Randy Welch <[EMAIL PROTECTED]> writes:
 
> Ok after updating to the latest cooker, I reinstalled my firewall with the
> latest and greatest and I was able to actually go through the
> configuration!  Yippee!
> 
> However I have a few comments about the new SNF...
> 1.  It would be nice when doing the setup it could fetch the time
> configuration and default route from the network config during setup.

Hello again,

for the time configuration, this is feasible.
I'm not sure about the default route configuration, though. 
Keep in mind that only the network configuration is updated (for the NIC
cards, not DSP, RNIS, modem, etc) 

Say you have an active internet connection with a default route set by
your ISP ... The update of such a default gateway will give strange
results for NIC cards if you're using another device for your internet
configuration ...

> 2.  When setting up the web proxy you are asked to select what you want
> for filtering ( DansGuardian or nothing ) however in order to set things
> up like time limits you really do have to select squidGuard  for at least
> banner filtering.  I do *like/want* the time restriction provision to be
> there by default.  (If one leaves DansGuard selected how do you configure
> it).

right enough ... you could check the latest packages at
people.mandrakesoft.com/~florin/www/rpms but indeed, I have some problems
with the dansguardian restart service. It simply doesn't want to restart
using a script and it does restart by hand ... I'll have a closer look on that.
 
> 3.  The configuration of the actual firewall is not geared towards your
> usual user.  I know mandrake prides themselves on the ease of use factor,
> which even applied to SNF.  You didn't need to be a network admin to
> setup.  The 8.2 one I think you do.

The latest version is using a DMZ so, it has to be more advanced in some
sort of way as you have much more configuration possibilities.

But you still can use the "Add simple rules" menu and use the predefined
list of services like in the old days (old version, sorry :o)

> It is neither intuitive nor easy.  The old 7.2 based SNF was fairly easy to
> configure for basic usage.  You could just select the services you wanted
> to use by selecting the services you wanted to go through all at once,
> instead of picking each service one at a time.
> 
> This needs work in order to appeal to linux newbies or those who really
> really don't want to be firewall gods.

any ideas are welcome ...

> 4.  With the configuration ( which I'm not sure I've done right.. ) the
> only way to surf the web is through squid. 

Oh no, when you activate squid, this will add the right rules (you can
verify that). If you only want to surf the web, you should eventually
masquerade your private network and authorize the http (or www)
traffic from lan to wan, add a new iptables rule that is.

It's normal and intuitive, I think.

> I can't talk to my caching
> name server and I get rejection packets when I try to access a web address
> via ip address. ( nothing in the log though...) 

same thing here, what caching name server are we talking about, the one
used by the firewall ? In that case, you should authorize the 53 port from 
lan to fw (yes add another rule) or should I add this automatically when 
activating the Caching name server maybe ?

One comment though:
The major difference between the old version and the new one is its
complexity in terms of the number of allowed servers, (DMZ, etc).
In the 7.2 version the adding rules were chewed so that anyone can use it
because there were only two sides (office and the internet). With the
latest version, you can have an unlimited number of zones ... so, in order
to make a service available (say a web server) you need two steps instead
of one: 
- activate a service in a zone, say an apache (web) server and then 
- add the right iptables rule to allow the corresponding traffic

cheers,
-- 
Florin                  http://www.mandrakesoft.com
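The rules the reply describes (masquerade the private network, authorize http from lan to wan, allow port 53 from lan to the firewall for the caching name server, and the two-step DMZ web server setup) can be written down as a small iptables script. This is an added example, not part of the original mail or of the SNF packages; interface names, the LAN network and the DMZ web server address are assumptions. By default it prints the rules instead of applying them, so they can be reviewed before being loaded on a real firewall.

```shell
#!/bin/sh
# Constructed example of the rule groups discussed in the thread.
# Interface names and addresses below are assumptions, not taken from SNF.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth2}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_WEB="${DMZ_WEB:-10.0.0.10}"

# Dry-run by default: rules are echoed, not applied.
# Run with IPT=iptables (as root) to actually load them.
IPT="${IPT:-echo iptables}"

snf_rules() {
    # Default deny on forwarded traffic; only explicitly authorized flows pass.
    $IPT -P FORWARD DROP
    # Let replies to connections the LAN initiated come back in.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade the private network behind the WAN address.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Authorize http from lan to wan (direct surfing, no squid needed).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Caching name server running on the firewall itself: port 53 from lan
    # to fw goes through the INPUT chain, not FORWARD.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT

    # Web server in the DMZ, the two steps from the mail: the service exists
    # in the DMZ zone (DNAT to it), then the matching traffic is allowed,
    # restricted to that one host and port so nothing else in the DMZ is exposed.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_WEB":80
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_WEB" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Quick sanity check for review: how many rules open traffic.
count_accept_rules() {
    snf_rules | grep -c -- '-j ACCEPT'
}

snf_rules
```

Keeping the DMZ forward rule bound to `-d "$DMZ_WEB" --dport 80` is the point of the second step: the DNAT alone would make the web server reachable, but the explicit FORWARD rule is what keeps the rest of the DMZ closed.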
