Re: [expert] Firewall questions
On Thursday 30 Oct 2003 12:21 pm, Bryan Phinney wrote:
>
> > The problem for me is that the hardware router does not allow
> > GnomeMeeting to have a range of ports open (it uses h.323
> > tunneling), so I'm thinking that I will need, eventually, to set
> > my box dmz and rely on the software one, suitably configured. I
> > am quite prepared to make the switch to dmz for the duration of a
> > session (it won't be too frequent), but I want the second layer
> > in first. Consequently, I can use dmz to test the rules, going
> > back behind the hardware f/w as necessary.
>
> What kind do you have? You should be able to open up an entire
> range, as small or large as you want and configure GnomeMeeting to
> simply confine to that range. I have a range open for passive ftp
> and it appears to work fine.
>
SMC/7401BRA

We chose that one, knowing nothing about routers, because at least the manufacturer put the manual on the website, and it looked reasonable. I've regretted it a bit, but that's hindsight. You can open around 10 ports (total of tcp and udp), but no ranges.

Anne
--
Registered Linux User No.293302
Have you visited http://twiki.mdklinuxfaq.org yet?

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
RE: [expert] Firewall questions
>-Original Message-
>From: Anne Wilson [mailto:[EMAIL PROTECTED]
>Sent: Thursday, October 30, 2003 5:37 AM
>To: [EMAIL PROTECTED]
>Subject: [expert] Firewall questions
>
>Currently I rely on a hardware firewall, but I would like to add a
>personal software firewall. I know that I will need a slice of time
>to do sufficient reading to get the configuration right, so I thought
>that I would browse using Webmin to see what I needed to know,
>particularly since I don't want to affect the lan.
>
>Unfortunately, though logically, you can't do that until you have
>installed iptables. I see, though, that it offers configuration for
>Linux Firewall and Shorewall. If I install iptables and/or shorewall
>do they come with completely hashed out configuration files, or am I
>immediately committed to sorting it?
>
>Anne
>--

If you're looking for ease of use, Shorewall should do. It can be quickly enabled in MCC>Security>DrakFirewall. It uses iptables as the underlying filter, but configuration is much simpler IMHO. Then again, if you have the time and ambition to learn iptables, that's always a handy skill to have!
Re: [expert] Firewall questions
On Thursday 30 October 2003 07:01 am, Anne Wilson wrote:
> So installing iptables will have no 'built-in' rules? That's what I
> want, so that I can build it up a little at a time.

Yes, that is the way that I am running it, to supplement the hardware router, because hardware routers are not really suitable for filtering as opposed to blocking.

> The problem for me is that the hardware router does not allow
> GnomeMeeting to have a range of ports open (it uses h.323 tunneling),
> so I'm thinking that I will need, eventually, to set my box dmz and
> rely on the software one, suitably configured. I am quite prepared
> to make the switch to dmz for the duration of a session (it won't be
> too frequent), but I want the second layer in first. Consequently, I
> can use dmz to test the rules, going back behind the hardware f/w as
> necessary.

What kind do you have? You should be able to open up an entire range, as small or large as you want, and configure GnomeMeeting to simply confine to that range. I have a range open for passive ftp and it appears to work fine.

> My experience with using it to set up samba does not encourage me to
> do it that way, but I thought that browsing the interface might give
> me a better idea of the questions I need answering before actually
> doing any configuration.

As your rules get extended, Webmin will eventually break down and time out trying to display them all. At least, it does in my case, so I simply keep a bash script to issue the commands and periodically update and rerun the script to repopulate changes to my firewall.

--
Bryan Phinney
Software Test Engineer
Re: [expert] Firewall questions
On Thursday 30 Oct 2003 11:03 am, J.C. Woods wrote:
>
> Just install iptables, and start "rolling your own" rules. There
> are loads of sites that document how to.

So installing iptables will have no 'built-in' rules? That's what I want, so that I can build it up a little at a time.

> You could start off by
> just replacing one rule at a time from your external router. For
> example, let's say your hardware does not allow any ping responses.
> So you write your first rule with iptables to disallow any ping
> responses, and turn that feature off on the router, so on and so
> forth until you feel good about your firewall rules, and have a
> better understanding of what is going on.
>
The problem for me is that the hardware router does not allow GnomeMeeting to have a range of ports open (it uses h.323 tunneling), so I'm thinking that I will need, eventually, to set my box dmz and rely on the software one, suitably configured. I am quite prepared to make the switch to dmz for the duration of a session (it won't be too frequent), but I want the second layer in first. Consequently, I can use dmz to test the rules, going back behind the hardware f/w as necessary.

> And you could do this a little at a time, as you learn new
> rules.
>
> Because I have always written my own rules, since the days of
> ipchains, I do not know too much about Shorewall, and I would never
> trust Webmin to handle a vital function like firewalls. Just my two
> cents worth...
>
My experience with using it to set up samba does not encourage me to do it that way, but I thought that browsing the interface might give me a better idea of the questions I need answering before actually doing any configuration.

Thanks for the input

Anne
--
Registered Linux User No.293302
Have you visited http://twiki.mdklinuxfaq.org yet?
Re: [expert] Firewall questions
Anne Wilson wrote:
> Currently I rely on a hardware firewall, but I would like to add a
> personal software firewall. I know that I will need a slice of time
> to do sufficient reading to get the configuration right, so I thought
> that I would browse using Webmin to see what I needed to know,
> particularly since I don't want to affect the lan.
>
> Unfortunately, though logically, you can't do that until you have
> installed iptables. I see, though, that it offers configuration for
> Linux Firewall and Shorewall. If I install iptables and/or shorewall
> do they come with completely hashed out configuration files, or am I
> immediately committed to sorting it?
>
> Anne

Just install iptables, and start "rolling your own" rules. There are loads of sites that document how to. You could start off by just replacing one rule at a time from your external router. For example, let's say your hardware does not allow any ping responses. So you write your first rule with iptables to disallow any ping responses, and turn that feature off on the router, so on and so forth until you feel good about your firewall rules, and have a better understanding of what is going on. And you could do this a little at a time, as you learn new rules.

Because I have always written my own rules, since the days of ipchains, I do not know too much about Shorewall, and I would never trust Webmin to handle a vital function like firewalls. Just my two cents worth...

drjung
--
J. Craig Woods
UNIX Network/System Engineer
http://www.trismegistus.net/resume.htm
Let him that would move the world, first move himself. --Socrates
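The two pieces of advice in this thread, J.C. Woods's "replace one router rule at a time, starting with the ping block" and Bryan Phinney's "open a range, confine GnomeMeeting to it, and keep the rules in a bash script you rerun", as one added example. This script is not from the thread or from any of the posters. It assumes eth0 is the interface facing the router, eth1 the LAN side on 192.168.1.0/24, and that GnomeMeeting has been set to use TCP 30000-30010 for H.245 and UDP 5000-5013 for RTP/RTCP; those ranges are placeholders, take the real ones from GnomeMeeting's preferences. Run with no arguments it only prints the rules it would install; run as root with `apply` it installs them.

```shell
#!/bin/sh
# Added example, not code from the thread. Hand-rolled iptables rules that
# take over from the hardware router one step at a time, kept in a script
# that can be rerun to repopulate the firewall after every change.
#
#   sh firewall.sh          print the rules that would be installed (dry run)
#   sh firewall.sh apply    install them (run as root)
#
# Assumptions (placeholders, override them via the environment):
IPT="${IPT:-iptables}"               # set IPT=echo for a dry run
WAN_IF="${WAN_IF:-eth0}"             # interface towards the router/internet
LAN_IF="${LAN_IF:-eth1}"             # interface towards the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}" # the LAN that must not be affected
H245_TCP="${H245_TCP:-30000:30010}"  # TCP range GnomeMeeting is confined to
RTP_UDP="${RTP_UDP:-5000:5013}"      # UDP range GnomeMeeting is confined to

# Start from empty chains and a default DROP on INPUT so that rerunning the
# script repopulates the rules instead of stacking duplicates.
fw_flush() {
    "$IPT" -F
    "$IPT" -X
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
}

# Baseline: loopback, the LAN side left alone, and replies to connections
# this box opened itself.
fw_base() {
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m state --state INVALID -j DROP
}

# Step 1, the first rule moved off the router: refuse ping from outside.
# Once this is in, switch the router's own ping block off and check that
# the box still does not answer.
fw_ping() {
    "$IPT" -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
}

# Step 2, what the SMC router could not express: contiguous port ranges.
# H.323 call setup arrives on TCP 1720; H.245 and the media streams land
# in the ranges GnomeMeeting was told to use.
fw_gnomemeeting() {
    "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport 1720 -j ACCEPT
    "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport "$H245_TCP" -j ACCEPT
    "$IPT" -A INPUT -i "$WAN_IF" -p udp --dport "$RTP_UDP" -j ACCEPT
}

# Log what the default policy is about to drop, rate-limited so that a
# port scan cannot fill the log.
fw_log_drop() {
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

fw_all() {
    fw_flush
    fw_base
    fw_ping
    fw_gnomemeeting
    fw_log_drop
}

# Dry run: the same functions with echo standing in for iptables.
fw_dry_run() {
    ( IPT=echo; fw_all )
}

# Number of -A rules the script installs; a quick sanity check after edits.
fw_count() {
    fw_dry_run | grep -c -e '^-A '
}

case "${1:-}" in
    apply) fw_all ;;
    *)     fw_dry_run ;;
esac
```

Each step is a function so it can be added, tested from outside the router (ping, then an H.323 call) while the router's matching block is still on, and only then have the router's block removed, which is the one-rule-at-a-time approach in a form that survives a reboot and a Webmin timeout.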