Florin wrote:
> Randy Welch <[EMAIL PROTECTED]> writes:
>
>
>>Ok after updating to the latest cooker, I reinstalled my firewall with the
>>latest and greatest and I was able to actually go through the
>>configuration! Yippee!
>>
>>However I have a few comments about the new SNF...
>>1. It would be nice when doing the setup it could fetch the time
>>configuration and default route from the network config during setup.
>>
>
> Hello again,
>
> for the time configuration, this is feasible.
> I'm not sure about the default route configuration, though.
> Keep in mind that only the network configuration is updated (for the NIC
> cards, not DSP, RNIS, modem, etc)
>
> Say you have an active internet connection with a default route set by
> your ISP ... The update of such a default gateway will give strange
> results for NIC cards if you're using another device for your internet
> configuration ...
>
True. I thought about that this morning and I agree with
you here.
>
>>2. When setting up the web proxy you are asked to select what you want
>>for filtering ( DansGuardian or nothing ) however in order to set things
>>up like time limits you really do have to select squidGuard for at least
>>banner filtering. I do *like/want* the time restriction provision to be
>>there by default. (If one leaves DansGuard selected how do you configure
>>it).
>>
>
> right enough ... you could check the latest packages at
> people.mandrakesoft.com/~florin/www/rpms but indeed, I have some problems
> with the dansguardian restart service. It simply doesn't want to restart
> using a script and it does restart by hand ... I'll have a closer look on that.
>
Does DansGuardian allow for time restrictions like
squidGuard? I don't want to lose that functionality.
>
>>3. The configuration of the actual firewall is not geared towards your
>>usual user. I know mandrake prides themselves on the ease of use factor,
>>which even applied to SNF. You didn't need to be a network admin to
>>setup. The 8.2 one I think you do.
>>
>
> The latest version is using a DMZ so, it has to be more advanced in some
> sort of way as you have much more configuration possibilities.
>
> But you still can use the "Add simple rules" menu and use the predefined
> list of services like in the old days (old version, sorry :o)
>
>
>>It is neither intuitive nor easy. The old 7.2 based SNF was fairly easy to
>>configure for basic usage. You could just select the services you wanted
>>to use by selecting the services you wanted to go through all at once,
>>instead of picking each service one at a time.
>>
>>This needs work in order to appeal to linux newbies or those who really
>>really don't want to be firewall gods.
>>
>
> any ideas are welcome ...
>
In the firewall section it would be nice to have a
easy/basic/quick setup that did the following:
1. Setup NAT
2. Perform necessary setup to allow the following services:
http/https/pop3/smtp/dns/squid ( maybe nntp/ftp/imap )
*without any further intervention from the user*.
I think with this you can give the new user up and going
without a user having to know a whole lot about the ins and
outs of firewalls. The whole firewall section could use
some really clear documentation while you are doing the
configuration so one can have a good idea as to what one is
supposed to do.
With what is currently in 8.2 I suspect you are closer to
SuSE's firewall product, read the quote from the UnixReview
article on firewalls about their product:
> The setup program is GUI-based, but you still need to understand how to
> configure a firewall. If you don't know a DMZ from an ACL,
> you'll be totally lost with this product....
I think the new SNF is going that way.
>
>>4. With the configuration ( which I'm not sure I've done right.. ) the
>>only way to surf the web is through squid.
>>
>
> Oh no. When you activate squid, this will add the right rules (you can
> verify that). If you only want to surf the web, you should eventually
> masquerade your private network and authorize the http (or www)
> traffic from lan to wan, add a new iptable rule that is.
>
> It's normal and intuitive, I think.
I'll have to think about that. I could not surf without
squid last night though.
>
>
>>I can't talk to my caching
>>name server and I get rejection packets when I try to access a web address
>>via ip address. ( nothing in the log though...)
>>
>
> same thing here, what caching name server are we talking about, the one
> used by the firewall ? In that case, you should authorize the 53 port from
> lan to fw (yes add another rule) or should I add this automatically when
> activating the Caching name server maybe ?
>
Yes it is the caching name server provided by the firewall.
I would recommend that you add the rule automatically
when activating the caching name server.
> One comment though:
> The major difference between the old version and the new one is its
> complexity in terms of the number of allowed servers, (DMZ, etc).
> In the 7.2 version the adding rules were chewed so that anyone can use it
> because there were only two sides (office and the internet). With the
> latest version, you can have an unlimited number of zones ... so, in order
> to make a service available (say a web server) you need two steps instead
> of one:
> - activate a service in a zone, say an apache (web) server and then
> - add the right iptables rule to allow the corresponding traffic
>
Agreed, however ease of use has been mandrake's hallmark.
For the SOHO market the functionality as it was in 7.2 got
you up and going in no time. I don't think that should be
lost in the ability to support larger enterprises.
The ability to tweak the config from the gui is certainly
more fine grained than 7.2 ( Yes I tweaked my Bastille based
configs by hand ). And looks quite interesting too. Don't
change that, but don't lose the positive out of box
experience for the newbie/basic user that 7.2 had.
-randy
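The "easy/basic/quick setup" Randy sketches above (NAT for the LAN, the usual outbound services allowed, and Florin's "authorize the 53 port from lan to fw" for the firewall's own caching name server) can be expressed as a short rule generator. The script below is an added example, not part of the thread and not SNF's own code: it prints the iptables commands rather than applying them, so the rule set can be reviewed before it is piped to a shell as root. The interface names, the LAN subnet and the squid port 3128 are assumptions for the example.

```sh
#!/bin/sh
# Added example (not from SNF): emit the iptables rules for a basic
# two-sided setup (LAN behind NAT, a few outbound services, DNS and
# squid served by the firewall itself).
#
#   snf_basic_rules LAN_IF WAN_IF LAN_NET [EXTRA_TCP_PORTS]
#
# Review:  snf_basic_rules eth1 eth0 192.168.1.0/24
# Apply:   snf_basic_rules eth1 eth0 192.168.1.0/24 "143 119" | sh
# (eth1/eth0, 192.168.1.0/24 and the optional imap/nntp ports are assumptions.)
snf_basic_rules() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"; extra_ports="$4"

    # Default-deny forwarding; every rule below is an explicit allow.
    echo "iptables -P FORWARD DROP"
    # Replies to connections we allowed may come back in both directions.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # 1. NAT: masquerade the private LAN behind the WAN address.
    echo "iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE"

    # 2. Services allowed LAN -> WAN with no further user intervention:
    #    http, https, pop3, smtp, plus any extra TCP ports (e.g. imap, nntp).
    for port in 80 443 110 25 $extra_ports; do
        echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # DNS lookups straight out to the WAN (for hosts not using the local cache).
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p udp --dport 53 -j ACCEPT"

    # 3. Services the firewall itself offers to the LAN:
    #    squid on 3128 (assumed port) and the caching name server on 53,
    #    i.e. the "lan to fw" rules discussed in the thread.
    echo "iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport 3128 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -i $lan_if -s $lan_net -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport 53 -j ACCEPT"
}
```

Because the rules only reach a shell after you have read them, the generator doubles as the "clear documentation while you are doing the configuration" Randy asks for: each printed line maps to one item of the quick setup. The script deliberately leaves the INPUT chain's policy alone (it only adds allows), so it does not lock an administrator out of a box whose INPUT policy is already DROP; ftp is omitted because it needs the connection-tracking helper rather than a single port rule.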