Hi Michael,

Michael Hanke <[EMAIL PROTECTED]> (04/04/2006):
> On Mon, Apr 03, 2006 at 02:09:30PM +0200, Thomas Huriaux wrote:
> > Package: arno-iptables-firewall
> > Severity: minor
> >
> > Hi, there are many issues in your debconf templates concerning the
> > developers reference (see
> > http://www.debian.org/doc/developers-reference/ch-best-pkging-practices.en.html#s-bpp-config-mgmt)
> <snip>
>
> I tried a rewrite of the Debconf templates (attached). If you find some
> time, I would really like to hear your opinion before I start bothering
> the translators.

These templates seem OK to me, I would only capitalize "Internet". I cc
Christian Perrier, as he always has other comments :-)

Christian, can you please check if Michael's templates are conforming
with the dev-ref?

Cheers,

-- 
Thomas Huriaux

Template: arno-iptables-firewall/title
Type: title
_description: arno-iptables-firewall configuration

Template: arno-iptables-firewall/config-ext-if
Type: string
_description: External network interfaces:
 The external network interfaces connect this machine to untrusted
 networks (e.g. the internet). The firewall will only permit connections
 attempts with explicitly allowed source/destination-port combinations on
 these interfaces. You have to specify all external interfaces (e.g. eth0
 and/or ppp0).
 .
 For a ppp-interface that doesn't exist yet you can use the wildcard
 device called "ppp+", but you can only use ppp+ if there aren't any other
 ppp interfaces!
 .
 If no interfaces are specified here, no firewall setup will be performed.
 .
 Multiple interfaces should be specified space separated.

Template: arno-iptables-firewall/dynamic-ip
Type: boolean
_description: Is DHCP used on external interfaces?
 This machine might use DHCP to dynamically obtain its IP address from
 your internet service provider (ISP). This will be almost always the case
 if you have a non-permanent (e.g. dialup) connection.
 .
 If DHCP is not explicitly enabled, the firewall will block all
 DHCP-related network traffic.
 .
 Leave this enabled, if you are unsure.
Default: true

Template: arno-iptables-firewall/services-tcp
Type: string
_description: Open external TCP-ports:
 The default firewall policy is to deny all incoming traffic on the
 external interfaces. If this machine provides services to the outside
 world (e.g. the internet) they have to be explicitly enabled.
 .
 Please specify the TCP-ports numbers associated with the services that
 shall be accessible from the outside world. Some frequently used ports
 are: 80 (http), 443 (https) or 22 (ssh).
 .
 In addition to single port numbers you may also specify port ranges
 (e.g. 10000:11000). Multiple entries should be entered space separated.
 .
 If unsure, leave this empty.

Template: arno-iptables-firewall/services-udp
Type: string
_description: Open external UDP-ports:
 The default firewall policy is to deny all incoming traffic on the
 external interfaces. If this machine provides services for the outside
 world (e.g. the internet) they have to be explicitly enabled.
 .
 Please specify the UDP-ports numbers associated with the services that
 shall be accessible from the outside world.
 .
 In addition to single port numbers you may also specify port ranges
 (e.g. 10000:11000). Multiple entries should be entered space separated.
 .
 If unsure, leave this empty.

Template: arno-iptables-firewall/restart
Type: boolean
_description: Should the firewall be (re)started now?
 For security reasons the (new) firewall setup is not applied
 automatically. You might want to perform a manual inspection of the
 firewall configuration at /etc/default/arno-iptables-firewall,
 especially when upgrading to a new version as configuration variables
 might have changed.
 .
 In order to later manually apply the new firewall settings before the
 next reboot, invoke 'invoke-rc.d arno-iptables-firewall start'.
 .
 If you do not need manual inspection the firewall-setup can be applied
 now.
Default: true

Template: arno-iptables-firewall/nat
Type: boolean
_description: Do you want to enable NAT?
 If the connected internal networks should be able to access the outside
 world (e.g. the internet) through the firewall, masquerading (NAT) has to
 be enabled.
 .
 If you don't know what that means, you can safely leave this disabled.
Default: false

Template: arno-iptables-firewall/config-int-if
Type: string
_description: Internal network interfaces:
 The internal network interfaces connect this machine to trusted networks
 (e.g. the office or home LAN). The firewall will permit all connection
 attempts on these interfaces. If you specify such interfaces, you will be
 able to permit the internal networks to access internet through this
 host. If there are no such interfaces, leave this empty.
 .
 Multiple interfaces should be entered space separated.

Template: arno-iptables-firewall/config-int-net
Type: string
_description: Internal subnets:
 You have to specify which subnets are connected to the internal network
 interfaces. Hosts in the internal networks can connect to all the
 services on this machine.
 .
 Give subnets in CIDR notation (e.g. 192.168.1.0/24). If you have multiple
 internal networks, they should be space separated.

Template: arno-iptables-firewall/config-int-nat-net
Type: string
_description: Internal networks with access to external networks:
 If you want to restrict the access to the external networks, you can
 specify the allowed internal subnets in CIDR notation (e.g.
 192.168.1.0/24). It is also possible to specify single hosts by their IP
 addresses. If you have multiple internal networks and/or hosts, they
 should be given space separated.
 .
 If you leave this empty the value is automatically set to equal the
 internal network. Therefore the WHOLE internal network will have access
 to the external networks, so be careful to only specify networks that
 should have access to the outside world.
 .
 If you are unsure, leave this empty.

Template: arno-iptables-firewall/icmp-echo
Type: boolean
_description: Should the machine be pingable from the outside world?
 For increased security the firewall can be setup to ignore ICMP echo
 requests (pings). While this is generally a good idea (the host seems to
 be down at a first glance), this is sometimes not useful (e.g. failure
 diagnose).
 .
 If you are not sure, leave this disabled.
Default: false

Template: arno-iptables-firewall/debconf-wanted
Type: boolean
_description: Do you want to manage the firewall setup with debconf?
 A basic firewall setup that is suitable for most purposes can be created
 by answering a few questions. This should be the prefered option for all
 who are not familiar with firewall related topics.
 .
 If you do not want that, the firewall will not work before you have
 edited the configuration manually.
Default: true