Re: Firewall and Laptop
On Thursday 30 December 2004 12:59, Keith Nasman wrote:
> Derek Broughton wrote:
> > OK, off the top:
> > - it needs 22 other gnome apps I didn't want. No big deal if you're
> > already using gnome.
> > - it still can't configure an interface it isn't actively connected to.
> > When I'm at work the Internet is on eth0. When I'm home, it's dpc0 and
> > eth0 is the local network. There's no apparent way to save both configs
> > (which shouldn't really be different, anyway, just the same rules on
> > different interfaces). This is an unusual connection, but using ppp0 at
> > home and eth0 at work would be _very_ common.
> There is a command line option called --generate-scripts that will dump
> the current configuration into /etc/firestarter. I imagine that you can
> dump the configuration at each location and then edit the init script to
OK, that would help. But without Help, it's not easy to know that.
> run the different configurations. How do you bring up your interfaces
> at the different locations? Do you have an automated way at boot to
ifupdown & hotplug. if it finds dpc0, that's my satellite modem, if not it
treats eth0 as an internet connection.
> select your network situation? If so, you could edit those scripts to
> copy the correct configuration into the file that firestarter boots
> with. Poke around in the /etc/init.d/firstarter script and the
> /etc/firestarter/ directory. As you said, your rules would be the same
Yeah, I could do that. Guarddog was easier.
> at both locations so you could just change the IF and INIF variables in
> /etc/firestarter/configuration file.
> > - without a single question about my usage, it thinks it can configure a
> > firewall! Now, it's built _something_, but I don't know enough about
> > iptables to be sure, but it looks awfully permissive. At the very least,
> > I'm currently connected to this machine by VNC and it isn't even blocking
> > me. It did block Telnet, but I usually leave that open to my desktop
> > machine.
> The first time I ran it, it asked me how I wanted it set up, which
> interface is external, which ports to allow incoming connections on,
> etc. Did it not do this for you?
Nope. No questions at all, which surprised me.
> Did you have the VNC connection up when
> you started the firewall? One of common rules for firewalls is to allow
> traffic that was initiated from your machine.
Yeah, that occurred to me after the fact. I should have tried to initiate a
second VNC connection before I uninstalled firestarter. :-)
> My situation is a laptop where eth1(wireless) is the "external" and eth0
> (wired) is the LAN. When playing with my test boxes on the LAN,
> firestarter blocks connections on the LAN side that I've told it to. I
> have to enter rules in the policy section to allow these boxes to
> connect via SSH.
Yes, but you need to know how the rules are entered. There's no Help.
> I'm not qualified to analyze the rules generated but I'm sure you could
> rest your fears on numerous mailing lists.
That's not relevant. If you're not qualified (and I'm not qualified) it's
even _more_ important that it be explaining what it's doing.
> > - It still has no help (there's a menu entry, but it never gives me any
> > help). That's not acceptable for a firewall - you need to know _why_ it
> > built the rules it did (unless you understand iptables a lot better than
> > I do - in which case you probably didn't need a GUI to do it).
> The Help -> Online User's Manual works for me, maybe what your system
> thinks as the "default browser" isn't there. It just takes you to
You're installing a firewall - you really shouldn't be online until you're
comfortable with what it's doing.
> > It might not be a bad firewall if you use Gnome, and if the Help actually
> > works on Gnome, but imo it would be a very poor firewall for anyone else.
> It is definitely a Gnome app.
That shouldn't matter at all. I use all sorts of gnome apps, but if they rely
on bonobo, they'd better be darn good. I haven't found one yet that was
worth the baggage.
I should have also mentioned there, that it is probably OK if you only use a
single interface to connect to the internet, but for people with dial-up at
home and ethernet at work, it's more trouble than _I_ think it's worth.
> > I'm going back to guarddog - which is also a Gnome app, but works much
> > better with KDE, and runs the same startup script no matter what
> > interface my connection is on.
> Choice is good isn't it :-)