Re: Firewall and Laptop
On Thursday 30 December 2004 12:59, Keith Nasman wrote:
> Derek Broughton wrote:
[of firestarter]
> > OK, off the top:
> > - it needs 22 other gnome apps I didn't want. No big deal if you're
> > already using gnome.
> >
> > - it still can't configure an interface it isn't actively connected to.
> > When I'm at work the Internet is on eth0. When I'm home, it's dpc0 and
> > eth0 is the local network. There's no apparent way to save both configs
> > (which shouldn't really be different, anyway, just the same rules on
> > different interfaces). This is an unusual connection, but using ppp0 at
> > home and eth0 at work would be _very_ common.
>
> There is a command line option called --generate-scripts that will dump
> the current configuration into /etc/firestarter. I imagine that you can
> dump the configuration at each location and then edit the init script to
OK, that would help. But without Help, it's not easy to know that.
> run the different configurations. How do you bring up your interfaces
> at the different locations? Do you have an automated way at boot to
ifupdown & hotplug. If it finds dpc0, that's my satellite modem, if not it
treats eth0 as an internet connection.
> select your network situation? If so, you could edit those scripts to
> copy the correct configuration into the file that firestarter boots
> with. Poke around in the /etc/init.d/firestarter script and the
> /etc/firestarter/ directory. As you said, your rules would be the same
Yeah, I could do that. Guarddog was easier.
> at both locations so you could just change the IF and INIF variables in
> /etc/firestarter/configuration file.
>
> > - without a single question about my usage, it thinks it can configure a
> > firewall! Now, it's built _something_, but I don't know enough about
> > iptables to be sure, but it looks awfully permissive. At the very least,
> > I'm currently connected to this machine by VNC and it isn't even blocking
> > me. It did block Telnet, but I usually leave that open to my desktop
> > machine.
>
> The first time I ran it, it asked me how I wanted it set up, which
> interface is external, which ports to allow incoming connections on,
> etc. Did it not do this for you?
Nope. No questions at all, which surprised me.
> Did you have the VNC connection up when
> you started the firewall? One of the common rules for firewalls is to allow
> traffic that was initiated from your machine.
Yeah, that occurred to me after the fact. I should have tried to initiate a
second VNC connection before I uninstalled firestarter. :-)
> My situation is a laptop where eth1(wireless) is the "external" and eth0
> (wired) is the LAN. When playing with my test boxes on the LAN,
> firestarter blocks connections on the LAN side that I've told it to. I
> have to enter rules in the policy section to allow these boxes to
> connect via SSH.
Yes, but you need to know how the rules are entered. There's no Help.
> I'm not qualified to analyze the rules generated but I'm sure you could
> rest your fears on numerous mailing lists.
That's not relevant. If you're not qualified (and I'm not qualified) it's
even _more_ important that it be explaining what it's doing.
> > - It still has no help (there's a menu entry, but it never gives me any
> > help). That's not acceptable for a firewall - you need to know _why_ it
> > built the rules it did (unless you understand iptables a lot better than
> > I do - in which case you probably didn't need a GUI to do it).
>
> The Help -> Online User's Manual works for me, maybe what your system
> thinks of as the "default browser" isn't there. It just takes you to
You're installing a firewall - you really shouldn't be online until you're
comfortable with what it's doing.
> > It might not be a bad firewall if you use Gnome, and if the Help actually
> > works on Gnome, but imo it would be a very poor firewall for anyone else.
>
> It is definitely a Gnome app.
That shouldn't matter at all. I use all sorts of gnome apps, but if they rely
on bonobo, they'd better be darn good. I haven't found one yet that was
worth the baggage.
I should have also mentioned there, that it is probably OK if you only use a
single interface to connect to the internet, but for people with dial-up at
home and ethernet at work, it's more trouble than _I_ think it's worth.
> > I'm going back to guarddog - which is also a Gnome app, but works much
> > better with KDE, and runs the same startup script no matter what
> > interface my connection is on.
>
> Choice is good, isn't it :-)
Yeah!
--
derek
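
The approach discussed above (same rules at both locations, only IF and INIF in /etc/firestarter/configuration changing, with dpc0 taken as the Internet link when present and eth0 otherwise) could be scripted as follows. This is an added example, not part of the original message and not Firestarter's own code; it assumes the file holds shell-style `IF="..."` and `INIF="..."` lines (the thread names the variables but not the file format), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the configuration file contains lines of the
# form IF="..." and INIF="..." (format not shown in the thread).

# Decide external/internal interface from a space-separated list of the
# interfaces that are present. Sets EXT_IF and INT_IF.
pick_interfaces() {
    case " $1 " in
        *" dpc0 "*) EXT_IF=dpc0; INT_IF=eth0 ;;  # home: satellite modem out, eth0 is the LAN
        *" eth0 "*) EXT_IF=eth0; INT_IF= ;;      # work: eth0 is the Internet side
        *) return 1 ;;                           # nothing known is up: change nothing
    esac
}

# Accept only characters that can appear in an interface name. The file is
# read by a root init script, so quotes, spaces or ';' must never be written.
valid_ifname() {
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# set_firestarter_ifaces <config-file> <external-if> <internal-if-or-empty>
# Rewrites only the IF= and INIF= lines and leaves every other line as is.
set_firestarter_ifaces() {
    cfg=$1; ext=$2; int=$3
    [ -n "$ext" ] && valid_ifname "$ext" && valid_ifname "$int" || return 1
    # Refuse to "succeed" on a file that does not have both variables.
    grep -q '^IF=' "$cfg" && grep -q '^INIF=' "$cfg" || return 1
    tmp="$cfg.new.$$"
    ( umask 077   # the rewritten copy is never world-readable, even briefly
      sed -e "s/^IF=.*/IF=\"$ext\"/" -e "s/^INIF=.*/INIF=\"$int\"/" "$cfg" > "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$cfg"   # rename within one directory: no half-written config
}

# Only acts when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    pick_interfaces "$(ls /sys/class/net | tr '\n' ' ')" &&
        set_firestarter_ifaces /etc/firestarter/configuration "$EXT_IF" "$INT_IF"
fi
```

The firewall still has to be restarted after the file changes, and the result is worth checking with `iptables -L -v -n` before relying on it.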