On Thursday 30 December 2004 12:59, Keith Nasman wrote:
> Derek Broughton wrote:
[of firestarter]
> > OK, off the top:
> > - it needs 22 other gnome apps I didn't want. No big deal if you're
> > already using gnome.
> >
> > - it still can't configure an interface it isn't actively connected to.
> > When I'm at work the Internet is on eth0. When I'm home, it's dpc0 and
> > eth0 is the local network. There's no apparent way to save both configs
> > (which shouldn't really be different, anyway, just the same rules on
> > different interfaces). This is an unusual connection, but using ppp0 at
> > home and eth0 at work would be _very_ common.
>
> There is a command line option called --generate-scripts that will dump
> the current configuration into /etc/firestarter. I imagine that you can
> dump the configuration at each location and then edit the init script to

OK, that would help. But without Help, it's not easy to know that.

> run the different configurations. How do you bring up your interfaces
> at the different locations? Do you have an automated way at boot to

ifupdown & hotplug. If it finds dpc0, that's my satellite modem; if not, it
treats eth0 as an internet connection.

> select your network situation? If so, you could edit those scripts to
> copy the correct configuration into the file that firestarter boots
> with. Poke around in the /etc/init.d/firestarter script and the
> /etc/firestarter/ directory. As you said, your rules would be the same

Yeah, I could do that. Guarddog was easier.

> at both locations so you could just change the IF and INIF variables in
> the /etc/firestarter/configuration file.
>
> > - without a single question about my usage, it thinks it can configure a
> > firewall! Now, it's built _something_, but I don't know enough about
> > iptables to be sure, but it looks awfully permissive. At the very least,
> > I'm currently connected to this machine by VNC and it isn't even blocking
> > me. It did block Telnet, but I usually leave that open to my desktop
> > machine.
>
> The first time I ran it, it asked me how I wanted it set up, which
> interface is external, which ports to allow incoming connections on,
> etc. Did it not do this for you?

Nope. No questions at all, which surprised me.

> Did you have the VNC connection up when
> you started the firewall? One of the common rules for firewalls is to allow
> traffic that was initiated from your machine.

Yeah, that occurred to me after the fact. I should have tried to initiate a
second VNC connection before I uninstalled firestarter. :-)

> My situation is a laptop where eth1 (wireless) is the "external" and eth0
> (wired) is the LAN. When playing with my test boxes on the LAN,
> firestarter blocks connections on the LAN side that I've told it to. I
> have to enter rules in the policy section to allow these boxes to
> connect via SSH.

Yes, but you need to know how the rules are entered. There's no Help.

> I'm not qualified to analyze the rules generated but I'm sure you could
> rest your fears on numerous mailing lists.

That's not relevant. If you're not qualified (and I'm not qualified) it's
even _more_ important that it be explaining what it's doing.

> > - It still has no help (there's a menu entry, but it never gives me any
> > help). That's not acceptable for a firewall - you need to know _why_ it
> > built the rules it did (unless you understand iptables a lot better than
> > I do - in which case you probably didn't need a GUI to do it).
>
> The Help -> Online User's Manual works for me, maybe what your system
> thinks of as the "default browser" isn't there. It just takes you to

You're installing a firewall - you really shouldn't be online until you're
comfortable with what it's doing.

> > It might not be a bad firewall if you use Gnome, and if the Help actually
> > works on Gnome, but imo it would be a very poor firewall for anyone else.
>
> It is definitely a Gnome app. That shouldn't matter at all.

I use all sorts of gnome apps, but if they rely on bonobo, they'd better be
darn good. I haven't found one yet that was worth the baggage.

I should have also mentioned there, that it is probably OK if you only use a
single interface to connect to the internet, but for people with dial-up at
home and ethernet at work, it's more trouble than _I_ think it's worth.

> > I'm going back to guarddog - which is also a Gnome app, but works much
> > better with KDE, and runs the same startup script no matter what
> > interface my connection is on.
>
> Choice is good isn't it :-)

Yeah!
--
derek


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
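The location-switching approach Keith sketches above (decide from the present interfaces whether dpc0 or eth0 faces the internet, rewrite the IF and INIF variables in /etc/firestarter/configuration, restart the firewall), written out as an added shell example. This is editor-supplied code, not from the thread, from firestarter, or from Guarddog. The variable names IF and INIF come from Keith's reply; that the configuration file is a plain shell-style file of NAME=value lines, the function names, the sample configuration, and the interface-name whitelist are all assumptions made here.

```shell
#!/bin/sh
# Added example for this thread; not code from firestarter, Guarddog or any
# poster. Assumptions: /etc/firestarter/configuration is a shell-style file
# containing "IF=<external iface>" and "INIF=<internal iface>" lines (the
# variable names come from the reply above; the file format is assumed), and
# the rules are identical at both locations, so only those two lines change.
# Function names and the sample configuration below are mine.

# Constructed sample in the assumed shape; not a real firestarter file.
SAMPLE_CONFIG='# constructed sample, not the real file
IF=eth0
INIF=
OTHER=unchanged'

# Decide "<external> <internal>" from a space-separated list of interfaces the
# kernel currently has. Mirrors the rule stated in the thread: if the satellite
# modem dpc0 exists we are at home, so it is the internet side and eth0 the LAN;
# otherwise we are at work and eth0 itself faces the internet, with no LAN side.
pick_interfaces() {
    case " $1 " in
        *" dpc0 "*) echo "dpc0 eth0" ;;
        *)          echo "eth0" ;;
    esac
}

# Rewrite only the IF= and INIF= lines of the configuration file, leave every
# other setting alone, and replace the file atomically so a crash mid-write
# cannot leave the firewall with a truncated config.
set_firestarter_ifaces() {
    cfg="$1"; ext="$2"; inif="$3"
    # The init script is assumed to interpolate these values into iptables
    # commands, so refuse anything that is not a plain device name
    # (letters, digits, and _ . : -). tr -cd drops every other byte,
    # including newlines, so any smuggled shell syntax fails the comparison.
    for v in "$ext" "$inif"; do
        clean=$(printf '%s' "$v" | tr -cd 'A-Za-z0-9_.:-')
        [ "$clean" = "$v" ] ||
            { echo "refusing suspicious interface name: $v" >&2; return 1; }
    done
    tmp="$cfg.tmp.$$"
    sed -e "s/^IF=.*/IF=$ext/" -e "s/^INIF=.*/INIF=$inif/" "$cfg" > "$tmp" &&
        mv "$tmp" "$cfg"
}

# What an ifupdown hook would do on a real box: read the present interfaces
# from the kernel, choose, rewrite, then restart the firewall. The restart is
# only echoed here so the script is safe to run anywhere.
apply_location_config() {
    cfg="${1:-/etc/firestarter/configuration}"
    present=$(ls /sys/class/net 2>/dev/null | tr '\n' ' ')
    set -- $(pick_interfaces "$present")
    set_firestarter_ifaces "$cfg" "$1" "${2:-}" &&
        echo "would now run: /etc/init.d/firestarter restart"
}

# Stand-alone demonstration on a throwaway copy of the sample, pretending the
# satellite modem is present.
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CONFIG" > "$cfg"
    set -- $(pick_interfaces "lo eth0 dpc0")
    set_firestarter_ifaces "$cfg" "$1" "${2:-}"
    cat "$cfg"
    rm -f "$cfg"
}
demo
```

On a Debian box `apply_location_config` would be called from a script in /etc/network/if-up.d/, which ifupdown runs after an interface comes up, so the rewrite happens before the firewall is restarted for the new location. Whatever tool generates the rules, the check the thread keeps asking for is `iptables -L -n -v` after the restart: read what was actually loaded rather than trusting the GUI's summary, and test from a second connection rather than the one that was already established when the firewall started.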