On Friday 07 January 2005 9:40 am, Florin wrote:
> Hi Bret,
>
> sorry for the late response.
>
No problems, thank you for looking into this.

> Bret Baptist <[EMAIL PROTECTED]> writes:
> >
> > Here are some of the results of the testing I have done on MNF2. These
> > are all tested against Florin's latest packages dated Jan 04 2005.
> >
> > You should not be able to specify a port number when selecting 'all' for
> > a Protocol under Firewall --> Rules --> Add Rule. Shorewall will not
> > start, it says "Error: Port number not allowed with protocol "all"; rule:
> > "ACCEPT lan vpn all 0:65535 - -""
>
> unfortunately it's a bit complicated to test that with the actual design
> ...

Unfortunate, but as long as you keep an eye on things you should be ok.

> > When you add a host to the Firewall --> Zones Interfaces --> Hosts
> > Configuration section there are a bunch of options available to select,
> > ie routeback, maclist, ... When you edit a host in the same section you
> > are only able to select routestopped as an option, which is not even an
> > option when adding a new Host.
>
> this should be ok now
>

This has been corrected with the current rpms.

> > When you add a host to the Firewall --> Zones Interfaces --> Hosts
> > Configuration section it says that you can select '+' for the interface
> > to not associate a particular interface to a zone, but shorewall doesn't
> > like this at all, it says "Error: Unknown interface (+) in record "vpn
> > +:0.0.0.0/0 ""
>
> I have removed that ... I don't even remember putting it there ... I'm
> getting old ;o)
>

This looks good as well.

> > You can only select a log level of "info" for rules now, is this
> > intentional?
>
> you would like to have all the syslog levels ? I thought info is enough
> for shorewall ...
>

Yeah, thinking about it for firewall rules I am sure info should be enough.

> > When watching the firewall boot I noticed that the network interfaces are
> > brought up and then shorewall is started, should this order be reversed?
> > Or is this a limitation of shorewall?
>
> yes, we have noticed that if the interface is not up then shorewall fails
> ...
>

When the interface is brought up initially does it have the full IP address
and routes? Are there any firewall rules in place at all?

> > Why is samba-server a requirement for the mnf-en virtual package? Do we
> > *need* samba server to run the firewall?
>
> no, we don't really need that ... except if one enables the WINS part for
> pptp.
>

So this requirement will be dropped from the mnf-en virtual package then?

> > With a fresh default install of MNF2 I get these errors in my syslog,
> > "postfix/postdrop[6094]: warning: unable to look up public/pickup: No
> > such file or directory".
>
> I'll check that next week when I'll test new installs ..
>

OK, let me know when we have a new iso to install from and I will do testing
for you.

> > When you add an ipsec tunnel in the Firewall --> Tunnels/Netmap section,
> > it creates rules that require the source port to be 500. On some clients
> > this is not always the case, for example the SmartNet brand IPSEC clients
> > do not connect with a source port of 500. Could we remove the spt=500
> > part of the rule?
>
> this comes from the shorewall internals ... simply use generic:udp:444
> instead, for example, if you want ...
>

I am not sure what you are trying to say here. Would it be possible to change
the shorewall internals in this case? This is a pretty silly requirement that
doesn't take into account setting up an IPSEC tunnel with many Windows clients
out there.

> > Not bugs, but ideas:
> > Is there any way to have the web interface display the Warnings and Errors
> > from the shorewall check we do after you hit Apply? For example when
> > adding a rule that has 'all' for the Protocol, shorewall warns you that
> > this is really a Policy and should be in the policy file instead, handy
> > info to be displayed in the web interface.
> > It would also be very nice to
> > have it display the Error so you know what you did wrong without having
> > to go to Services --> Summary --> shorewall --> Details.
>
> too complicated to do at this stage ... but a very good idea ... (I have
> already given some thought to this and probably change the limited
> architecture for the next mnf)
>

Unfortunate, but you have to work within the framework available to you.

> > Would it be possible to have a summary screen when you edit something
> > that says, here is your previous configuration line, and here is what you
> > are changing that configuration to. This way when you make changes you
> > can see clearly what changes are being made.
>
> same comment as above ... I already have plans to do that for the next
> release.
>

Same comment as above. ;-)

> thank you for your email ... and please don't hesitate if you have more
> comments, ideas ...
>

I must say that with the current state of MNF2 everything appears to work
better than MNF ever did.

-- 
Bret Baptist
Systems and Technical Support Specialist
[EMAIL PROTECTED]
Internet Exposure, Inc.
http://www.iexposure.com

(612)676-1946 x17
Web Development-Web Marketing-ISP Services
------------------------------------------
Today is the tomorrow you worried about yesterday.
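
Added example, not part of this thread and not MNF or Shorewall code: a pre-apply check a front end could run to catch the two errors quoted above (ports given with protocol "all", and "+" used as a host interface) before Shorewall refuses to start. Column positions are taken from the records in those error messages; the function names and the sample lines marked "constructed" are assumptions.

```python
# Added example: lint Shorewall "rules" and "hosts" records for the two
# errors reported in the thread. Function names are hypothetical.

def lint_rule(line):
    """rules record: ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ..."""
    fields = line.split()
    if len(fields) < 4:
        return []  # no protocol column, nothing to check
    proto = fields[3].lower()
    # "-" means "not specified"; anything else in columns 5-6 is a port spec
    ports = [p for p in fields[4:6] if p != "-"]
    if proto == "all" and ports:
        return ['port %s given with protocol "all"' % ",".join(ports)]
    return []

def lint_host(line):
    """hosts record: ZONE INTERFACE:ADDRESS [OPTIONS]"""
    fields = line.split()
    if len(fields) < 2:
        return []
    iface = fields[1].split(":", 1)[0]
    if iface == "+":
        return ['"+" is not a usable interface name in a hosts record']
    return []

def lint(rules, hosts):
    """Return (file, line number, message) for every problem found."""
    findings = []
    for name, check, lines in (("rules", lint_rule, rules),
                               ("hosts", lint_host, hosts)):
        for number, raw in enumerate(lines, 1):
            record = raw.split("#", 1)[0].strip()  # drop comments
            for message in check(record):
                findings.append((name, number, message))
    return findings

SAMPLE_RULES = [
    "ACCEPT lan vpn all 0:65535 - -",  # record from the error in the thread
    "ACCEPT lan vpn all - -",          # constructed: no ports, passes
    "ACCEPT lan fw tcp 22 -",          # constructed: ports with tcp, passes
]
SAMPLE_HOSTS = [
    "vpn +:0.0.0.0/0",                 # record from the error in the thread
    "vpn eth1:192.168.2.0/24",         # constructed: named interface, passes
]

if __name__ == "__main__":
    for name, number, message in lint(SAMPLE_RULES, SAMPLE_HOSTS):
        print("%s line %d: %s" % (name, number, message))
```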
