Randy Welch <[EMAIL PROTECTED]> writes:

Hello again,

> Does dan's guardian allow for time restrictions like squidGuard? I don't
> want to lose that functionality.

You can run SquidGuard and DansGuardian at the same time and keep the
time restriction feature.

> any ideas are welcome ...
>
> In the firewall section it would be nice to have an easy/basic/quick setup
> that did the following:
>
> 1. Setup NAT
>
> 2. Perform necessary setup to allow the following services:
> http/https/pop3/smtp/dns/squid ( maybe nntp/ftp/imap )
> *without any further intervention from the user*.

Ok, this is a good and useful idea. I'll open all the
http/https/pop3/smtp/ssh/nntp/ftp/imap/dns traffic by default from the lan
to wan so people can use the firewall directly without adding these rules.

> With what is currently in 8.2 I suspect you are closer to SuSE's firewall
> product, read the quote from the UnixReview article on firewalls about
> their product:
>
> > > The setup program is GUI-based, but you still need to understand how to
> > > configure a firewall. If you don't know a DMZ from an ACL,
> > > you'll be totally lost with this product....
>
> I think the new snf is going that way.

Well, this firewall now supports several DMZs. This is why I think that
allowing by default all the above services from lan to wan is a good idea,
so people that will NOT use a DMZ can use it right away.

> > >> 4. With the configuration ( which I'm not sure I've done right.. ) the
> > >> only way to surf the web is through squid.
> >
> > Oh no, when you activate squid, this will add the right rules (you can
> > verify that). If you only want to surf the web, you should eventually
> > masquerade your private network and authorize the http (or www)
> > traffic from lan to wan, add a new iptable rule that is.
> > It's normal and intuitive, I think.
>
> I'll have to think about that. I could not surf without squid last night
> though.

Well, it works like a charm here. If you explain your network configuration
with the eventual private IP ranges used, I could help.

In two steps, as I said, do the following: if your eth1 card is the interface
associated to the wan zone and eth0 is the one associated to the lan zone
(you'll have to do that in the network configuration because all the NIC
interfaces are in the lan zone at the beginning) and your private network is
192.168.1.0/24, masquerade that network through the eth1 interface (eth1,
the wan interface). Then add an ACCEPT rule allowing the http traffic from
lan to wan. Easy, huh ?

> Yes it is the caching name server provided by the firewall. I would
> recommend that you add the rule automatically when activating the caching
> name server.

Ok, I've added that on the cvs.

> Agreed, however ease of use has been mandrake's hallmark. For the SOHO
> market the functionality as it was in 7.2 got you up and going in no time.
> I don't think that should be lost in the ability to support larger
> enterprises.
>
> The ability to tweak the config from the gui is certainly more fine
> grained than 7.2 ( Yes I tweaked my Bastille based configs by hand ). And
> looks quite interesting too. Don't change that, but don't lose the
> positive out of box experience for the newbie/basic user that 7.2 had.

Allowing all the above traffic by default should do the thing :o)

Thank you for your message,

-- 
Florin
http://www.mandrakesoft.com
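The two-step setup Florin describes (masquerade 192.168.1.0/24 out through eth1, then ACCEPT http from lan to wan), the wider default service list he proposes opening from lan to wan, and the rule letting the lan reach the firewall's own caching name server, written out as iptables commands. This is an added example, not code from this thread or from the Mandrake firewall product: the interface names and private range are taken from the message, the port numbers are the standard ones for the services named, and the `IPT` variable defaults to a dry run that only prints each command instead of applying it.

```shell
#!/bin/sh
# Added example (not from the thread or the Mandrake firewall): the
# lan -> wan rules discussed in the message, generated as iptables
# commands. Interface names and the private range come from the message.
# IPT defaults to "echo iptables", so running this only prints the rules;
# run as root with IPT=iptables to apply them for real.

LAN_IF=eth0            # interface placed in the lan zone
WAN_IF=eth1            # interface placed in the wan zone
LAN_NET=192.168.1.0/24 # private network behind the firewall
IPT=${IPT:-"echo iptables"}

# Services opened by default from lan to wan, as proto:port.
# http https pop3 smtp ssh nntp ftp imap dns(udp) dns(tcp)
# ftp here is only the control channel; active-mode data connections also
# need the ftp conntrack helper (nf_conntrack_ftp) loaded.
DEFAULT_SERVICES="tcp:80 tcp:443 tcp:110 tcp:25 tcp:22 tcp:119 tcp:21 tcp:143 udp:53 tcp:53"

# One FORWARD rule letting new connections for $1/$2 (proto/port) go from
# the lan to the wan. Replies are matched by the ESTABLISHED rule below.
allow_lan_to_wan() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p "$1" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# Step 1: masquerade the private network behind the wan interface's address.
masquerade_lan() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Step 2: default-deny forwarding, allow return traffic, then open the
# listed services one by one.
forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for svc in $DEFAULT_SERVICES; do
        proto=${svc%%:*}
        port=${svc#*:}
        allow_lan_to_wan "$proto" "$port"
    done
}

# The lan must also reach the caching name server on the firewall itself;
# that is traffic to the box (INPUT), not through it (FORWARD).
allow_lan_dns_to_firewall() {
    for proto in udp tcp; do
        $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p "$proto" --dport 53 -j ACCEPT
    done
}

# Exactly the minimal setup from the message: masquerade, then http only.
minimal_setup() {
    masquerade_lan
    allow_lan_to_wan tcp 80
}

# The "open the usual services by default" setup proposed in the reply.
full_setup() {
    masquerade_lan
    forward_rules
    allow_lan_dns_to_firewall
}

if [ "${1:-}" = "apply" ]; then
    full_setup
fi
```

Run it as `sh lan-to-wan.sh apply` to print the full rule set; with `IPT=iptables` exported and root privileges the same invocation installs the rules. Ordering matters for a real deployment: the `-P FORWARD DROP` policy is set before any ACCEPT rule, so nothing is forwarded until the service rules are in place.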
