Hi Florin, Here's a sitrep of my testing with the Alpha ISO of MNF. I've mostly just done the basics, and should have time to go into more depth in the next few weeks.
I refer to the web-based interface as NAAT.

Installation Specifics
---------------------
VMWare environment with 3 NICs (for LAN (eth1), DMZ (eth2), and WAN (eth0))

Settings During Install:
* LAN card set to DHCP
* DMZ card set to static IP address (192.168.144.2/24)
* WAN card not set up (to be set up in NAAT)
* Hostname set to mnf
* Everything else using defaults

Issues
-----------------
* Had to stop Shorewall to access the initial MNF Admin web page, as the initial Shorewall setup doesn't include a rule to allow access to port 8443 by default. The rule was added automatically after the initial NAAT setup "Apply" (since it is included in the Firewall -> Rules section). Not a big deal, but also not very newbie-friendly.
* System Setup -> Discover Network Settings detected network cards and corresponding IP addresses/boot protocol OK, and set up eth0 as Admin Interface. Out of curiosity, what are the criteria that NAAT uses for initially choosing the admin interface? Is it just the first interface listed or something more special? And does the "admin interface" setting even have any significance? I don't seem to have found anywhere that it would be referenced.
* NAAT does not preserve the MII_NOT_SUPPORTED setting in the ifcfg-ethX scripts. Normally not a big deal, but this is required to be there for my VMWare virtual NICs and some older NICs that don't support heartbeat detection.
* In NAAT under "Internet Access", the Remote Test Host function seems to be broken. You can't change it from the default of loopback (and it reports the loopback interface as being down, incidentally).

-----------------
Likes
*NOTE: These are likes that only apply to things I noticed new in this one as opposed to the June-ish RPMS. I have a lot more Likes :)
-----------------
+ Very good selection of default rules. Allows a newbie to get a firewall up and running and still have most of the basic internet functions from the very start.
+ "Response File" Style-Installer very fast. I was up and running in under 3 minutes. Can't wait to see a polished installer! :)
+ Rearranging existing rules no longer overwrites the rule that a rule is moved to. That was so incredibly annoying! :)
+ Lots of new VPN options to play with. More details as I get to fiddling with 'em.

-----------------
Dislikes
-----------------
- Unable to choose a public update mirror (e.g. mirrors.usc.edu) in NAAT's "Software Update" section. This is just a long-standing gripe and is easy to do by just adding the update media to urpmi on the command line, but that's not very intuitive for the CLI-phobic.

-----------------
Wish List
-----------------
* NAAT would autodetect the "Internet Access" interface based on the default gateway (and use current behavior if none found).
* NAAT would store configurations into CVS/SVN instead of just rolling files. Integrating a web-based CVSView would make it really easy to track changes to the firewall for change management/security/auditing purposes.
* Zebra or Quagga (Zebra fork that is more active) at least included as an optional service, and optimally some basic configuration options via NAAT (low priority on the NAAT configuration though, that's just feature creep). It is easy to get Quagga working using URPMI, but that requires setting up additional installation mirrors/etc. and really slows down the deployment time. Dynamic routing protocols are a must in most places I place these firewalls, so having it "out-of-the-box" would be really nice.

----------------------------------------------------------------------
So far, very cool Florin! This is a very feature-packed firewall that meets lots of needs I've had that IPCop and Smoothwall don't, with the added benefit of being able to run on any x86 hardware (as opposed to expensive appliances like Cisco PIX and Checkpoint-1). Keep up the good work!
______________________________
Justin Grote
Network Architect, CCNA
The Whistlepunk
Email: [EMAIL PROTECTED] (remove nospam-)
SMS: [EMAIL PROTECTED] (remove nospam-)
Phone: (208) 631-5440
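An added illustration (not part of Justin's message or the MNF project's own configuration) of the Shorewall rule the first "Issues" item is missing: a single entry that lets LAN hosts reach the admin page on tcp/8443 without stopping Shorewall, which drops all filtering. The file path /etc/shorewall/rules, the LAN zone name loc and the firewall zone reference $FW are assumptions about the default Shorewall layout.

```text
# Assumed file: /etc/shorewall/rules (Shorewall's default zone names are assumed:
# "loc" for the LAN and $FW for the firewall host itself).
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
# Let only LAN hosts open the NAAT admin page served by the firewall on tcp/8443.
ACCEPT    loc      $FW    tcp     8443
# No matching rule for the WAN zone, so 8443 from the Internet stays under the
# default net->fw policy rather than being exposed while the UI is first set up.
```

Run `shorewall check` to validate the file and then `shorewall restart` to apply it; this is the narrower alternative to `shorewall stop` for reaching the initial admin page.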