Justin Grote <[EMAIL PROTECTED]> writes:

> Hi Florin,

Hi,

I have just come back from a two-week vacation and will have a closer look at your questions/comments starting from tomorrow. I will come back to you with answers and solutions. Please don't hesitate to send me your comments and ideas in order to improve MNF.

Sincerely,

> Here's a sitrep of my testing with the Alpha ISO of MNF. I've mostly just done the
> basics, and should have time to go into more depth in the next few weeks.
>
> I refer to the web-based interface as NAAT.
>
>
> Installation Specifics
> ---------------------
> VMWare environment with 3 NICs (for LAN (eth1), DMZ (eth2), and WAN (eth0))
>
> Settings During Install:
> * LAN card set to DHCP
> * DMZ card set to static IP address (192.168.144.2/24)
> * WAN card not set up (to be set up in NAAT)
> * Hostname set to mnf
> * Everything else using defaults
>
> Issues
> -----------------
>
> * Had to stop Shorewall to access the initial MNF Admin web page, as the initial
> shorewall setup doesn't include a rule to allow access to port 8443 by default. The
> rule was added automatically after the initial NAAT setup "Apply" (since it is
> included in the Firewall -> Rules section). Not a big deal, but also not very
> newbie-friendly.
>
> * System Setup -> Discover Network Settings detected network cards and corresponding
> IP addresses/boot protocol OK, and set up eth0 as Admin Interface. Out of
> curiosity, what are the criteria that NAAT uses for initially choosing the admin
> interface? Is it just the first interface listed or something more special? And does
> the "admin interface" setting even have any significance? I don't seem to have
> found anywhere that it would be referenced.
>
> * NAAT does not preserve the MII_NOT_SUPPORTED setting in the ifcfg-ethX scripts.
> Normally not a big deal, but this is required to be there for my VMWare virtual NICs
> and some older NICs that don't support heartbeat detection.
>
> * In NAAT under "Internet Access", the Remote Test Host function seems to be broken.
> You can't change it from the default of loopback (and it reports the loopback
> interface as being down, incidentally).
>
>
> -----------------
> Likes
> *NOTE: These are likes that only apply to things I noticed new in this one as
> opposed to the June-ish RPMS. I have a lot more Likes :)
> -----------------
>
> + Very good selection of default rules. Allows a newbie to get a firewall up and
> running and still have most of the basic internet functions from the very start.
>
> + "Response File" style installer very fast. I was up and running in under 3
> minutes. Can't wait to see a polished installer! :)
>
> + Rearranging existing rules no longer overwrites the rule that a rule is moved to.
> That was so incredibly annoying! :)
>
> + Lots of new VPN options to play with. More details as I get to fiddling with 'em.
>
>
>
> -----------------
> Dislikes
> -----------------
>
> - Unable to choose a public update mirror (ex. mirrors.usc.edu) in NAAT's "Software
> Update" section. This is just a long-standing gripe and is easy to do by just adding
> the update media to urpmi on the command line, but that's not very intuitive for the
> CLI-phobic.
>
>
> -----------------
> Wish List
> -----------------
> * NAAT would autodetect the "Internet Access" interface based on the default gateway (and
> use current behavior if none found).
>
> * NAAT would store configurations into CVS/SVN instead of just rolling files.
> Integrating a web-based CVSView would make it really easy to track changes to the
> firewall for change management/security/auditing purposes.
>
> * Zebra or Quagga (Zebra fork that is more active) at least included as an optional
> service, and optimally some basic configuration options via NAAT (low priority on
> the NAAT configuration though, that's just feature creep). It is easy to get Quagga
> working using URPMI, but that requires setting up additional installation
> mirrors/etc. and really slows down the deployment time. Dynamic routing protocols
> are a must in most places I place these firewalls, so having it "out-of-the-box"
> would be really nice.
>
> ----------------------------------------------------------------------
>
> So far, very cool Florin! This is a very feature-packed firewall that meets lots of
> needs I've had that IPCop and Smoothwall don't, with the added benefit of being able
> to run on any x86 hardware (as opposed to expensive appliances like Cisco PIX and
> Checkpoint-1).
>
> Keep up the good work!
>
> ______________________________
> Justin Grote
> Network Architect, CCNA
> The Whistlepunk
> Email: [EMAIL PROTECTED] (remove nospam-)
> SMS: [EMAIL PROTECTED] (remove nospam-)
> Phone: (208) 631-5440
>

--
Florin
http://www.mandrakesoft.com
http://people.mandrakesoft.com/~florin/
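Two of the issues in the report above (the initial Shorewall ruleset not admitting the admin web interface on port 8443, and NAAT dropping MII_NOT_SUPPORTED from the ifcfg-ethX scripts after "Apply") are the kind of thing one wants to verify after every configuration push rather than discover when the box goes unreachable. The following script is an added example, not part of the thread and not MNF or NAAT code. It assumes the standard Shorewall `rules` file columns (ACTION SOURCE DEST PROTO DEST PORT) with `loc` as the LAN zone and `$FW` as the firewall itself, and Mandrake-style `ifcfg-ethX` files under a network-scripts directory; the sample files it checks are constructed inline so it runs offline.

```shell
#!/bin/sh
# Post-"Apply" sanity check (added example, not part of MNF/NAAT):
#  (a) the Shorewall rules file must ACCEPT tcp/8443 from the LAN zone (loc) to $FW,
#      otherwise the admin web interface is unreachable without stopping Shorewall;
#  (b) every interface that needs it must still carry MII_NOT_SUPPORTED=yes in its
#      ifcfg-ethX script, or link detection breaks on NICs without MII support.
# File layouts are assumptions modelled on Shorewall and Mandrake conventions.

# Return 0 if RULES_FILE has "ACCEPT <SRC_ZONE> $FW tcp <PORT>"; comments are skipped.
shorewall_allows_port() {
    rules_file="$1"; src_zone="$2"; port="$3"
    grep -v '^[[:space:]]*#' "$rules_file" \
      | awk -v z="$src_zone" -v p="$port" \
          '$1=="ACCEPT" && $2==z && $3=="$FW" && $4=="tcp" && $5==p {found=1} END {exit !found}'
}

# Return 0 if the ifcfg script for IFACE still contains MII_NOT_SUPPORTED=yes.
ifcfg_keeps_mii_flag() {
    scripts_dir="$1"; iface="$2"
    grep -q '^MII_NOT_SUPPORTED=yes$' "$scripts_dir/ifcfg-$iface"
}

# Run both checks; print one line per check, return 0 only if all pass.
check_mnf_config() {
    rules_file="$1"; scripts_dir="$2"; shift 2
    status=0
    if shorewall_allows_port "$rules_file" loc 8443; then
        echo "ok   admin port 8443 reachable from loc"
    else
        echo "FAIL no ACCEPT rule for tcp/8443 from loc to \$FW in $rules_file"; status=1
    fi
    for iface in "$@"; do
        if ifcfg_keeps_mii_flag "$scripts_dir" "$iface"; then
            echo "ok   $iface keeps MII_NOT_SUPPORTED=yes"
        else
            echo "FAIL $iface lost MII_NOT_SUPPORTED=yes"; status=1
        fi
    done
    return $status
}

# Constructed sample files standing in for /etc/shorewall/rules and
# /etc/sysconfig/network-scripts. eth2 deliberately lacks the MII flag, which is
# the failure mode described in the report.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/rules" <<'EOF'
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   loc     $FW   tcp    22
ACCEPT   loc     $FW   tcp    8443
ACCEPT   net     $FW   tcp    80
EOF
mkdir -p "$SAMPLE_DIR/network-scripts"
printf 'DEVICE=eth1\nBOOTPROTO=dhcp\nMII_NOT_SUPPORTED=yes\n' \
    > "$SAMPLE_DIR/network-scripts/ifcfg-eth1"
printf 'DEVICE=eth2\nBOOTPROTO=static\nIPADDR=192.168.144.2\n' \
    > "$SAMPLE_DIR/network-scripts/ifcfg-eth2"

if check_mnf_config "$SAMPLE_DIR/rules" "$SAMPLE_DIR/network-scripts" eth1 eth2; then
    echo "all checks passed"
else
    echo "some checks failed; fix before relying on the firewall"
fi
```

On a real MNF host the two paths would be /etc/shorewall/rules and /etc/sysconfig/network-scripts, and the interface list would be whichever NICs need the flag (in the report, the VMware virtual NICs). Note that the 8443 check deliberately looks for `loc` as the source zone: admitting the admin interface from `net` would expose the management plane to the WAN, which is not what the report asks for.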
