Re: change in behavior of iptables with respect to firestarter
On 10/27/2010 07:23 PM, Rob Owens wrote:
> I'm inclined to call it a bug in firestarter, but to be sure, test it
> out with Network Manager instead of wicd. See if you have the same
> problem. I think you will, which will indicate the problem is with
> firestarter (or possibly with the way you configured firestarter).
I did try purging firestarter, re-installing it, and starting over with
an extremely simple configuration (just basic deny all incoming but
without ICMP filtering). It still wouldn't come up on a system
configured to work with wicd managing multiple fixed IP addresses.
The funny thing is that I have been using firestarter because it was
"easy". I also tried gufw as an alternative because it was "easy".
With firestarter I could configure the firewall the way I wanted it to
work (accepting only ssh connections from particular IP addresses), but
it wouldn't start reliably.
Gufw was totally reliable in my testing, but didn't offer anything like
the flexibility of firestarter in configuration of the firewall.
So I just tried using ufw. As far as I'm concerned, it's easier to
understand its man pages and use it from the CLI than it is to use the
gufw front end. So, I'm happy.
I guess I didn't need no stinkin' GUI.
Firestarter is pretty impressive, but it's history for me in my
particular circumstances. It looks to me as though they may have
compromised their reliability (at least for admittedly somewhat odd
cases like mine -- I realize that most people who move among multiple
networks these days are using DHCP) by trying to provide access to so
many advanced features through the GUI. I guess it requires a lot of
conditionals testing before bringing up the firewall, and it's pretty
hard to predict all the possibilities.
If I get time this weekend, I'll do as you suggest by setting up a
system with Network Manager and Firestarter just to see if I can confirm
that the issue lies with Firestarter. If I do so, it will only be in the
hope that I just might be able to provide helpful feedback to the
I only used firestarter (and then gufw) because I didn't want to get
into using iptables for controlling netfilter, but the discovery of ufw
has given me a much easier and more satisfying solution -- even though
having "Ubuntu" firewall in Debian seems a little heretical. (I was
surprised to see it in the repositories. I kind of hope the Debian folks
don't decide to drop it.)
Thank you very, very much for your consideration, Rob. I know I've been
a pest. I'll stop arising from the grave on this one now.
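The policy described in the thread (deny all incoming, accept SSH only from particular addresses) expressed as ufw commands, as an added example that is not part of the original message. The source addresses are constructed samples from documentation ranges and the port is assumed to be the default 22; the script prints the commands for review by default and only applies them (as root, with ufw installed) when invoked with `apply`.

```shell
#!/bin/sh
# Added example: a ufw policy that denies all incoming traffic and
# admits SSH only from a fixed set of source addresses.
# The addresses below are constructed samples (RFC 5737 ranges).
ALLOWED_SSH_SOURCES="192.0.2.10 198.51.100.0/24"
SSH_PORT=22

# Emit the ufw commands for the policy, one per line, without running them.
# Generating the rule set separately from applying it lets it be reviewed
# (or compared against 'ufw status') before anything changes on the host.
ufw_ssh_policy() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for src in $ALLOWED_SSH_SOURCES; do
        echo "ufw allow from $src to any port $SSH_PORT proto tcp"
    done
    # --force skips the interactive confirmation prompt
    echo "ufw --force enable"
}

# Apply the generated commands, stopping at the first failure,
# then show the resulting rule set. Requires root and ufw.
apply_ufw_ssh_policy() {
    ufw_ssh_policy | sh -e
    ufw status verbose
}

# Usage: sh firewall.sh          -> print the commands for review
#        sh firewall.sh apply    -> apply them (run as root)
if [ "${1:-}" = "apply" ]; then
    apply_ufw_ssh_policy
else
    ufw_ssh_policy
fi
```

Printing first and applying second is deliberate: with a default-deny policy, a typo in the allowed source list locks the administrator out of a remote box, so the generated lines are worth reading once before `ufw enable` runs.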