Hi Bret, sorry for the late response.
Bret Baptist <[EMAIL PROTECTED]> writes:

> Here are some of the results of the testing I have done on MNF2. These are
> all tested against Florin's latest packages dated Jan 04 2005.
>
> You should not be able to specify a port number when selecting 'all' for a
> Protocol under Firewall --> Rules --> Add Rule. Shorewall will not start, it
> says "Error: Port number not allowed with protocol "all"; rule: "ACCEPT lan
> vpn all 0:65535 - -""

unfortunately it's a bit complicated to test that with the actual design ...

> When you add a host to the Firewall --> Zones Interfaces --> Hosts
> Configuration section there are a bunch of options available to select, ie
> routeback, maclist, ... When you edit a host in the same section you are
> only able to select routestopped as an option, which is not even an option
> when adding a new Host.

this should be ok now

> When you add a host to the Firewall --> Zones Interfaces --> Hosts
> Configuration section it says that you can select '+' for the interface to
> not associate a particular interface to a zone, but shorewall doesn't like
> this at all, it says "Error: Unknown interface (+) in record "vpn +:0.0.0.0/0
> ""

I have removed that ... I don't even remember putting it there ... I'm getting old ;o)

> You can only select a log level of "info" for rules now, is this intentional?

you would like to have all the syslog levels? I thought info is enough for shorewall ...

> When watching the firewall boot I noticed that the network interfaces are
> brought up and then shorewall is started, should this order be reversed? Or
> is this a limitation of shorewall?

yes, we have noticed that if the interface is not up then shorewall fails ...

> Why is samba-server a requirement for the mnf-en virtual package? Do we
> *need* samba server to run the firewall?

no, we don't really need that ... except if one enables the WINS part for pptp.

> With a fresh default install of MNF2 I get these errors in my syslog,
> "postfix/postdrop[6094]: warning: unable to look up public/pickup: No such
> file or directory".

I'll check that next week when I'll test new installs ..

> When you add an ipsec tunnel in the Firewall --> Tunnels/Netmap section, it
> creates rules that require the source port to be 500. On some clients this
> is not always the case, for example the SmartNet brand IPSEC clients do not
> connect with a source port of 500. Could we remove the spt=500 part of the
> rule?

this comes from the shorewall internals ... simply use generic:udp:444 instead, for example, if you want ...

> Not bugs, but ideas:
> Is there any way to have the web interface display the Warnings and Errors
> from the shorewall check we do after you hit Apply? For example when adding a
> rule that has 'all' for the Protocol, shorewall warns you that this is
> really a Policy and should be in the policy file instead, handy info to be
> displayed in the web interface. It would also be very nice to have it
> display the Error so you know what you did wrong without having to go to
> Services --> Summary --> shorewall --> Details.

too complicated to do at this stage ... but a very good idea ... (I have already given some thought to this and probably change the limited architecture for the next mnf)

> Would it be possible to have a summary screen when you edit something that
> says, here is your previous configuration line, and here is what you are
> changing that configuration to. This way when you make changes you can see
> clearly what changes are being made.

same comment as above ... I already have plans to do that for the next release.

thank you for your email ... and please don't hesitate if you have more comments, ideas ...

sincerely,
- Florin
http://www.mandrakesoft.com
http://people.mandrakesoft.com/~florin/
