
Re: Firewall and Laptop

Derek Broughton wrote:
> On Thursday 30 December 2004 10:23, Derek Broughton wrote:
>> On Thursday 30 December 2004 09:28, Ryan D'Baisse wrote:
>>> On Thu, 30 Dec 2004 09:06:03 -0400, Derek Broughton <derek@pointerstop.ca> wrote:
>>>> Did firestarter get any documentation yet?  I have tried it a few
>>>> times. It looks like it's on the right track, but it had useless
>>>> documentation. It just wasn't worth the effort.
>>>
>>> If I may offer my $0.02, I am a newbie to Linux and saw this thread
>>> last night.  Within 5 minutes I had downloaded, installed, and
>>> configured firestarter with my firewall.  The wizard-like interface
>>> took virtually all of the thinking out of the equation.  I would guess
>>> that, if firestarter doesn't have documentation, then it is probably
>>> because one really doesn't need it with such a slick interface.
>>
>> Sounds good enough to me, at least to give it another try.  It must be well
>> over a year since I tried it.
>
> OK, off the top:
> - it needs 22 other gnome apps I didn't want. No big deal if you're already using gnome.
>
> - it still can't configure an interface it isn't actively connected to. When I'm at work the Internet is on eth0. When I'm home, it's dpc0 and eth0 is the local network. There's no apparent way to save both configs (which shouldn't really be different, anyway, just the same rules on different interfaces). This is an unusual connection, but using ppp0 at home and eth0 at work would be _very_ common.

There is a command line option called --generate-scripts that will dump the current configuration into /etc/firestarter. I imagine that you can dump the configuration at each location and then edit the init script to run the different configurations. How do you bring up your interfaces at the different locations? Do you have an automated way at boot to select your network situation? If so, you could edit those scripts to copy the correct configuration into the file that firestarter boots with. Poke around in the /etc/init.d/firestarter script and the /etc/firestarter/ directory. As you said, your rules would be the same at both locations, so you could just change the IF and INIF variables in the /etc/firestarter/configuration file.

> - without a single question about my usage, it thinks it can configure a firewall! Now, it's built _something_, but I don't know enough about iptables to be sure, but it looks awfully permissive. At the very least, I'm currently connected to this machine by VNC and it isn't even blocking me. It did block Telnet, but I usually leave that open to my desktop machine.

The first time I ran it, it asked me how I wanted it set up, which interface is external, which ports to allow incoming connections on, etc. Did it not do this for you? Did you have the VNC connection up when you started the firewall? One of the common rules for firewalls is to allow traffic that was initiated from your machine.

My situation is a laptop where eth1 (wireless) is the "external" and eth0 (wired) is the LAN. When playing with my test boxes on the LAN, firestarter blocks connections on the LAN side that I've told it to. I have to enter rules in the policy section to allow these boxes to connect via SSH. I also use VMWare on the laptop and that sets up its own network interfaces, and those are blocked as well until I allow the traffic. For both the LAN boxes and the VMWare machines my laptop is the gateway to the Internet via my wireless NIC.

I'm not qualified to analyze the rules generated, but I'm sure you could put your fears to rest on numerous mailing lists.

> - It still has no help (there's a menu entry, but it never gives me any help). That's not acceptable for a firewall - you need to know _why_ it built the rules it did (unless you understand iptables a lot better than I do - in which case you probably didn't need a GUI to do it).

The Help -> Online User's Manual works for me; maybe what your system thinks is the "default browser" isn't there. It just takes you to http://www.fs-security.com/

> It might not be a bad firewall if you use Gnome, and if the Help actually works on Gnome, but imo it would be a very poor firewall for anyone else.

It is definitely a Gnome app.

> I'm going back to guarddog - which is also a Gnome app, but works much better with KDE, and runs the same startup script no matter what interface my connection is on.

Choice is good isn't it :-)
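As an added example, not code from the thread or from firestarter itself, here is one way to do what the reply suggests: keep a single firestarter configuration and just switch the IF and INIF variables in /etc/firestarter/configuration depending on where the laptop is. The file path, the assumption that the configuration file carries plain `IF=` and `INIF=` lines, the two locations (work: Internet on eth0, no internal interface; home: Internet on dpc0, LAN on eth0, as described in the thread), and the location test (whether dpc0 exists under /sys/class/net) are all assumptions for illustration; the restart step is the only part that touches the running firewall, and it only runs when FS_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not part of the original thread or of firestarter):
# choose the external/internal interface pair per location by rewriting
# IF= and INIF= in the firestarter configuration file, then restart the
# init script. Paths, interface names and location test are assumptions.

FS_CONF="${FS_CONF:-/etc/firestarter/configuration}"

# Rewrite IF= and INIF= in a configuration file, leaving every other
# setting untouched.  $1 = config file, $2 = external iface, $3 = internal
# iface (empty string when there is no LAN side, as at work).
set_fs_ifaces() {
    conf="$1"; ext="$2"; int="$3"
    tmp="$conf.tmp.$$"
    sed -e "s/^IF=.*/IF=$ext/" -e "s/^INIF=.*/INIF=$int/" "$conf" > "$tmp" &&
        mv "$tmp" "$conf"
}

# Read one variable back out of the configuration (used for checks).
# $1 = config file, $2 = variable name
fs_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Decide where we are: the home-only interface dpc0 appears under
# /sys/class/net only when it has been brought up; otherwise assume work.
# $1 optionally overrides the sysfs directory (handy for testing).
detect_location() {
    netdir="${1:-/sys/class/net}"
    if [ -e "$netdir/dpc0" ]; then
        echo home
    else
        echo work
    fi
}

# Map a location name onto the interface assignment from the thread.
# $1 = location (home|work), $2 = config file
apply_location() {
    case "$1" in
        home) set_fs_ifaces "$2" dpc0 eth0 ;;
        work) set_fs_ifaces "$2" eth0 "" ;;
        *) echo "unknown location: $1" >&2; return 1 ;;
    esac
}

# Only touch the live system when explicitly asked (FS_APPLY=1), e.g. from
# the script that brings the interfaces up at boot.
if [ "${FS_APPLY:-0}" = 1 ]; then
    loc=$(detect_location)
    apply_location "$loc" "$FS_CONF" &&
        echo "firestarter configured for $loc: IF=$(fs_get "$FS_CONF" IF) INIF=$(fs_get "$FS_CONF" INIF)" &&
        /etc/init.d/firestarter restart
fi
```

Run it as root with `FS_APPLY=1 sh fs-location.sh` from whatever brings the interfaces up at boot; the rest of the firewall policy stays as firestarter generated it, only the two interface variables change. If the configuration file is regenerated with `firestarter --generate-scripts`, rerun the script afterwards so the interface assignment matches the current location.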

