Re: Firewall and Laptop
Derek Broughton wrote:
On Thursday 30 December 2004 10:23, Derek Broughton wrote:
On Thursday 30 December 2004 09:28, Ryan D'Baisse wrote:
On Thu, 30 Dec 2004 09:06:03 -0400, Derek Broughton
Did firestarter get any documentation yet? I have tried it a few
times. It looks like it's on the right track, but it had useless
documentation. It just wasn't worth the effort.
If I may offer my $0.02, I am a newbie to Linux and saw this thread
last night. Within 5 minutes I had downloaded, installed, and
configured firestarter with my firewall. The wizard-like interface
took virtually all of the thinking out of the equation. I would guess
that, if firestarter doesn't have documentation, then it is probably
because one really doesn't need it with such a slick interface.
Sounds good enough to me, at least to give it another try. It must be well
over a year since I tried it.
OK, off the top:
- it needs 22 other gnome apps I didn't want. No big deal if you're already
- it still can't configure an interface it isn't actively connected to. When
I'm at work the Internet is on eth0. When I'm home, it's dpc0 and eth0 is
the local network. There's no apparent way to save both configs (which
shouldn't really be different, anyway, just the same rules on different
interfaces). This is an unusual connection, but using ppp0 at home and eth0
at work would be _very_ common.
There is a command line option called --generate-scripts that will dump
the current configuration into /etc/firestarter. I imagine that you can
dump the configuration at each location and then edit the init script to
run the different configurations. How do you bring up your interfaces
at the different locations? Do you have an automated way at boot to
select your network situation? If so, you could edit those scripts to
copy the correct configuration into the file that firestarter boots
with. Poke around in the /etc/init.d/firestarter script and the
/etc/firestarter/ directory. As you said, your rules would be the same
at both locations so you could just change the IF and INIF variables in
- without a single question about my usage, it thinks it can configure a
firewall! Now, it's built _something_, but I don't know enough about
iptables to be sure, but it looks awfully permissive. At the very least, I'm
currently connected to this machine by VNC and it isn't even blocking me. It
did block Telnet, but I usually leave that open to my desktop machine.
The first time I ran it, it asked me how I wanted it set up, which
interface is external, which ports to allow incoming connections on,
etc. Did it not do this for you? Did you have the VNC connection up when
you started the firewall? One of the common rules for firewalls is to allow
traffic that was initiated from your machine.
My situation is a laptop where eth1(wireless) is the "external" and eth0
(wired) is the LAN. When playing with my test boxes on the LAN,
firestarter blocks connections on the LAN side that I've told it to. I
have to enter rules in the policy section to allow these boxes to
connect via SSH. I also use VMWare on the laptop and that sets up its
own network interfaces and those are blocked as well until I allow the
traffic. For both the LAN boxes and the VMWare machines my laptop is the
gateway to the Internet via my wireless nic.
I'm not qualified to analyze the rules generated but I'm sure you could
rest your fears on numerous mailing lists.
- It still has no help (there's a menu entry, but it never gives me any help).
That's not acceptable for a firewall - you need to know _why_ it built the
rules it did (unless you understand iptables a lot better than I do - in
which case you probably didn't need a GUI to do it).
The Help -> Online User's Manual works for me, maybe what your system
thinks as the "default browser" isn't there. It just takes you to
It might not be a bad firewall if you use Gnome, and if the Help actually
works on Gnome, but imo it would be a very poor firewall for anyone else.
It is definitely a Gnome app.
I'm going back to guarddog - which is also a Gnome app, but works much better
with KDE, and runs the same startup script no matter what interface my
connection is on.
Choice is good isn't it :-)
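The two points above, swapping only the IF and INIF variables per location and relying on the "allow traffic initiated from your machine" rule, as an added shell example; this is not firestarter's code and not anything the people in the thread posted. It assumes (our assumption, not stated by the thread) that /etc/firestarter/configuration holds shell-style IF= and INIF= lines, that the interface names are dpc0 at home and eth0 at work as Derek describes, and that the profile names and the FS_CONF variable are ours. It picks the profile from whichever interface carries the default route, patches the two variables, and prints the stateful rule skeleton instead of loading it, so it can be read before anything runs as root:

```shell
#!/bin/sh
# Added example: per-location profile selection for a firestarter-style
# configuration. Not firestarter's own code. Assumptions: the configuration
# file holds IF=<external> and INIF=<internal> lines; dpc0 is the home
# external interface and eth0 the work one; FS_CONF and the profile names
# are ours.

FS_CONF=${FS_CONF:-/etc/firestarter/configuration}

# Print the interface holding the default route, given the text of either
# `ip route` ("default via ... dev eth0", "default dev dpc0 scope link")
# or `route -n` ("0.0.0.0  <gw>  0.0.0.0  UG ... eth0").
default_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit }
        }
        $1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }'
}

# Map the external interface to "<profile> <external> <internal>".
# "-" means there is no LAN side at that location.
profile_for_iface() {
    case "$1" in
        dpc0) echo "home dpc0 eth0" ;;   # home: Internet on dpc0, wired LAN on eth0
        eth0) echo "work eth0 -" ;;      # work: Internet on eth0, no LAN to protect
        *)    echo "unknown $1 -" ;;
    esac
}

# Rewrite the IF= and INIF= lines in place; every other line is left alone,
# which is the point: the rules stay the same, only the interfaces change.
set_ifaces() {
    cfg=$1; ext=$2; int=$3
    sed -e "s/^IF=.*/IF=$ext/" -e "s/^INIF=.*/INIF=$int/" "$cfg" > "$cfg.tmp" &&
        mv "$cfg.tmp" "$cfg"
}

# Emit the stateful skeleton as iptables commands on stdout. The
# ESTABLISHED,RELATED rule is what lets replies to connections this host
# opened (and a connection tracking already knows about) back in.
baseline_rules() {
    ext=$1; int=$2
    printf '%s\n' \
        "iptables -P INPUT DROP" \
        "iptables -P FORWARD DROP" \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    if [ "$int" != "-" ]; then
        # LAN boxes may SSH in; the laptop masquerades for them on the external side.
        printf '%s\n' \
            "iptables -A INPUT -i $int -p tcp --dport 22 -j ACCEPT" \
            "iptables -A FORWARD -i $int -o $ext -j ACCEPT" \
            "iptables -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT" \
            "iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE"
    fi
}

# Only touches the real configuration when invoked with --apply (needs root).
apply_profile() {
    routes=$(ip route 2>/dev/null || route -n)
    set -- $(profile_for_iface "$(default_iface "$routes")")
    echo "profile=$1 external=$2 internal=$3" >&2
    set_ifaces "$FS_CONF" "$2" "$3"
    baseline_rules "$2" "$3"
}

if [ "${1:-}" = "--apply" ]; then
    apply_profile
fi
```

Hook `apply_profile` into whatever already brings the interfaces up at each location, before the firewall init script runs, and inspect the printed rules rather than trusting the GUI. One caveat relevant to the VNC observation: Linux connection tracking by default picks up a TCP session that was already open when the rules loaded (it does not require seeing the SYN), so an existing VNC session matches ESTABLISHED and is not cut off; a fresh inbound connection to the same port would be dropped by the INPUT policy.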