UDP SPT=137 DPT=137 LEN=58
> Inbound IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:xx:xx:xx:xx:xx:xx:xx:xx
> SRC=130.166.173.13 DST=130.166.175.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128
> ID=40118 PROTO=UDP SPT=138 DPT=138 LEN=209

look at /etc/sysctl.conf, there is a line you can uncomment to reduce low level kernel messages on the console:

kernel.printk = 4 4 1 7

also, look at the log level you are using in your firestarter config. I'm not familiar with firestarter, but shorewall lets you set the log level of different kinds of actions the firewall performs. I'm confident there is a way to do it through firestarter as well.

A
Firestarter dumping blocked events to console
Hi there,

I installed firestarter on Debian Etch. From my understanding it is pretty much a front end to the ipstarter firewall. Everything has been going great except for one minor annoyance...

Every time I connect to the campus network I get bombarded with broadcast SMB packets...from my understanding, addresses of printers and shared drives...iTunes maybe?

Anyways, as soon as the laptop boots..i see all the dmesgs and everything is fine...when the iptables starts ... it starts dumping everything to the console. Thus, I don't know when start up has completed and the login prompt has been displayed (I don't use an X login manager). I just blindly type my username and password and hope that it works.

So is there anyway to redirect the output of the blocked connections for iptables?

Here is the tail of dmesg by the way...

Inbound IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:xx:xx:xx:xx:xx:xx:xx:xx SRC=130.166.175.175 DST=130.166.175.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=27327 PROTO=UDP SPT=137 DPT=137 LEN=58
Inbound IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:xx:xx:xx:xx:xx:xx:xx:xx SRC=130.166.173.13 DST=130.166.175.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=40118 PROTO=UDP SPT=138 DPT=138 LEN=209

And there are hundreds of these lines...I replaced all the destination mac addresses with XX values...

Thanks,
Amit
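The replies above lower the console log level so the "Inbound IN=eth2 ... PROTO=UDP SPT=137 DPT=137" lines stop scrolling over the login prompt. Before doing that, it helps to know what the flood actually is, so that NetBIOS broadcast noise can get its own silent DROP rule while other blocked traffic keeps being logged. The script below is an added example, not from the thread or from Firestarter: it parses netfilter log lines in the format Amit posted and counts them per protocol/destination port, flagging broadcast destinations. The log lines it reads are constructed in that format using TEST-NET addresses.

```shell
#!/bin/sh
# Added example (not from the thread): triage Firestarter/netfilter log
# lines by protocol and destination port, marking broadcast destinations.
# Lines look like:
#   Inbound IN=eth2 OUT= MAC=... SRC=a.b.c.d DST=a.b.c.255 ... PROTO=UDP SPT=137 DPT=137 LEN=58

# summarize_netfilter_log FILE: print "COUNT PROTO/DPT KIND" per key,
# highest count first. KIND is "broadcast" when DST ends in .255 or is
# 255.255.255.255, otherwise "unicast". Protocols without a DPT (ICMP)
# get "-" as the port.
summarize_netfilter_log() {
    awk '
        /PROTO=/ {
            split("", kv)                       # clear key/value map per line
            for (i = 1; i <= NF; i++)
                if (split($i, p, "=") == 2) kv[p[1]] = p[2]
            kind = (kv["DST"] ~ /\.255$/ || kv["DST"] == "255.255.255.255") ? "broadcast" : "unicast"
            dpt  = ("DPT" in kv) ? kv["DPT"] : "-"
            n[kv["PROTO"] "/" dpt " " kind]++
        }
        END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# top_noise FILE: the single busiest key, e.g. "UDP/137 broadcast".
# That is the traffic worth a dedicated non-logging DROP rule.
top_noise() {
    summarize_netfilter_log "$1" | head -n 1 | cut -d' ' -f2-
}

# Constructed sample log (TEST-NET 192.0.2.0/24, made-up MACs and IDs),
# in the format Firestarter writes via the kernel LOG target.
sample_log() {
cat <<'EOF'
Inbound IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:d3:aa:bb:01:08:00 SRC=192.0.2.175 DST=192.0.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=27327 PROTO=UDP SPT=137 DPT=137 LEN=58
Inbound IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:d3:aa:bb:02:08:00 SRC=192.0.2.13 DST=192.0.2.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=40118 PROTO=UDP SPT=138 DPT=138 LEN=209
Inbound IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:d3:aa:bb:03:08:00 SRC=192.0.2.20 DST=192.0.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=27401 PROTO=UDP SPT=137 DPT=137 LEN=58
Inbound IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:d3:aa:bb:04:08:00 SRC=192.0.2.31 DST=192.0.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=27455 PROTO=UDP SPT=137 DPT=137 LEN=58
Inbound IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:d3:aa:bb:05:08:00 SRC=192.0.2.13 DST=192.0.2.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=40119 PROTO=UDP SPT=138 DPT=138 LEN=209
Inbound IN=eth2 OUT= MAC=00:1c:42:aa:bb:cc:00:16:d3:aa:bb:06:08:00 SRC=192.0.2.9 DST=192.0.2.42 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1122 PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

demo() {
    f=$(mktemp)
    sample_log > "$f"
    summarize_netfilter_log "$f"
    echo "busiest: $(top_noise "$f")"
    rm -f "$f"
}

demo
```

On a live system, run it against the kernel log (`dmesg | grep 'IN=' > /tmp/fw.log; summarize_netfilter_log /tmp/fw.log`) to see whether the console flood is really all broadcast NetBIOS.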
Re: Firestarter
On Sun December 2 2007, Darko wrote:
> > Kmenu - Debian - Applications - Network - Monitoring - FIRESTARTER
>
> This part is missing
>
> Monitoring - FIRESTARTER

someone mentioned installing the application called menu:
sudo aptitude install menu
then run update-menus
if firestarter is installed, then it will show up in the menus. Mine was already there, don't know why.

-- 
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459
Re: Firestarter
Paul Cartwright wrote:
> On Sat December 1 2007, Darko wrote:
>>> try going to the start
>>> menu-Debian-applications-network-monitoring-firestarter
>>>
>>> I got your same error when I try it from a konsole, but it works from the
>>> menu
>>
>> But where from the menu i can't find it on my kde if i try from
>> /usr/sbin/ then it tells me that I must be a root
>
> I just showed you the menu:
> Kmenu - Debian - Applications - Network - Monitoring - FIRESTARTER

This part is missing

Monitoring - FIRESTARTER
Re: Firestarter
Darko wrote:
<snip>
> But where from the menu i can't find it on my kde

Install the package 'menu', then after any apt update/upgrade, type 'update-menus' while still at the command line, and firestarter is one of the many packages that conform to that requirement.

> if i try from /usr/sbin/ then it tells me that I must be a root

Of course it does. It will from the menu also. What's the point in having a firewall that any user can configure?

Regards,
David.
Re: Firestarter
On Sat December 1 2007, Darko wrote:
> > try going to the start
> > menu-Debian-applications-network-monitoring-firestarter
> >
> > I got your same error when I try it from a konsole, but it works from the
> > menu
>
> But where from the menu i can't find it on my kde if i try from
> /usr/sbin/ then it tells me that I must be a root

I just showed you the menu:
Kmenu - Debian - Applications - Network - Monitoring - FIRESTARTER

-- 
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459
Re: Firestarter
Paul Cartwright wrote:
> On Sat December 1 2007, Darko wrote:
>>> You normally don't need --reinstall, that causes the package to be fully
>>> removed before reinstallation.
>>
>> I did and i cant start it from default user and after su it says:
>> (firestarter:) gtk warning canot open display
>
> try going to the start menu-Debian-applications-network-monitoring-firestarter
>
> I got your same error when I try it from a konsole, but it works from the menu

But where from the menu i can't find it on my kde if i try from /usr/sbin/ then it tells me that I must be a root
Re: Firestarter
On Sat, Dec 01, 2007 at 10:37:15 +, Darko wrote:
> Patter wrote:
>> On Fri, 30 Nov 2007 15:50:11 +0100, Michael Pobega wrote:
>>> On Fri, Nov 30, 2007 at 08:30:46AM +, Darko wrote:
>>>> I deinstalled gnome and now I can't start firestarter. Is there a way to
>>>> run it under KDE?
>>>
>>> apt-get install --reinstall firestarter
>>
>> You normally don't need --reinstall, that causes the package to be fully
>> removed before reinstallation.
>
> I did and i cant start it from default user and after su it says:
> (firestarter:) gtk warning canot open display

apt-cache show sux

(You need to transfer your default user's X credentials to root; "sux" does that automatically for you.)

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
Re: Firestarter
On Sat December 1 2007, Darko wrote:
> > You normally don't need --reinstall, that causes the package to be fully
> > removed before reinstallation.
>
> I did and i cant start it from default user and after su it says:
> (firestarter:) gtk warning canot open display

try going to the start menu-Debian-applications-network-monitoring-firestarter

I got your same error when I try it from a konsole, but it works from the menu

-- 
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459
Re: Firestarter
Patter wrote:
> On Fri, 30 Nov 2007 15:50:11 +0100, Michael Pobega wrote:
>> On Fri, Nov 30, 2007 at 08:30:46AM +, Darko wrote:
>>> I deinstalled gnome and now I can't start firestarter. Is there a way to
>>> run it under KDE?
>>
>> apt-get install --reinstall firestarter
>
> You normally don't need --reinstall, that causes the package to be fully
> removed before reinstallation.

I did and i cant start it from default user and after su it says:
(firestarter:) gtk warning canot open display
Re: Firestarter
On Fri, 30 Nov 2007 15:50:11 +0100, Michael Pobega wrote:
> On Fri, Nov 30, 2007 at 08:30:46AM +, Darko wrote:
>> I deinstalled gnome and now I can't start firestarter. Is there a way to
>> run it under KDE?
>
> apt-get install --reinstall firestarter

You normally don't need --reinstall, that causes the package to be fully removed before reinstallation.

-- 
Stephen Patterson :: [EMAIL PROTECTED] :: http://patter.mine.nu/
GPG: B416F0DE :: Jabber: [EMAIL PROTECTED]
"Don't be silly, Minnie. Who'd be walking round these cliffs with a gas oven?"
Re: Firestarter
On Fri, Nov 30, 2007 at 08:30:46AM +, Darko wrote:
> I deinstalled gnome and now I can't start firestarter. Is there a way to
> run it under KDE?

apt-get install --reinstall firestarter

-- 
If programmers deserve to be rewarded for creating innovative programs, by the same token they deserve to be punished if they restrict the use of these programs.
- Richard Stallman
Re: Firestarter
Darko wrote:
> I deinstalled gnome and now I can't start firestarter. Is there a way to run it under KDE?

Just reinstall it. It should drag in all the libs necessary to run it without having to run a full Gnome install. I don't have a full Gnome desktop, I simply don't need it. I just install what I need, and along with X and a small window manager like fluxbox, it's all I need.

Regards,
David.
Firestarter
I deinstalled gnome and now I can't start firestarter. Is there a way to run it under KDE?
Re: Firestarter VS Shorewall
On Sun, 4 Mar 2007 19:50:17 -0500 [EMAIL PROTECTED] wrote:
> On Sat, Mar 03, 2007 at 11:19:02PM +0200, Andrei Popescu wrote:
>>
>> 70MB is *huge* amount of data to install *only* to have a gui. IMHO
>> firestarter is only useful if you already have X installed, though
>> this is a bad idea on a server.
>
> You could run X on another system. People tend to forget that X is a
> networked protocol.

But you still need parts of X installed on the server, err, client in X speak.

Regards,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
separating x client from x server (was: Firestarter VS Shorewall)
On Mon, Mar 05, 2007 at 02:51:48AM +0100, Andreas Duffner wrote:
> [EMAIL PROTECTED] wrote:
> >You could run X on another system. People tend to forget that X is a
> >networked protocol.
>
> mmm. I am not sure we are talking about the same thing.
> If yes.. then I'd like to learn how to do it the other way.
>
> But to be sure I will tell how I see it. If you still think otherwise,
> please point me to some docu. Or at least say so. That would be cool.
>
>
> What I think, how it is (not sure though)
> To export the display of a program you need
> a running X-Server at the computer where the display will
> point to.

Right,

> And where the program runs,

You don't need an X server where the program runs. The X server is the thing that provides the display.

> you need some X-files
> (no, not the ones with the small grey things from ufos),
> some stuff from X, too.
>
> That is the reason why I talk about ca. 70 MB.
> FireStarter is small. But to start the gui, the
> system wants some other files.
> At least, I thought so until now.
>
> When I say "apt-get install firestarter" it will
> get firestarter + needed files.
> And if I have no X related files there, it starts to
> download lots of them.
>
> Do I understand you right, that I do not have to
> download these X-files, if I intend to export the display
> to another computer ?
>
> That would be really nice.

That's right. The program you're running *is* the X client, and it needs an X server to display its stuff on. Usually it uses the DISPLAY environment variable to find it.

I used to do this all the time in my full-time job circa 1990. I had my program, the window manager, and the display all running on different machines. However, since then people have become much more paranoid about security, and now there are hoops you have to jump through to break down the security barriers to get this to work.

Can anyone enlighten me about the details of doing this on a closed LAN where there are no particular security problems?

One way that is apparently compatible with today's paranoia appears to be to use an option on ssh (I believe it's ssh -X) to get ssh to carry the X protocol. I'm not sure of the details, except that it appears to require configuration on both the client and server side.

-- 
hendrik
Re: Firestarter VS Shorewall
Andreas writes:
> Do I understand you right, that I do not have to download these X-files,
> if I intend to export the display to another computer ?

You need some libraries but no X-server. Firestarter 1.0.3-1.3 dependencies:

libart-2.0-2 (>= 2.3.16), libatk1.0-0 (>= 1.12.2), libaudiofile0 (>= 0.2.3-4), libavahi-client3 (>= 0.6.13), libavahi-common3 (>= 0.6.10), libavahi-glib1 (>= 0.6.12), libbonobo2-0 (>= 2.13.0), libbonoboui2-0 (>= 2.5.4), libc6 (>= 2.3.6-6), libcairo2 (>= 1.2.4), libdbus-1-3, libesd0 (>= 0.2.35) | libesd-alsa0 (>= 0.2.35), libfontconfig1 (>= 2.3.0), libfreetype6 (>= 2.2), libgconf2-4 (>= 2.13.5), libgcrypt11 (>= 1.2.2), libglade2-0 (>= 1:2.5.1), libglib2.0-0 (>= 2.10.0), libgnome-keyring0 (>= 0.4.3), libgnome2-0 (>= 2.14.1), libgnomecanvas2-0 (>= 2.11.1), libgnomeui-0 (>= 2.13.0), libgnomevfs2-0 (>= 2.13.92), libgnutls13 (>= 1.4.0-0), libgpg-error0 (>= 1.2), libgtk2.0-0 (>= 2.8.0), libice6 (>= 1:1.0.0), libjpeg62, liborbit2 (>= 1:2.10.0), libpango1.0-0 (>= 1.12.3), libpng12-0 (>= 1.2.8rel), libpopt0 (>= 1.10), libsm6, libtasn1-3 (>= 0.3.4), libx11-6, libxcursor1 (>> 1.1.2), libxext6, libxfixes3, libxi6, libxinerama1, libxml2 (>= 2.6.26), libxrandr2, libxrender1, zlib1g (>= 1:1.2.1), gconf2 (>= 2.10.1-2), iptables (>= 1.2.11), gksu (>= 0.8.5)

All that to edit a few text files? Amazing.
-- 
John Hasler
Re: Firestarter VS Shorewall
On Mon, Mar 05, 2007 at 02:51:48AM +0100, Andreas Duffner wrote:
>
> Do I understand you right, that I do not have to
> download these X-files, if I intend to export the display
> to another computer ?
>
> That would be really nice.
>

You need the xbase-clients package at a very minimum. You ssh in to the machine using the -X commandline option (or the "ForwardX11 Yes" option in your client configuration) and then run the application; it should simply display back to your local workstation.

Regards,
-Roberto
-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Firestarter VS Shorewall
[EMAIL PROTECTED] wrote:
> You could run X on another system. People tend to forget that X is a
> networked protocol.

mmm. I am not sure we are talking about the same thing. If yes.. then I'd like to learn how to do it the other way.

But to be sure I will tell how I see it. If you still think otherwise, please point me to some docu. Or at least say so. That would be cool.

What I think, how it is (not sure though): To export the display of a program you need a running X-Server at the computer where the display will point to. And where the program runs, you need some X-files (no, not the ones with the small grey things from ufos), some stuff from X, too.

That is the reason why I talk about ca. 70 MB. FireStarter is small. But to start the gui, the system wants some other files. At least, I thought so until now.

When I say "apt-get install firestarter" it will get firestarter + needed files. And if I have no X related files there, it starts to download lots of them.

Do I understand you right, that I do not have to download these X-files, if I intend to export the display to another computer?

That would be really nice.

Cu,
Andreas
Re: Firestarter VS Shorewall
On Sat, Mar 03, 2007 at 11:19:02PM +0200, Andrei Popescu wrote:
>
> 70MB is *huge* amount of data to install *only* to have a gui. IMHO
> firestarter is only useful if you already have X installed, though this
> is a bad idea on a server.

You could run X on another system. People tend to forget that X is a networked protocol.

-- 
hendrik
Re: Firestarter VS Shorewall
Andrei Popescu wrote:
>>>> I use ssh with X11 forwarding to manage the firewall.
>>> With firestarter? How?
>
> [snip X11 forwarding stuff]
>
> If *that* isn't shooting a fly with a cannon, than I don't know what is.
> [snip rant against console users]

You *really* do not read what others write? Just *read* it. I do *not* rant against console users. I *do* use the console. Is it too complicated for you to understand, that someone DOES use the console but DOES also use the gui if the gui is easier in *his* opinion?

And please no senseless comments about how easy this or that is. If something is easier for me, then it *is* easier for me.

Please do not lie about my messages. I DO NOT RANT AGAINST CONSOLE USERS! Ok? got it? Really? if not.. read it again. and again and again.

I really have to say that my last message was not really to discuss something. You just wrote silly stuff. If I write how to use a gui program via ssh and you write about "shooting with cannon", then you did not get it. It is supposed to be used that way. Why do you think is the gui behaving that way? Why do X-Servers exist? Why not do it the windows way? Do you ever *think*?

> "IMHO firestarter is only useful if you already have X installed"

Ok. So you have a desktop without X? Or what? Do you really try to tell me that any admin will admin his servers from a pc without a desktop? Are you ... .. No. I will not use such words. But really. I dont think you are worth to talk to. I will now start looking if my program can filter users.

> If this is a multi-purpose machine which already runs X for some reason
> then no problem, but having X installed on the firewall/router just for
> configuration purposes is bad security practice.

That is nonsense. Did you understand what I told about ssh? Do you want to tell me, that ssh is unsecure?

Ok. it is late at night. But I *really* need a filter for your messages... Hopefully I will not ever read anything about you.
Re: Firestarter VS Shorewall
On Sun, 04 Mar 2007 17:09:10 +0100 Andreas Duffner <[EMAIL PROTECTED]> wrote:

> Andrei Popescu wrote:
>>>> I use ssh with X11 forwarding to manage the firewall.
>>> With firestarter? How?
>> [snip X11 forwarding stuff]
>> If *that* isn't shooting a fly with a cannon, then I don't know what is.
> [snip rant against console users]

Please read my other mail carefully:

"IMHO firestarter is only useful if you already have X installed"

If this is a multi-purpose machine which already runs X for some reason then no problem, but having X installed on the firewall/router just for configuration purposes is bad security practice. If you want to do this on your system, you are free to do so, but *please* don't recommend it to others.

Regards,
Andrei

--
If you can't explain it simply, you don't understand it well enough. (Albert Einstein)
Re: Firestarter VS Shorewall
Andrei Popescu wrote:

>> I use ssh with X11 forwarding to manage the firewall.
> With firestarter? How?
> [snip X11 forwarding stuff]
> If *that* isn't shooting a fly with a cannon, then I don't know what is.

Mmm. So why do you use shorewall at all? It is like using a pistol against an unarmed invader.

*WHAT* is the point of your message? I don't tell you how to do things. I like it that way. I do it that way. If you don't like it... I DO *NOT* CARE!

Ok. You can edit files with the text editor. Fine. Nice. COL. I want my work done. We all know that it is possible to configure a firewall with a text editor. You may use vi. Or even a line based one. Who cares? If you like it, do it.

I have to say that you are perhaps on the wrong operating system, if you want to do it the way it was done by your grandfather. Linux is an operating system which is getting easier to use every day. So if someone does it the easy way, what is the point of patronizing messages? The good thing about Linux is that it is possible to do it with the command line *and* (more and more) with the gui. But trying to show off by telling "I am using the command line" is just not working, because it means you don't understand the concept. It is not *better*.

Please stop writing such mails. We all know what kind of people do that.
Re: Firestarter VS Shorewall
On Sun, 04 Mar 2007 02:03:51 +0100 Andreas Duffner <[EMAIL PROTECTED]> wrote:

>>> I use ssh with X11 forwarding to manage the firewall.
>> With firestarter? How?
> [snip X11 forwarding stuff]

If *that* isn't shooting a fly with a cannon, then I don't know what is.

With shorewall I just open a normal ssh session and change some config file with very decent syntax/explanations/examples. This works even over a slow link or with machines where disk space is very limited.

Regards,
Andrei

--
If you can't explain it simply, you don't understand it well enough. (Albert Einstein)
Re: Firestarter VS Shorewall
On 1 Mar 2007 08:41:10 -0800, Jordi <[EMAIL PROTECTED]> wrote:

> Hello
>
> I saw two good firewalls:
> - Firestarter which is easy
> - Shorewall which seems versatile
>
> Which is best for a single server pc? Is the complexity of shorewall worth the effort or is firestarter as good as shorewall?

ShoreWall is great; if you want a non-gui but also easy way to configure a simple firewall based on Iptables, try this one.

http://linux.go2linux.org/node/3

regards.

--
Guillermo Garron
"Linux IS user friendly... It's just selective about who its friends are."
(Using FC6, CentOS4.4 and Ubuntu 6.06)
http://feeds.feedburner.com/go2linux
http://www.go2linux.org
Re: Firestarter VS Shorewall
Andreas Duffner writes:

> WebInterface...

So you have a Web server running on your firewall. Not good.

> ...so you do not *have* to install some software.

You wouldn't have to install software to use ssh.

> [QOS] would be really cool. I'd like to have it.

Linux already has it.

--
John Hasler
Re: Firestarter VS Shorewall
>> I use ssh with X11 forwarding to manage the firewall.
> With firestarter? How?

On my side, in /etc/ssh/ssh_config (that is for the client):

ForwardX11 yes

That way you don't have to say "ssh -X bla bla".

On the other side, in /etc/ssh/sshd_config (that is for the server):

X11Forwarding yes

Then I allow via firestarter on the server incoming connections on "the" ssh port. Whatever that is for you. Normally 22. That is it. No other incoming or outgoing ports are needed on the server for the firestarter gui to work that way.

Hope it works. *crosses fingers*

Andreas
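A small audit script for the setting this post relies on, added here as an example (it is not part of the thread and not firestarter's or OpenSSH's code): it reads an OpenSSH config file with OpenSSH's first-match rule and reports whether X11Forwarding is on, so the operator of a firewall host can confirm what sshd actually allows. It assumes POSIX sh with awk, considers only the global section before any Match block, and works on constructed sample files rather than /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the thread: audit the X11Forwarding setting
# in an OpenSSH config file. Assumes POSIX sh + awk. Only the global
# section (before any "Match" block) is read.

# ssh_option FILE KEYWORD
# Print the effective value of KEYWORD from FILE, or nothing if unset.
# OpenSSH semantics: keywords are case-insensitive, the FIRST occurrence
# wins, lines whose first non-blank character is "#" are comments, and
# "Keyword value" and "Keyword=value" are both accepted.
ssh_option() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                       # comment line
        /^[ \t]*$/ { next }                       # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # leading whitespace
            sub(/[ \t]+$/, "", line)              # trailing whitespace
            if (match(line, /[ \t=]+/)) {         # keyword / value split
                key = substr(line, 1, RSTART - 1)
                val = substr(line, RSTART + RLENGTH)
            } else {
                key = line; val = ""
            }
            key = tolower(key)
            if (key == "match") exit              # global section ends
            if (key == want) { print val; exit }  # first match wins
        }' "$1"
}

# x11_forwarding_enabled FILE
# Succeed (exit 0) only when X11Forwarding resolves to "yes". sshd's
# built-in default is "no", so a missing keyword counts as disabled.
x11_forwarding_enabled() {
    _v=$(ssh_option "$1" X11Forwarding | tr 'A-Z' 'a-z')
    [ "$_v" = "yes" ]
}

# audit_x11 FILE: one-line verdict for a report or a cron mail.
audit_x11() {
    if x11_forwarding_enabled "$1"; then
        echo "$1: X11Forwarding yes (forwarded sessions let the server reach the connecting client's X display)"
    else
        echo "$1: X11Forwarding no"
    fi
}

# Constructed sample sshd_config mirroring the post: X11 forwarding on,
# only the ssh port exposed. A later duplicate and a Match block must
# NOT override the first global value.
SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
# constructed sample, not a real /etc/ssh/sshd_config
Port 22
   # indented comment, still a comment
X11Forwarding yes
X11Forwarding no
Match User backup
    X11Forwarding no
EOF

audit_x11 "$SAMPLE_SSHD"
```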
Re: Firestarter VS Shorewall
Jordi wrote:

> Anyway, please give me opinions about the router by SMC Networks: 7904WBRA2
> http://www.smc.com/index.cfm?event=viewProduct&localeCode=EN_USA&pid=1588

First I have no wide knowledge of routers. I only know some. But I can tell you what I think while reading the data sheet. Perhaps it helps, perhaps it is a 2nd sheet. Spell it the other way.

4 LAN ports should be enough, or do you know otherwise. For example for me 4 ports are too few. But I can't buy another...

WebInterface, so you do not *have* to install some software.

That "Quality-of-Service gives priority to real-time, delay sensitive applications like Voice-over-IP and video-on-demand to improve the user experience." sounds to me like: give some type of connection priority. That would be really cool. I'd like to have it. I do not know if I understand it correctly.

WPA for wireless is good, because WEP has been broken.

DHCP server and NAT are a must have.

UPNP is bad. For me. So it should be possible to disable it. (it allows any application on the inside to open ports on the router)

In the requirements are browsers from different OSes listed. That is good. So you are not left with a router which *needs* IE.

Some things are ok. A lot of things mean nothing to me. I'd *like* to have that thing to try the unknown things out. :-)

Cu,
A.
Re: Firestarter VS Shorewall
On Sat, 03 Mar 2007 14:25:12 +0100 Andreas Duffner <[EMAIL PROTECTED]> wrote:

> So I just want a working firewall.
> And firestarter does this job.
> I do not know about complex setups with multiple servers.
> I am just using one server, client etc at the time.
> The firewall shall protect one computer at a time.
> And so I use firestarter everywhere.
> I use ssh with X11 forwarding to manage the firewall.

With firestarter? How?

> If I have a pure debian server without gui, it takes
> ca. 70 MB extra space to install firestarter + gui bla bla.
> Then I can use the firestarter gui to setup.

70MB is a *huge* amount of data to install *only* to have a gui. IMHO firestarter is only useful if you already have X installed, though this is a bad idea on a server.

> But I do not know, if shorewall is better or worse.

Shorewall is very easy to setup. Please see:

http://newbiedoc.berlios.de/wiki/Firewall_with_masquerading

Regards,
Andrei

--
If you can't explain it simply, you don't understand it well enough. (Albert Einstein)
Re: Firestarter VS Shorewall
Thanks Andreas. I agree with most that you said, as I am very pragmatic on my needs. I think I will buy the router I said, which looks a very strong router from a security point of view, and plus install firestarter and some other utility if I need.

And things sometimes are not so complex. For example, in Xubuntu you can install all in graphical mode, start the server through Terminal, and then, if you want to save more resources, it can be done through an option. So you exit the graphical environment and the server continues working, with all resources available. To return to the graphical GUI, just another command. So no need for masochism typing dozens of commands to do what you can graphically, at least when you have your pc at hand like me.

Yes I know most people may say this is not professional, and I am missing learning lots of shell commands, but I know enough, and I already have to have so many things in mind, so this would be a RESOURCE LEAK for my brain hahahaha!!

Anyway, please give me opinions about the router by SMC Networks: 7904WBRA2
http://www.smc.com/index.cfm?event=viewProduct&localeCode=EN_USA&pid=1588

Thanks
Jordi
Re: Firestarter VS Shorewall
Peter writes:

> Or, if you like ease of use (great web based GUI)...

I do not want a Web server running on my router.

--
John Hasler
Re: Firestarter VS Shorewall
On 3-mrt-2007, at 14:52, John Hasler wrote:

> Jordi writes:
>> To have a good hardware firewall buy a good router-switch or a specific hardware device.
>
> To have a good hardware firewall buy a cheap used pc, install Linux on it, and configure it as a router and firewall.

Or, if you like ease of use (great web based GUI) combined with powerful functions out of the box, commit adultery and install m0n0wall (based on freebsd). Keeps me happy. I use an old pII with 64MB and 3 3com fast ethernet cards; wan up & download and heavy traffic between lan & DMZ runs flawlessly with the processor never getting above 30%.

Peter
Re: Firestarter VS Shorewall
Jordi writes:

> To have a good hardware firewall buy a good router-switch or a specific
> hardware device.

To have a good hardware firewall buy a cheap used pc, install Linux on it, and configure it as a router and firewall.

--
John Hasler
Re: Firestarter VS Shorewall
On Sat, Mar 03, 2007 at 08:08:36AM +, David Hart wrote:

> If you need to manage a half-dozen zones the chances are that you'll
> be doing packet filtering on specialized hardware so shorewall will
> be of no use.

Well, chances are you don't know what you are talking about. Please go look at some of the shorewall mailing list archives. People implement some very complex configurations with shorewall. Besides, shorewall also allows you to do some neat things like have a layer-2 bridge that also does layer-3 filtering very easily. Doing layer-3 filtering in a layer-2 device is technically a violation of the network model, but is very handy nonetheless.

Regards,
-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Firestarter VS Shorewall
Jordi wrote:

> I saw two good firewalls:
> - Firestarter which is easy
> - Shorewall which seems versatile
>
> Which is best for a single server pc? Is the complexity of shorewall worth the effort or is firestarter as good as shorewall?

I can only tell about firestarter. Perhaps it helps a bit.

First, about the "understanding what is happening"-argument: I do not want to know about the lowest level of my firewall. I do not program in assembler, I use C++ or C#. With an assembler I would have "a better understanding of what is happening". I do not need it. I want a solution. I do not write my own operating system for the same reason.

So I just want a working firewall. And firestarter does this job. I do not know about complex setups with multiple servers. I am just using one server, client etc at the time. The firewall shall protect one computer at a time. And so I use firestarter everywhere. I use ssh with X11 forwarding to manage the firewall.

If I have a pure debian server without gui, it takes ca. 70 MB extra space to install firestarter + gui bla bla. Then I can use the firestarter gui to setup. It shows the active connections, it has a mode where it stops all outgoing connections per default (this has to be activated: one click) etc. Before you use this option, you should enable ssh :-)

It is just great. But I do not know if shorewall is better or worse.

Cu,
Andreas
Re: Firestarter VS Shorewall
Thanks for the links. I asked in the Ubuntu forum too and they told me that it may be unnecessary to combine a hardware firewall and a software firewall (iptables or any other that uses it). But they said I can do it, if I am paranoid. And as you said, the correct place to stop an intruder is BEFORE they cross the router.

As has been said in all these conversations here in Debian and Ubuntu, we could summarize:

- A hardware firewall is better than a software firewall.
- You can combine software and hardware firewall.
- But if you do that, you won't get a fantastic improvement on security.
- All software firewalls use iptables, but some allow extra features.
- To have a good hardware firewall buy a good router-switch or a specific hardware device.

If something is wrong please correct me.

In order to find a good router with firewall I saw this in the pc shop:
http://www.smc.com/index.cfm?event=viewProduct&localeCode=EN_USA&pid=1588

It is the 7904WBRA2 of the company named SMC Networks. The text says this:

- The SMC7904WBRA2 combines an ADSL2/2+ modem, router, 4-port 10/100 LAN switch, 802.11g wireless access point & robust SPI firewall making it the complete solution for securely connecting & sharing your high speed ADSL connection, wired or wirelessly. It gives you instant always on internet connectivity with download speeds up to 24Mbps - ideal for streaming multimedia content to the home. The EZ Installation Wizard with on-screen help configures your ADSL connection & wireless network in 5 easy to follow steps. Quality-of-Service gives priority to real-time, delay sensitive applications like Voice-over-IP and video-on-demand to improve the user experience. The NAT firewall with Stateful Packet Inspection (SPI), Intrusion Detection System (IDS) & Denial-of-Service (DoS) provides robust security from hackers. VPN pass-through is also provided for securely connecting to your office or corporate network.

- It seems it has good protection: hardware firewall, IDS and protection against DoS. It is thought both for personal and corporate use. Seems good.

Should I buy this router-modem-switch?

So long,
Jordi
Re: Firestarter VS Shorewall
On Sat, Mar 03, 2007 at 08:08:36AM +, David Hart wrote:

> On Thu 2007-03-01 16:05:32 -0500 Roberto C. Sanchez wrote:
>> On Thu, Mar 01, 2007 at 09:45:41PM +0100, Franck Joncourt wrote:
>>> On Thu, Mar 01, 2007 at 11:56:41AM -0800, Jordi wrote:
>>>>
>>>> John, that seems too complicated for me, but seems good as it is a
>>>> hardware firewall.
>>>> Roberto, seems you like to do a control of all parameters, you must be
>>>> an expert. I will try to do as you say, and learn a bit.
>>>
>>> Want to set up a firewall ; it is better to know what you do :)!
>>> I started using iptables first, and now it is quite difficult to change,
>>> even to try other stuff. So if you want to learn more, take a look at the
>>> iptables tutorial. However, I should admit it is time consuming.
>>
>> Right, like when you want a firewall to manage a half-dozen different
>> zones on your network, which is connected to several different ISPs,
>> while performing traffic shaping functions?
>
> If you need to manage a half-dozen zones the chances are that you'll
> be doing packet filtering on specialized hardware so shorewall will
> be of no use.

I have never said using iptables was the best solution; however, I think the understanding of netfilter/iptables might help. It is up to everyone to choose whether they want to get a better understanding of what they are doing, or not. He may not need to bother with all that. Anyway, iptables, fwbuilder, shorewall and others have their own advantages and drawbacks.

>> Having this in mind, do you know a good and simple solution? I will
>> have much time to learn for future, it is just to have a start point.
>
> I recommend
> http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
> written by Rusty Russell, the initial author and one of the current main
> developers of iptables/netfilter.
>
> He shows a simple six line firewall script at
> http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html.

Here is the link I use where you can get pretty useful information (for the future maybe 8)! ), as well:

- protocol description
- connection tracking
- iptables itself

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

There are some examples too.

--
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
Re: Firestarter VS Shorewall
On Thu 2007-03-01 16:05:32 -0500 Roberto C. Sanchez wrote:

> On Thu, Mar 01, 2007 at 09:45:41PM +0100, Franck Joncourt wrote:
>> On Thu, Mar 01, 2007 at 11:56:41AM -0800, Jordi wrote:
>>>
>>> John, that seems too complicated for me, but seems good as it is a
>>> hardware firewall.
>>> Roberto, seems you like to do a control of all parameters, you must be
>>> an expert. I will try to do as you say, and learn a bit.
>>
>> Want to set up a firewall ; it is better to know what you do :)!
>> I started using iptables first, and now it is quite difficult to change,
>> even to try other stuff. So if you want to learn more, take a look at the
>> iptables tutorial. However, I should admit it is time consuming.
>
> Right, like when you want a firewall to manage a half-dozen different
> zones on your network, which is connected to several different ISPs,
> while performing traffic shaping functions?

If you need to manage a half-dozen zones the chances are that you'll be doing packet filtering on specialized hardware so shorewall will be of no use.

On Fri 2007-03-02 04:31:18 -0800 Jordi wrote:

> I wonder if shorewall is for me like using a cannon to kill a flea.

It probably is.

> Having this in mind, do you know a good and simple solution? I will
> have much time to learn for future, it is just to have a start point.

I recommend
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
written by Rusty Russell, the initial author and one of the current main developers of iptables/netfilter.

He shows a simple six line firewall script at
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html.

--
David Hart <[EMAIL PROTECTED]>
Re: Firestarter VS Shorewall
On Thu, Mar 01, 2007 at 09:25:33PM +0100, Joe Hart wrote:

> Juergen Fiedler wrote:
>> On Thu, Mar 01, 2007 at 08:41:10AM -0800, Jordi wrote:
>>> Hello
>>>
>>> I saw two good firewalls:
>>> - Firestarter which is easy
>>> - Shorewall which seems versatile
>>>
>>> Which is best for a single server pc? Is the complexity of shorewall
>>> worth the effort or is firestarter as good as shorewall?
>>
>> The fact that Firestarter has a GUI tipped the scales for me - towards
>> Shorewall. While it may be nice to do the initial setup in a GUI,
>> being able to make modifications from anywhere over SSH has proven
>> valuable enough to justify the initial learning curve. And once you
>> 'got it', Shorewall isn't actually that hard to work with.
>>
>> Just my 2 cents
>> --j
>
> Firestarter and Shorewall are both just front-ends to iptables, but
> firestarter is simple (and has far less features than shorewall).
>
> Shorewall does appear complicated, but in fact, the examples only need
> minor editing for use.
>
> You could just use iptables directly, but _that_ is complicated.

I've never had any problem using iptables directly -- except when I upgraded from woody to sarge -- suddenly there was a firewall of sorts introduced by default and I couldn't get anything to work until I tracked it down in /etc and removed it.

--
hendrik
Re: Firestarter VS Shorewall
Jordi wrote:

> Oh yes,
>
> I will take all that is said in exam, and learn all to some degree.
> But I have so much work on Java, php, and virtual reality modelling
> languages, plus build the site, so I think I better build a simple
> server, as strong as I can. But can't spend months or years learning,
> I need to start developing just now.
>
> So if you know some tool that may be useful for a server like mine,
> that consist in just one machine, running a Debian based OS
> (Xubuntu), with a router with hardware firewall, please tell me. For
> many months, maybe years, there will be no more servers nor dsl lines,
> just 1 with 1 static ip.
> So I just want software for THIS situation. In next months or years, I
> will learn by the way, as I grow.
> But just wanted to know a good solution for this little server: 1 dsl
> line, 1 ip, 1 machine. No more.
> And better: I can use this server directly, with the keyboard, as I
> access to it with a KVM Switch. So don't need to manipulate it through
> ssh or nothing for now.
> I wonder if shorewall is for me like using a cannon to kill a flea.
>
> Having this in mind, do you know a good and simple solution? I will
> have much time to learn for future, it is just to have a start point.
>
> Thanks for replying
>
> Jordi

Jordi,

If it's just one box and you're not running any internet services on it, then you don't really need a firewall. You can always test how well your machine is protected by using one of the security scanners on the web such as:

http://www.auditmypc.com/

there are many more.

Joe
Re: Firestarter VS Shorewall
Oh yes,

I will take all that is said in exam, and learn all to some degree. But I have so much work on Java, php, and virtual reality modelling languages, plus build the site, so I think I better build a simple server, as strong as I can. But can't spend months or years learning, I need to start developing just now.

So if you know some tool that may be useful for a server like mine, that consists in just one machine, running a Debian based OS (Xubuntu), with a router with hardware firewall, please tell me. For many months, maybe years, there will be no more servers nor dsl lines, just 1 with 1 static ip. So I just want software for THIS situation. In next months or years, I will learn by the way, as I grow. But just wanted to know a good solution for this little server: 1 dsl line, 1 ip, 1 machine. No more. And better: I can use this server directly, with the keyboard, as I access to it with a KVM Switch. So don't need to manipulate it through ssh or nothing for now. I wonder if shorewall is for me like using a cannon to kill a flea.

Having this in mind, do you know a good and simple solution? I will have much time to learn for future, it is just to have a start point.

Thanks for replying

Jordi
Re: Firestarter VS Shorewall
On Thu, Mar 01, 2007 at 09:45:41PM +0100, Franck Joncourt wrote:

> On Thu, Mar 01, 2007 at 11:56:41AM -0800, Jordi wrote:
>> I take note, John and Roberto.
>>
>> John, that seems too complicated for me, but seems good as it is a
>> hardware firewall.
>> Roberto, seems you like to do a control of all parameters, you must be
>> an expert. I will try to do as you say, and learn a bit.
>
> Want to set up a firewall ; it is better to know what you do :)!
> I started using iptables first, and now it is quite difficult to change,
> even to try other stuff. So if you want to learn more, take a look at the
> iptables tutorial. However, I should admit it is time consuming.

Right, like when you want a firewall to manage a half-dozen different zones on your network, which is connected to several different ISPs, while performing traffic shaping functions?

Regards,
-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Firestarter VS Shorewall
On Thu, Mar 01, 2007 at 11:56:41AM -0800, Jordi wrote:

> I take note, John and Roberto.
>
> John, that seems too complicated for me, but seems good as it is a
> hardware firewall.
> Roberto, seems you like to do a control of all parameters, you must be
> an expert. I will try to do as you say, and learn a bit.

Want to set up a firewall ; it is better to know what you do :)! I started using iptables first, and now it is quite difficult to change, even to try other stuff. So if you want to learn more, take a look at the iptables tutorial. However, I should admit it is time consuming.

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

--
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
Re: Firestarter VS Shorewall
Juergen Fiedler wrote:

> On Thu, Mar 01, 2007 at 08:41:10AM -0800, Jordi wrote:
>> Hello
>>
>> I saw two good firewalls:
>> - Firestarter which is easy
>> - Shorewall which seems versatile
>>
>> Which is best for a single server pc? Is the complexity of shorewall
>> worth the effort or is firestarter as good as shorewall?
>
> The fact that Firestarter has a GUI tipped the scales for me - towards
> Shorewall. While it may be nice to do the initial setup in a GUI,
> being able to make modifications from anywhere over SSH has proven
> valuable enough to justify the initial learning curve. And once you
> 'got it', Shorewall isn't actually that hard to work with.
>
> Just my 2 cents
> --j

Firestarter and Shorewall are both just front-ends to iptables, but firestarter is simple (and has far fewer features than shorewall).

Shorewall does appear complicated, but in fact, the examples only need minor editing for use.

You could just use iptables directly, but _that_ is complicated.

Joe
Re: Firestarter VS Shorewall
I take note, John and Roberto.

John, that seems too complicated for me, but seems good as it is a hardware firewall.
Roberto, seems you like to do a control of all parameters, you must be an expert. I will try to do as you say, and learn a bit.

Thanks for your opinions.

Jordi

On 1 mar, 19:50, "Roberto C. Sanchez" <[EMAIL PROTECTED]> wrote:

> On Thu, Mar 01, 2007 at 09:50:02AM -0800, Jordi wrote:
>> I saw that shorewall can have a GUI if I also install Webmin.
>>
>> Is Webmin a good tool to install? Has it some kind of disadvantage? Is it
>> better to not use webmin?
>
> Personally, I don't like webmin as it insulates too much from you. If
> you have many diverse machines to administer (e.g., some Solaris, mixed
> with RedHat, mixed with Debian, mixed with BSD), then Webmin is probably
> good, since it gives you a more "common" administrative interface.
> Other than that, it will only prevent you from learning the inner
> workings of your system.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sanchez
> http://people.connexer.com/~roberto
> http://www.connexer.com
Re: Firestarter VS Shorewall
On Thu, Mar 01, 2007 at 09:50:02AM -0800, Jordi wrote:

> I saw that shorewall can have a GUI if I also install Webmin.
>
> Is Webmin a good tool to install? Has it some kind of disadvantage? Is it
> better to not use webmin?

Personally, I don't like webmin as it insulates too much from you. If you have many diverse machines to administer (e.g., some Solaris, mixed with RedHat, mixed with Debian, mixed with BSD), then Webmin is probably good, since it gives you a more "common" administrative interface. Other than that, it will only prevent you from learning the inner workings of your system.

Regards,
-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Firestarter VS Shorewall
Jordi> I saw two good firewalls:
Jordi> - Firestarter which is easy
Jordi> - Shorewall which seems versatile

Just to be contrary, I like and use m0n0wall (http://www.m0n0.ch) at home on a WRAP board. Very nice, very quiet, plenty of performance. Nice web based interface, boots off compact flash, etc.

John
Re: Firestarter VS Shorewall
On Thu, Mar 01, 2007 at 08:41:10AM -0800, Jordi wrote:

> Hello
>
> I saw two good firewalls:
> - Firestarter which is easy
> - Shorewall which seems versatile
>
> Which is best for a single server pc? Is the complexity of shorewall
> worth the effort or is firestarter as good as shorewall?

The fact that Firestarter has a GUI tipped the scales for me - towards Shorewall. While it may be nice to do the initial setup in a GUI, being able to make modifications from anywhere over SSH has proven valuable enough to justify the initial learning curve. And once you 'got it', Shorewall isn't actually that hard to work with.

Just my 2 cents
--j
Re: Firestarter VS Shorewall
I saw that shorewall can have a GUI if I also install Webmin.

Is Webmin a good tool to install? Has it some kind of disadvantage? Is it better to not use webmin?

Thanks
Jordi
Re: Firestarter VS Shorewall
Thanks Roberto. I will do then the effort and try to install and use Shorewall.

Jordi
Re: Firestarter VS Shorewall
On Thu, Mar 01, 2007 at 08:41:10AM -0800, Jordi wrote:

> Hello
>
> I saw two good firewalls:
> - Firestarter which is easy
> - Shorewall which seems versatile
>
> Which is best for a single server pc? Is the complexity of shorewall
> worth the effort or is firestarter as good as shorewall?

Personally, I think that the effort is worth it for shorewall for these reasons:

1. reading the documentation will give you a much better understanding of what is happening
2. shorewall scales very well to a great many different roles, so your simple one server firewall today might tomorrow be routing traffic for a small network with a DMZ and doing traffic shaping

Regards,
-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Firestarter VS Shorewall
Hello

I saw two good firewalls:
- Firestarter which is easy
- Shorewall which seems versatile

Which is best for a single server PC? Is the complexity of shorewall worth the effort or is firestarter as good as shorewall?

Just this

Thanks

Jordi
Re: Firestarter bug?
Thanks to both Florian Kulzer and John Fleming. Both answers work.
Re: Firestarter bug?
On Sun, Jul 23, 2006 at 21:09:14 -0500, Default User wrote:
> Very strange.
>
> I installed Firestarter on Debian Stable (i386). It is picking up the
> routine periodic dhcp send events from my router, and sending them to
> the tty consoles, where they overwrite part of the screen. These are
> the same as what shows up in the Firestarter "events" screen.
>
> Note: this does not occur on the X terminals (i.e., xterm), so it was
> not noticed until I did CTRL-ALT-F1 (or CTRL-ALT-F2, etc).
>
> I uninstalled Firestarter, and the behavior stopped. I reinstalled
> Firestarter, and it started again.
>
> This makes it almost impossible to use the tty consoles. Is there a way
> to stop Firestarter from writing to the tty consoles uninvited?

You can either tell firestarter not to log these events anymore (probably a bad idea) or you can tell klogd to stop echoing low-level messages on the ttys. For the latter approach see for example here:

http://lists.debian.org/debian-user/2006/07/msg00068.html

If you are worried about missing messages after you change the setting then you can install the package "logcheck". It comes with a friendly daemon which will send you an email notification whenever something unusual is logged.

--
Regards,
Florian
Re: Firestarter bug?
- Original Message -
From: "Default User" <[EMAIL PROTECTED]>
To:
Sent: Sunday, July 23, 2006 10:09 PM
Subject: Firestarter bug?

Very strange.

I installed Firestarter on Debian Stable (i386). It is picking up the routine periodic dhcp send events from my router, and sending them to the tty consoles, where they overwrite part of the screen. These are the same as what shows up in the Firestarter "events" screen.

Note: this does not occur on the X terminals (i.e., xterm), so it was not noticed until I did CTRL-ALT-F1 (or CTRL-ALT-F2, etc).

I uninstalled Firestarter, and the behavior stopped. I reinstalled Firestarter, and it started again.

This makes it almost impossible to use the tty consoles. Is there a way to stop Firestarter from writing to the tty consoles uninvited?

I have the same behavior, and stopped it using dmesg -1 (See man dmesg). Maybe there's a better way, but this was perfect for my situation.

- John
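Both replies above (Florian's klogd suggestion and John's dmesg call) work on the same knob: the kernel console log level. iptables LOG lines, which is what Firestarter's "events" screen displays, are kernel messages, and the kernel copies any message whose priority number is below console_loglevel onto the text consoles. The script below is an added example, not code from either reply or from Firestarter; it reads the four fields of /proc/sys/kernel/printk, decides whether a LOG line would reach the ttys, and prints the temporary fix (`dmesg -n 1`, the current util-linux spelling of what John did) and the persistent one (a `kernel.printk` line for /etc/sysctl.conf). The sample printk line is constructed; the LOG target's default priority of 4 and the stock console_loglevel of 7 are kernel facts, the sysctl.conf route is the alternative to klogd's own `-c` option.

```shell
#!/bin/sh
# Added example (not from the thread, not Firestarter's code): reason about the
# kernel console log level that decides whether iptables LOG lines are echoed
# onto tty1..tty6.
#
# /proc/sys/kernel/printk holds four numbers:
#   console_loglevel default_message_loglevel minimum_console_loglevel default_console_loglevel
# A message is copied to the console only when its priority (0=emerg .. 7=debug)
# is strictly lower than console_loglevel. The iptables LOG target logs at
# level 4 (warning) by default and a stock kernel boots with console_loglevel 7,
# so every logged packet lands on the text consoles.

# console_loglevel_of PRINTK_LINE -> the first field ("7 4 1 7" -> 7)
console_loglevel_of() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# reaches_console PRINTK_LINE MSG_LEVEL -> succeeds when such a message is echoed
reaches_console() {
    [ "$2" -lt "$(console_loglevel_of "$1")" ]
}

# with_console_loglevel PRINTK_LINE NEW_LEVEL -> the same line with the first
# field replaced; this is the value for "kernel.printk = ..." in /etc/sysctl.conf
with_console_loglevel() {
    printf '%s\n' "$1" | awk -v lvl="$2" '{ $1 = lvl; print }'
}

# Constructed sample standing in for /proc/sys/kernel/printk on a stock kernel.
SAMPLE_PRINTK="7 4 1 7"

# Run with --show to inspect the live kernel value and print the two fixes.
if [ "${1:-}" = "--show" ]; then
    live=$(cat /proc/sys/kernel/printk)
    if reaches_console "$live" 4; then
        echo "console_loglevel=$(console_loglevel_of "$live"): level-4 LOG lines reach the ttys"
    else
        echo "console_loglevel=$(console_loglevel_of "$live"): level-4 LOG lines stay off the ttys"
    fi
    echo "temporary fix (root):  dmesg -n 1"
    echo "persistent fix (root): add 'kernel.printk = $(with_console_loglevel "$live" 1)' to /etc/sysctl.conf"
fi
```

Setting console_loglevel to 1 keeps only emergency messages on the consoles; the LOG lines still go to syslog, so the Firestarter events view and logcheck keep working. Run it as `sh printk-check.sh --show` to see the live value.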
Firestarter bug?
Very strange.

I installed Firestarter on Debian Stable (i386). It is picking up the routine periodic dhcp send events from my router, and sending them to the tty consoles, where they overwrite part of the screen. These are the same as what shows up in the Firestarter "events" screen.

Note: this does not occur on the X terminals (i.e., xterm), so it was not noticed until I did CTRL-ALT-F1 (or CTRL-ALT-F2, etc).

I uninstalled Firestarter, and the behavior stopped. I reinstalled Firestarter, and it started again.

This makes it almost impossible to use the tty consoles. Is there a way to stop Firestarter from writing to the tty consoles uninvited?
Re: Firestarter Blocks NetBIOS broadcasts on local LAN
This behavior occurs on boxes behind a router with only one interface. The problem is in the firestarter control script (/etc/firestarter/firestarter.sh) and fixed by fixing up the $BCAST variable after testing some other variables to make a best guess about whether or not the machine is behind a router.

See bug #369638 at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=369638
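The fix described above comes down to getting $BCAST right: a rule that drops "broadcasts from the external network" must not match the directed broadcast of the subnet the single interface actually sits on, or NetBIOS name queries (UDP 137/138 to that address) never get answered. The script below is an added example, not firestarter.sh and not the patch in bug #369638: it computes the local subnet's broadcast address from the interface's address and netmask, classifies a destination as local or foreign broadcast, and prints an illustrative rule set that keeps the local broadcast while dropping the rest. The IP/netmask inputs are constructed; the iptables rules are my own illustration of the idea, not Firestarter's.

```shell
#!/bin/sh
# Added example, not Firestarter's firestarter.sh: compute the directed broadcast
# address of the interface's own subnet (what a correct $BCAST needs) so that a
# "drop external broadcasts" rule can leave the local one alone.

# ip_to_int A.B.C.D -> unsigned 32-bit value
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of IP NETMASK -> network address of that subnet
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# broadcast_of IP NETMASK -> directed broadcast address of that subnet
broadcast_of() {
    ip=$(ip_to_int "$1")
    mask=$(ip_to_int "$2")
    int_to_ip $(( ip | (~mask & 0xFFFFFFFF) ))
}

# is_local_broadcast DST IP NETMASK -> succeeds when DST is our subnet's directed
# broadcast or the limited broadcast 255.255.255.255, i.e. a packet the
# "block external broadcasts" rule must not drop if nmblookup is to work
is_local_broadcast() {
    [ "$1" = "255.255.255.255" ] || [ "$1" = "$(broadcast_of "$2" "$3")" ]
}

# broadcast_rules IF IP NETMASK -> prints iptables commands (an illustration,
# not Firestarter's own rules): accept the local subnet's broadcasts, drop any
# other broadcast arriving on IF
broadcast_rules() {
    bcast=$(broadcast_of "$2" "$3")
    echo "iptables -A INPUT -i $1 -d $bcast -j ACCEPT"
    echo "iptables -A INPUT -i $1 -d 255.255.255.255 -j ACCEPT"
    echo "iptables -A INPUT -i $1 -m addrtype --dst-type BROADCAST -j DROP"
}

# Constructed sample: a single-interface host behind a home router.
SAMPLE_IF=eth0
SAMPLE_IP=192.168.1.10
SAMPLE_MASK=255.255.255.0

if [ "${1:-}" = "--show" ]; then
    echo "network   $(network_of "$SAMPLE_IP" "$SAMPLE_MASK")"
    echo "broadcast $(broadcast_of "$SAMPLE_IP" "$SAMPLE_MASK")"
    broadcast_rules "$SAMPLE_IF" "$SAMPLE_IP" "$SAMPLE_MASK"
fi
```

Check the computed value against what the kernel believes before trusting it: `ip -4 addr show dev eth0` prints the `brd` address next to the interface address. The ACCEPT lines could be narrowed to `-p udp --dport 137:138` if only NetBIOS name service needs to get through.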
Firestarter Blocks NetBIOS broadcasts on local LAN
With the default setting of "Block broadcasts from external network", machines on the local net (using SAMBA) never get NetBIOS broadcasts answered for the local network, so the other machines and even the Linux machine itself cannot find the Linux host. On Linux nmblookup fails to find itself.

I've run Ethereal and seen that the broadcasts are for an INTERNAL network, so it would seem that either the doc or the code is wrong.

I've seen this problem reported before but there was no real fix to the problem, other than unchecking the blocks from external network, and that is dangerous.

Please help, thanks.
Re: Firestarter not starting
Thank you for your very helpful and informative response, Ken. As you can see from my cross posting, I have now worked most of it out. The upshot is that my firewall is and has been operating fine and it starts from ip-up. I have now got rid of the irritation of the error message on boot.

What I now realise I am after is just an applet that produces a reassuring icon in the system tray that shows the state of the firewall. I do not need the Firestarter GUI to be running if there is any other way of doing this. In the mean time, when I get round to it (it won't be for a week or so now) I will try to get the GUI running minimised as you suggest. I am a bit (not much) concerned about the compromise in security that is mentioned.

John Talbut
Re: Firestarter not starting
Well, of course, Firestarter is not the firewall, iptables is. I do not see how to check whether iptables is running - maybe it runs all the time as much of it is in the kernel and running Firestarter merely updates the configuration. However, it can clearly be in a stopped condition.

Anyway, as I wrote, the boot sequence ran /etc/init.d/firestarter. This in turn ran /etc/firestarter/firestarter.sh. This, I have discovered, bombed out at line 33 with "External network device $IF is not ready. Aborting.." Apparently before it does much at all. So there does not seem to be any point in having it run on boot and I have removed it from the sequence using sysv-rc-conf. That gets rid of the failure message on start up and Firestarter starts as before using the GUI interface, which needs the root password to start it.

It seems that there is a bug in the configuration that includes Firestarter in the boot sequence even though it is configured to start on dialup.

Now, how to get the ifup script to start Firestarter automatically.

John Talbut
Re: Firestarter not starting
On Mon, May 22, 2006 at 09:50:01PM +0100, John Talbut wrote:
> Thanks for the further ideas, Ken.
>
> Firestarter certainly does not seem to be starting on bootup. Using ps
> as root gives no entries for Firestarter after booting, whereas it does
> once I get Firestarter to start.
>

That doesn't mean that the firewall isn't running. Firestarter is just a front-end for iptables as you probably already know. "Firestarter" will only show up in ps output if the firestarter gui is running. To see if it has configured iptables for you use iptables -L to list all the current chains.

Maybe an example will help.. I have two user accounts on my machine - one for myself and one for my wife. Only for my own account do I have firestarter the gui set to start on login and only when I am logged in does firestarter show up in ps output. The firewall (iptables) is continuing to run when I log out though and this can be confirmed by logging in with my wife's account and running "iptables -L" in an xterm as root. It shows all the chains that firestarter configured iptables to run. If my dhcp lease expires and dhclient obtains a new IP from my cable provider then the exit hook runs "sh /etc/init.d/firestarter start" which reconfigures iptables to my new IP address. This is transparent though. Running "/etc/init.d/firestarter status" will also tell you if firestarter the firewall (firestarter service) is running.

Put another way...

/etc/init.d/firestarter runs the firewall
/usr/sbin/firestarter runs the firestarter gui

> The boot script /etc/init.d/firestarter is:
>

What I was interested in was the script that you said existed in /etc/ppp/ip-up.d

You should get a failure notice at bootup since your ppp link is not up. I believe it can be safely ignored. What you need is a script in /etc/ppp/ip-up.d which reruns /etc/init.d/firestarter when you bring up your ppp link. This however will not get you the gui portion of firestarter or make firestarter show up in ps output but it does start the firewall itself. To get the gui firestarter program to come up /usr/sbin/firestarter has to be run with root privileges. When you type this in manually in a console you get the firestarter gui program to come up as it should. To avoid having to do that each time configure sudo and your gnome session manager according to the directions listed at http://www.fs-security.com/docs/faq.php#trayicon

> Running /usr/sbin/firestarter as root does start Firestarter.

As it should. Run it and make sure it is configured to "start/restart firewall on dialout". This is under Preferences>Firewall in the gui program.

> starting at /etc/firestarter/firestarter.sh do not.

No it won't if ppp0 isn't up yet. That's why the little script in /etc/ppp/ip-up.d is necessary.

To test the whole thing out:

1) Bring up ppp0 using whatever dialer program you use in Gnome

2) In a terminal as root run "/etc/init.d/firestarter status" to see if the firewall service is running. You may need to wait a few seconds after your ppp link is established before you do this. If it is running you will get "Firestarter is running..." as your output. You will NOT see firestarter in ps output though at this point and will not have the firestarter gui either. If you get a message other than "Firestarter is running..." then the script in /etc/ppp/ip-up.d is not working or not installed yet.

3) In a terminal as root run "/usr/sbin/firestarter" to bring up the firestarter gui. Once the firestarter gui is running then firestarter will appear in ps output. Use the firestarter gui to configure firestarter to restart on dial-out but not to restart on program (gui) startup. These options can be found by clicking on the Preferences button, choosing "firewall" on the list on the left pane and ticking the appropriate boxes. If these options are not set correctly then Firestarter the firewall will not restart each time you dial-out.

If all that works then all you need to do is configure sudo and the gnome session manager like I described above. That will automate having the firestarter gui started on login minimized to the system tray.

Again, I hope I'm not telling you things you already know/tried. The important point to take away is that Firestarter the gui program and the firestarter (iptables) firewall are two separate entities. Only the gui shows up in ps output as firestarter. The gui is just a configuration and monitoring tool for the firestarter firewall (service) itself.

--
Ken Wahl
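Ken's procedure hinges on a small script in /etc/ppp/ip-up.d that re-runs /etc/init.d/firestarter once the PPP link is up, so the iptables rules get rebuilt against the address the link was given. The hook below is an added example, not Ken's script and not one shipped by the firestarter package. pppd invokes ip-up.d scripts with the arguments `interface-name tty speed local-IP remote-IP ipparam`; the hook only restarts the firewall when the interface that just came up is the one Firestarter treats as external. That it reads the external interface from an `IF=` line in /etc/firestarter/configuration is an assumption about that file's format (it matches the `$IF` variable John saw firestarter.sh abort on); the init script's `start` and `status` actions are the ones the thread uses. FS_CONF and FS_INIT are overridable only so the logic can be exercised outside /etc.

```shell
#!/bin/sh
# Added example, not Ken's script and not part of the firestarter package:
# /etc/ppp/ip-up.d hook that rebuilds the Firestarter firewall when the PPP
# link that Firestarter treats as external comes up.
#
# pppd calls this as: ip-up IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
# Assumption: /etc/firestarter/configuration carries the external interface
# as a line of the form IF=ppp0.

FS_CONF=${FS_CONF:-/etc/firestarter/configuration}
FS_INIT=${FS_INIT:-/etc/init.d/firestarter}

# external_if FILE -> value of the first IF= line, with any quotes stripped
external_if() {
    sed -n 's/^IF=//p' "$1" | head -n 1 | tr -d '"'
}

# should_restart LINK_IF EXTERNAL_IF -> succeeds only when the link that came
# up is the firewall's external interface, so an unrelated PPP link (a second
# modem, a VPN) does not tear the rules down and rebuild them
should_restart() {
    [ -n "$2" ] && [ "$1" = "$2" ]
}

# main IFNAME ... -> restart the firewall and report its status via syslog
main() {
    link_if=$1
    ext_if=$(external_if "$FS_CONF")
    if should_restart "$link_if" "$ext_if"; then
        logger -t firestarter-ipup "$link_if up, restarting firewall"
        "$FS_INIT" start
        "$FS_INIT" status | logger -t firestarter-ipup
    else
        logger -t firestarter-ipup "$link_if up, external interface is '${ext_if:-unset}', nothing to do"
    fi
}

# pppd always passes arguments; with none, only the functions are defined.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Install it as /etc/ppp/ip-up.d/firestarter (no extension, since run-parts skips names containing dots) and `chmod 755` it. After the next dial-out, `iptables -L -n -v` as root should show the chains Firestarter builds, with counters climbing, and `/etc/init.d/firestarter status` should report that it is running, without the GUI being anywhere in ps output.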